CDT has submitted comments for the FTC’s first in a series of public roundtable discussions exploring the privacy challenges posed by 21st-century technology and business practices that involve the collection and use of consumer data. CDT views these roundtable sessions as a historic opportunity for the FTC to develop and announce a comprehensive privacy protection policy for the next decade.
The FTC’s current notice, choice and security regime has brought progress toward corporate compliance on privacy, but seems to have met the limits of its utility. CDT urges the FTC to finally move beyond this limited framework. Now is the time for the Commission to apply a full set of Fair Information Practice principles (FIPs) in pursuit of privacy protection. Privacy is an issue that will define the use of technology in the 21st century. CDT expects that the FTC will stand up for consumers and continue to bolster its role as one of the leading agencies in the world safeguarding consumer privacy. This Commission has a great opportunity to make its mark on history by creating a strong framework in favor of privacy, and we urge the FTC to make the most of it.
CDT Consumer Privacy Roundtable Comments: Refocusing the FTC’s Role in Privacy Protection
Any discussion of consumer privacy – whether in Congress, at the FTC, or within industry – must be grounded by a comprehensive set of FIPs. FIPs have been embodied to varying degrees in the Privacy Act, Fair Credit Reporting Act, and other “sectoral” federal privacy laws that govern commercial uses of information online and offline. CDT strongly believes that the concept of FIPs has remained relevant for the digital age despite the dramatic advancements in information technology that have occurred since these principles were first developed. But the principles must be re-emphasized and refocused to be relevant and effective in the 21st century. The most recent government formulation of the FIPs offers a robust set of modernized principles that should serve as the foundation for any discussion of self-regulation or legislation in the online sector. These principles, as described by the Department of Homeland Security in 2008, include:
- Individual Participation
- Purpose Specification
- Data Minimization
- Use Limitation
- Data Quality and Integrity
- Accountability and Auditing
Properly understood, FIPs constitute a comprehensive privacy framework that self-regulatory guidelines, federal legislation and FTC enforcement should all reflect. Unfortunately, most privacy schemes to date have focused only on a subset of the FIPs: some have been confined only to notice and consent. Relying exclusively on notice, consent, and security compliance regimes places the entire burden for privacy on the consumer to navigate an increasingly complex data environment. In most instances, little practical privacy protection is achieved by reliance on this narrow set of protections. The privacy challenges posed by the vast array of 21st-century technology and business practices require a greater emphasis on a broader set of substantive protections. Notice and consent are crucial, but they are simply not enough to adequately protect consumers today.
In 2000, the FTC issued a report to Congress outlining four core principles of privacy protection: (1) Notice/Awareness, (2) Choice/Consent, (3) Access/Participation, and (4) Integrity/Security. The FTC’s condensed set of FIPs – which have yielded a focus on only notice, choice and security in practice – has been largely criticized as a watered down version of previous principles. The principles focus narrowly on Web site privacy policies in practice, resulting in today’s stagnant notice-and-consent framework. CDT calls for the FTC to move beyond this limited set of FIPs and instead apply a more comprehensive set of FIPs.
To enforce a full set of FIPs absent broader rulemaking authority, the FTC must rely on its power to prohibit unfair trade practices. Only recently has the Commission begun to file complaints based on allegations of unfair privacy practices as opposed to only deceptive practices. The Commission has continued to favor cases that hinge on procedural deceptive practices instead of the substantive unfair practices and this has contributed to a regime in which procedural compliance mechanisms are favored over a full set of FIPs. The FTC needs to reclaim and re-emphasize its power under Section 5 of the FTC Act to prohibit unfair trade practices and, in doing so, stress the importance of the forgotten FIPs.
The FTC has used its authority to police unfair practices in the spyware space and now is the time for the Commission to exercise this authority in the general consumer privacy space. Unfair practice rulings were an integral part of the Commission’s successful fight against spyware and are necessary to effectively ensure strong online consumer privacy protections. The FTC will successfully meet the challenges of the digital age only if it begins to move beyond its notice, choice, and security regime and protect all of the FIPs under its unfairness jurisdiction.
In addition, the FTC should consider the benefits of applying a full set of FIPs to diverse data collection and use practices. One such example is online behavioral advertising. While the FTC’s self-regulatory principles represented a major step forward toward better policies on behavioral advertising, the protections they provide are limited. The guidelines are organized along principles of “Transparency and Consumer Control,” Reasonable Security, and Limited Data Retention for Consumer Data,” “Affirmative Express Consent for Material Changes to Existing Privacy Promises” and “Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising.” Instead of setting out a broad, comprehensive self-regulatory framework with detailed guidance for behavioral advertisers of different kinds built in, the FTC focused on this narrow set of requirements, further contributing to a behavioral advertising ecosystem that lacks substantive limitations on data collection and uses, means for ensuring data quality, and mechanisms for accountability.
Self-regulatory principles that include a full set of FIPs would address many of the gaps in the current behavioral advertising landscape and also provide a common vocabulary as different sets of guidelines begin to see implementation.
While such principles would be a significant step forward, we are skeptical that even the most comprehensive self-regulatory framework alone would effectively police behavioral advertising practices. First, a self-regulatory system that relies on trade associations to provide implementation and accountability guidelines is clearly incomplete: the activities of non-members will remain unregulated. No self-regulatory system is likely to cover or be enforced against all entities, especially when new participants so regularly enter and leave the scene. Second, a confederated set of notifications, mechanisms for consent, and principles that guide data collection and use will only confuse consumers. Third, self-regulation is simply an improper mechanism for true consumer protection. The trade associations continue to define the types of activities that are and are not covered by self-regulatory guidelines based on how they structure their business contracts rather than how the activities impact consumer privacy. Furthermore, implementation of self-regulatory principles has been slow at best.
CDT strongly believes that it is time for the FTC to play a larger role to ensure that consumer interests are fully protected here. The FTC should rely on some of the precedents it established in the spyware cases and it should challenge companies engaging in unfair behavioral advertising practices. The Commission should further use these cases as opportunities to establish a more comprehensive framework for addressing broader privacy concerns – a framework based on a full set of FIPs.
To improve consumer privacy protection in the 21st century, CDT makes the following specific recommendations for future FTC action:
- The FTC should release an updated, comprehensive set of FIPs based on the most modern and complete model.
- The FTC should reaffirm that violating FIPs can result in consumer harm. The Commission should pursue enforcement actions against those engaged in unfair practices, not just in the spyware space, but also in the general realm of online consumer privacy. The FTC should use these actions to highlight violations of any or all of the FIPs, not merely notice, choice and security.
- The FTC should use its subpoena power to acquire information about company privacy practices.
- The FTC should encourage Congress to pass general consumer privacy legislation that is based on a full set of FIPs. Self-regulation cannot adequately protect consumer privacy when it is not girded by legal standards and more direct oversight from the FTC.
- Whether or not specific consumer privacy legislation passes, the FTC should consider drafting its own set of consumer privacy rules if it is granted standard rulemaking authority. This would significantly clarify basic privacy expectations for consumers and businesses alike.
- The FTC should explore the establishment of benchmarks and metrics for evaluating company privacy practices.
- The FTC should more actively promote the continued development of privacy-enhancing technologies.
For a more detailed analysis of these recommendations, please see our comments.