FTC: Privacy legislation needed--if industry doesn't self regulate first


The Federal Trade Commission March 26 published a report it says "is intended to serve as a template for legislative recommendations," in the event that the Obama administration's Consumer Privacy Bill of Rights is not adopted in its current state as legislation.

The report's "best practices" for consumer privacy closely mirror the bill because "the President has specifically asked either that the 'Bill of Rights' be adopted by the Congress or that they be distilled into 'enforceable codes of conduct,'" says the report.

The report's codes do not, however, make any real or immediate changes to rules and regulations. And much like the Consumer Privacy Bill of Rights, they emphasize self-regulation by industry.

In the report, the FTC says it doesn't really care if its suggestions are adopted as an enforceable code of conduct or a legislative requirement. "It is arguable that neither is needed if these firms feel obliged to comply with the 'best practices' or face the wrath of 'the Commission' or its staff," says the report.

"If companies adopt our final recommendations for best practices--and many of them already have--they will be able to innovate...without [consumers] sacrificing their privacy," said FTC Chairman Jon Leibowitz in a statement.

One privacy mechanism sought by consumer groups are standards for a "do not track" regime, notes the report. The FTC said, however, that self-regulation of do not track is progressing well. FTC outlines its existing five criteria for companies to create a true do-not-track system and notes that the commission will work with stakeholders to "complete implementation of an easy-to use, persistent and effective Do Not Track system."

Leibowitz said consumers should have an "easy to use and effective Do Not Track option by the end of the year" in part because companies are adopting best practices and "lawmakers will want to enact legislation if they don't."

The Electronic Privacy Information Center issued a statement March 26 criticizing the report, saying the FTC's suggested legislation is actually less extensive than the White House proposal. It only calls for baseline privacy legislation and legislation that provides consumers access to personal information held by data brokers, said EPIC.

The report's suggested rules don't apply to all companies providing services on the Internet, and through mobile and social channels, however. For those companies with limited interaction with sensitive data, it takes a fairly hands off approach, saying rules shouldn't apply to vendors who collect information from 5,000 or fewer individuals per year. Data management standards are also not absolute, says the report, "rather, companies must take reasonable steps to ensure that data is de-identified."

For more:
- see the FTC blog post
- read the FTC press release
- download the FTC privacy report (.pdf)

Related Articles:
NTIA seeks feedback on formulating consumer privacy code
White House: 'Consumer Privacy Bill of Rights' a step toward do not track legislation
Audio: White House, Commerce, FTC officials discuss online privacy initiative