Today, Privacy Rights Clearinghouse submitted comments to the Federal Trade Commission (FTC) on its preliminary report, “Protecting Consumer Privacy in an Era of Rapid Change: a Proposed Framework for Businesses and Policymakers.”
FTC’s report, issued on Dec. 1, 2010, proposes a framework to balance consumers’ right to privacy with business’ need to innovate. The framework contains three main components:
- Privacy by Design – Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services. When customer data is collected, it should be the minimum amount needed, stored securely, stored for the shortest amount of time possible, and disposed of safely.
- Consumer Choice – Companies should allow consumers to choose what data is collected and how it will be shared. For practices that are not commonly accepted, such as online behavioral advertising, consumers should have a uniform and comprehensive way to opt-out, such as a “Do Not Track” mechanism.
- Transparency – Companies should increase transparency of their data practices. Privacy policies should be easy to understand and consumers should be notified of significant policy changes.
The proposed framework is a self-regulatory approach. FTC does not discuss privacy legislation per se, although in a recent presentation, FTC Commissioner Julie Brill stated that if industry’s self regulatory proposals do not adequately protect consumers, the FTC will recommend that Congress take action.
In its submitted comments, Privacy Rights Clearinghouse (PRC) commended FTC for recognizing the growing need for stronger consumer privacy protection both offline and online. However, PRC believes that self-regulation is ultimately not enough and that truly effective privacy protection is best accomplished through federal legislation.
PRC’s comments focused on two major privacy issues: online behavioral advertising and data brokers.
Online Behavioral Advertising
Garnering the most media attention is the FTC’s proposal for a “Do Not Track” mechanism, a result of the growing use of online behavioral tracking among advertisers in order to deliver targeted ads to consumers.
Online behavioral advertising is defined by the advertising industry as the collection of “data from a particular computer or device regarding Web viewing behaviors over time and across non-Affiliate Web sites for the purpose of using such data to predict user preferences or interests to deliver advertising to that computer or device based on the preferences or interests inferred from such Web viewing behaviors.”
“What this means in plain English is that advertisers are invisibly tracking where you go online, what you click on, and what information you give to websites,” says Beth Givens, director of Privacy Rights Clearinghouse.
Privacy Rights Clearinghouse is concerned about the unforeseen ways companies may use online behavioral tracking to unfairly target consumers based on the data collected. Non-transparent data collection may subject consumers to medical and financial targeting for instance, and differential pricing based on a profile.
In its report, the FTC called on industry members to create “a uniform and comprehensive consumer choice mechanism for online behavioral advertising” that allows consumers to “control the collection and use of their online browsing data.” Shortly after the report was released, three major browser developers launched different “Do Not Track” mechanisms:
- Mozilla Firefox 4 – Offers a “Do Not Track” option which, when enabled by users, sends an HTTP header to websites signaling the user’s wish to opt-out of online behavioral advertising.
- Microsoft Internet Explorer 9 – Offers a feature called “Tracking Protection” which, when enabled by users, helps them control and block third-party tracking by creating or adding Tracking Protections Lists (TPLs).
- Google Chrome – Piggybacks on an existing behavioral advertising opt-out created by the National Advertising Initiative (NAI). When consumers choose NAI’s opt-out, a cookie is placed on their computer that advertisers who are members of NAI recognize as being an opt-out. Google created a “Keep My Opt-Outs” extension that, when install by the user, prevents this opt-out cookie from being deleted when users periodically clear their cookies.
Privacy Rights Clearinghouse believes the most promising strategy is the browser-based header mechanism proposed by Mozilla because of its simplicity for the user as well as being universal and persistent. This is the only strategy that has been proposed that, if paired with legislation, isn’t as easy for trackers to develop a workaround for.
Though less discussed by the media, the FTC report also examines data brokers that “acquire consumer data from a variety of sources and use it for purposes that consumers never anticipated.”
Information collected about individuals is obtained primarily from public records, although some data aggregators also “scrape” information from social media sites. Data may include a person’s name, birth date, Social Security number, home address and ownership status, marital status and telephone number. Some data brokers sell the information they collect to companies with a “legitimate business purpose.” Others sell to anyone, no questions asked. Unfortunately, for data brokers in the latter category, it is all too easy for identity thieves, other criminals, and stalkers to obtain the information and use it for illegitimate purposes.
Privacy Rights Clearinghouse maintains a growing list of data brokers, currently listing 133 websites. Some data brokers offer an opt-out to consumers, but not all do. Each opt-out process is different, and many data brokers have created barriers to opting out by requiring, for example, that individuals mail in a copy of their driver’s license.
In its submitted comments, Privacy Rights Clearinghouse advocates for a more transparent and regulated data broker industry and recommends:
- a mechanism whereby information brokers must register with a clearinghouse or registry created and monitored by the FTC
- a one-stop opt-out process that is simple and standardized
- legislation giving consumers the right to see information collected on them and the ability to dispute inaccuracies
- legislation giving consumers the right to receive notice when data about them has been used to deny benefits, similar to the Fair Credit Reporting Act (FCRA)
“Individuals should have the right to see what information is being collected about them, understand how it is being used, and be able to correct inaccurate data,” says Givens. “We need something similar to the FCRA, which gives consumers the right to an annual free credit report, an avenue for disputing inaccuracies, and the right to know when they’ve been denied benefits as a result of a credit check.”
To read the PRC’s comments to the FTC, visit the PRC website here: http://www.privacyrights.org/ftc-protecting-consumer-privacy-report-comments.
The FTC is expected to release its final report by the end of the year.