David Vladeck, Director of the Division of Consumer Protection at the Federal Trade Commission, today spoke at the IAPP Privacy Academy in Baltimore, and offered the FTC vision for future privacy protection. Here are some highlights:
- FTC will continue to bring cases to ensure that companies reasonably ensure safeguards for consumer privacy
- FTC will bring more cases involving pure privacy protections, in addition to data security cases, building on the Sears case. "You can expect more cases like that in the future." (This suggests a greater focus on how notice and choice is given and the degree to which privacy options are implemented, such as in the recent US Search enforcement). "Consumer choice must control."
- We will be focusing our efforts on new technologies, such as our enforcement in the Twitter case. FTC has hired new technologists and has created a mobile lab to address smart phones and mobile apps.
- There will be increased international cooperation on privacy, as evidenced by the Global Privacy Enforcement Network (GPEN) announced last week. Recent cooperation brought down the latest spam operation in the world, resulting in a 25% drop in spam worldwide.
- The Roundtables demonstrated that (1) Data persists longer than people expect; (2) The difference between PII and non-PII is blurring; (3) Consumers understand very little about how their information is used and shared; (4) Often, consumers do not interact with or have direct contact with companies that handle their information; (5) Technology can provide important privacy solutions.
- When is the Report coming out? "This Fall"
- What will the Report say? "This is impossible to answer as Commissioners are still to review and will provide input." But here are the big picture issues in the report: (1) Importance of Privacy by Design — thinking about good data hygiene from the very beginning; (2) Increased transparency is needed about data practices — we need better privacy notices, in more consistent, shorter formats; (3) We need to simplify consumer choice — especially regarding uses of data they would not expect. Privacy choices should be presented at the point when the consumer is providing the data. And more consistent policies that allow comparison may allow competition for privacy practices. We need more protection for sensitive information. Consumer choice once exercised must be respected. "The FTC will not tolerate a technology arms race to circumvent privacy protecting technology." (4) On the thorny problem of access, companies collecting and aggregating data used for purposes beyond consumer expectation is a problem. There is no easy solution to the access question, and the FTC will consider the cost of access to the data broker industry. (5) There should be better consumer education about how tracking on the Internet works and what are their choices on privacy.
- The Report will be issued in DRAFT with opportunity for public comment. Even when finalized, the Report will not be the end of the debate but "the beginning of the next phase of the debate on privacy." One key component must be flexibility and adaptability.
- "Do Not Track" is not off the table, and will be considered, despite its complexity.
- On the issue of regulation vs. self-regulation: The Commission has always supported self-regulation, but the Commission has supported privacy laws like the telemarketing law. With respect to privacy and online advertising, "I am disappointed in the progress of self-regulation. Ad disclosures and icons are all good ideas, but implementation is very much a work in process." The Commission and the public may lose its patience with self-regulation if there is not better progress.
- On the Boucher and Rush legislative proposals, I am concerned that the bills place too much reliance on already overburdened privacy policies. Also, it is premature to conclude that existing private initiatives are sufficiently robust to provide safe harbors.
- On data security, legislation that requires reasonable security and notice of breaches creating a reasonable risk of harm will provide sorely needed broad based protections at the federal level. For the first time, the FTC would have the general right to obtain a civil penalty, which is important. We see too many companies ignoring well-known vulnerabilities that are easily plugged. Penalties would help convince those companies to comply.
- My vision for consumer privacy in 2011 and beyond: In my privacy utopia, companies are building in privacy from the start; consumers have access to information about privacy; the FTC continues its enforcement regime, with the help of consumer watchdog organizations. The time for companies using trial and error to protect privacy should come to an end.