In testimony before the Senate Committee on Commerce, Science and Transportation, the Federal Trade Commission discussed its efforts to protect consumer privacy through enforcement actions, consumer education, and policy initiatives like the FTC staff’s recent preliminary privacy report. The report proposes a framework to balance consumer privacy with industry innovation by: 1) building privacy protections into everyday business practices (“privacy-by-design”); 2) simplifying privacy choices for consumers; and 3)improving transparency with clearer, shorter privacy notices.
The Commission told Congress that industry stakeholders have made important progress in implementing Do Not Track, a mechanism proposed in the staff's preliminary privacy report last December that would allow consumers to choose not to have their Internet browsing tracked by third parties. The testimony noted that two of the major Internet browsers – Microsoft and Mozilla – “have recently announced the development of new choice mechanisms for online behavioral advertising that seek to provide increased transparency, greater consumer control, and improved ease of use.”
“Do Not Track is no longer just a concept, it is becoming a reality,” said FTC Chairman Jon Leibowitz. “It’s encouraging to see companies responding positively to our call for more consumer choice about their online privacy.”
The testimony notes that consumers may want to opt out of more than targeted ads. They may want to avoid having their browsing habits used for other purposes, including by prospective employers or insurers. An effective Do Not Track system would go beyond simply opting consumers out of receiving targeted advertisements; it would opt them out of having their behavior tracked online, the testimony states.
According to the testimony, five issues should be considered for any Do Not Track regime:
The call for Do Not Track in the staff's preliminary privacy report is only one component of the FTC's agenda to protect consumer privacy. The testimony states that protecting consumers’ privacy has been a Commission priority for 40 years. “During this time, the Commission has employed a variety of strategies to protect consumer privacy, including law enforcement, regulation, outreach to consumers and businesses, and policy initiatives.”
According to the testimony, in the last 15 years, the FTC has brought more than 300 privacy-related actions, including: 32 data security cases, 64 cases against companies for improperly calling consumers on the Do Not Call registry, 86 cases against companies for violating the Fair Credit Reporting Act (FCRA), 97 spam cases, 15 spyware (or nuisance adware) cases, and 15 cases against companies for violating the Children’s Online Privacy Protection Act (COPPA). Where the FTC has authority to seek civil penalties, it has aggressively done so. It has obtained $60 million in civil penalties in Do Not Call cases; $21 million in civil penalties under the FCRA; $5.7 million under the CAN-SPAM Act; and $3.2 million under COPPA.
In addition, the FTC has been aggressive in its efforts to educate consumers and business about their rights and responsibilities in protecting consumer privacy. Most recently, the FTC released a consumer education publication on the safe use of wi-fi hot spots. The publication, available on the FTC and OnGuard Online websites, explains that when using wireless networks, consumers should convey personal information only if it is encrypted – either through an encrypted website or a secure network. The piece notes that an encrypted website is one whose URL begins with “https.” rather than “http,” it further notes that in order to be secure, a wi-fi network must be password-protected.
In December 2010, FTC staff proposed a framework for protecting consumer privacy to inform policymakers and industry as they develop steps to improve consumers’ privacy protection. The proposed framework included three main concepts.
First, the staff proposed that companies adopt a “privacy by design” approach by building privacy protections into their everyday business practices. Such protections include providing reasonable security for consumer data, collecting only the data needed for a specific business purpose, retaining data only as long as necessary to fulfill that purpose, safely disposing of data no longer in use, and implementing reasonable procedures to promote data accuracy.
Second, the staff proposed that companies provide simpler and more-streamlined choices to consumers about their data practices. To be most effective, choices should be clearly and concisely described and offered at a time and in a context in which the consumer is making a decision about his or her data.
Third, the staff report proposed a number of measures that companies should take to make their data practices more transparent to consumers. For instance, in addition to providing the contextual disclosures described above, companies should improve their privacy notices so that consumers, advocacy groups, regulators, and others can compare data practices and choices across companies, thus promoting competition among companies.
The Commission vote to approve the testimony was 4-1, with Commissioner William E. Kovacic dissenting. Copies of the testimony can be found on the FTC’s website and as a link to this press release.
The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,800 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. “Like” the FTC on Facebook and “follow” us on Twitter.