After months of anticipation, the Federal Trade Commission announced earlier today its staff report on privacy. The report sets forward an updated framework to address the increasingly complex threats to consumers' privacy.
The new principles announced by the FTC are extremely strong. The report acknowledges that the FTC’s previous approach focusing on notice-and-choice and harms have not provided sufficient privacy protection to consumers. The new framework centers on three principal ideas: privacy by design, simplified choice, and greater transparency. However, a full reading of the report shows that the FTC has thought deeply about how to protect consumer privacy, and the framework incorporates all the Fair Information Practice principles, including purpose specification, data minimization, data quality, and access.
Of course, the key question is how will these principles be implemented. The report is largely agnostic on that question. The FTC, without administrative rulemaking authority, lacks the power to embody its framework in regulation. Instead, the FTC has said that the report should serve as a guide to both industry and lawmakers.
We fully expect that the FTC will go to the limit of its authority to enforce these principles where they can, under its Section 5 authority to enjoin deceptive and unfair practices, and under various sector-specific laws such as the Fair Credit Reporting Act or the Children’s Online Privacy Protection Act. However, that power only goes so far, and the FTC cannot implement sufficient privacy protections merely by enforcing existing law. The report also recognizes quite candidly that to date, industry has failed to adequately self-regulate. The FTC’s principles need to be implemented for all companies — not just those few that have shown real privacy leadership, but for the ever-expanding universe of companies that collect and trade consumer information. It is now incumbent upon Congress to pass privacy legislation that enacts the important ideas reflected in the FTC’s report.
Finally, much of the attention around the FTC report has clustered around the idea of creating a “Do Not Track” mechanism to offer consumers a universal opportunity to opt out of online tracking. CDT joined with other groups to propose the idea of “Do No Track” in 2007, and continues to believe it would be a powerful tool to give consumers control over how their information is shared. However, it is not a complete solution. Whether implanted by industry or Congress, “Do Not Track” would still only apply to online behavioral advertising, and not to a host of other privacy issues around cloud computing, data brokers, social networking, “apps,” and the entire offline world. It is important not to conflate “ Do Not Track” with comprehensive privacy protection. Fortunately, the FTC report stresses that its privacy framework needs to apply both offline and online, and that “Do Not Track” is just one piece of the online puzzle.
We applaud the FTC for setting forward a strong privacy protection framework. Now, we need Congress to pass legislation to put those principles into place.