FTC Readies National Privacy Framework

In an era of massive collecting and selling of personal data, the Federal Trade Commission is preparing to weigh in on America's marketing frenzy in an effort to referee what's fair or unfair to consumers when it comes to personal data privacy.

The FTC, whose mission is to protect consumers and guard against harmful business practices, expects to issue a "privacy framework" that will include guidance about best practices, says an FTC source. Washington insiders expect the FTC framework to appear in early December. Even sooner than that, industry watchers expect the Department of Commerce to issue a report about data privacy online and make a call for a national data-privacy law.

"There has never been a baseline privacy law in this country," says Justin Brookman, a senior fellow at the Washington-based public advocacy group Center for Democracy and Technology (CDT).

FTC appoints cool hacker as first chief technology officer

The anticipated FTC privacy framework and upcoming Commerce Department report are building momentum around the issue of consumer data-privacy protection, Brookman says. He expects the issue will be addressed in legislative proposals in the next Congress, by Sen. John Kerry (D-Mass.) as well as by representatives in the House including Cliff Stearns (R-Fla.) and Joe Barton (R-Texas).

The FTC privacy framework will help establish a baseline of permitted practices for online collection of personal information, but it's uncertain how much power the FTC will have to enforce any of its recommendations if there's not a national law to back it up. The FTC is there to enforce laws that Congress enacts, not write new laws, Brookman points out. Today, the main law the FTC has at hand for data privacy relates to "prohibited and deceptive business practices."

Seeing the momentum building for data-privacy protections over the past few years, businesses such as Google and Yahoo have jumped in to try to influence the debate. One issue at stake is the future of behavioral advertising, which the FTC once defined as the tracking of a consumer's activities online - including the searches the consumer has conducted, the Web pages visited and the content viewed - in order to deliver advertising targeted to the individual consumer's interests.

One group formed to tackle the privacy-rights issues is The Future of Privacy Forum, a Washington-based think tank led by Jules Polonetsky and Christopher Wolf. Its industry supporters include AT&T, the Better Advertising Project, Comcast, eBay, Facebook, Google, Intel, Lockheed Martin, Microsoft, Proctor & Gamble, Verizon and Yahoo, among others.

The forum, launched in 2008, has come up with an idea to provide more disclosure about data collection to online consumers. It involves including a distinctive icon with advertising that would let consumers click on it to see the origin of the data. The idea is "you can find out who's serving the ad and where the information came from," says Brookman, adding that consumers would be able to say if they don't want the information about them collected.

"Google is serving a version of this icon in their ads today," Brookman says. "They'll show you the Google profile, and you can opt out." Yahoo is starting to do something similar. More voluntary efforts at transparency are expected as companies look to get ahead of any legislation or FTC guidelines that could impose more restraints, he notes.

Fighting legalese

The FTC privacy framework is also likely to address the complaint that legal privacy disclosures today are generally dense legalese that's almost incomprehensible to the average person.

Even lawyers agree.

"It's privacy policies no one understands," says Amy Mushahwar, an attorney with Washington-based Reed Smith, which is a specialist in national and international law on the topic of data privacy.

In the U.S. today, at least 25 legal statutes govern disclosure requirements for different industries, Mushahwar points out. Telecom companies, for instance, have less strict controls on what customer-related information they can sell to affiliated companies and corporate joint ventures, but stricter rules on what can be sold to wholly-independent third parties.

Some rules entail "opt-out," which requires a consumer to make a conscious effort to opt-out of allowing personal data to be collected and perhaps sold, while others rules are "opt-in," requiring consumers to make an effort to allow personal information to be used in some way.

"What we have here is a bunch of disparate laws creating a complex regimen, one difficult for corporate America to sort out," she says.

Mushahwar acknowledges there's a huge amount of marketing and selling of personal data by industries including banking and telecom, plus online data collection on the Web, that most consumers are largely unaware of. Behavioral profiling is driven by advanced data collection and mining, especially related to the use of the Web or mobile devices.

"The selling of customer information is an accepted practice if you do it within the letter of the law," she points out. Advertising and the ability to sell user data are what funds many of today's free online services and content. But the industry does expect to see more oversight of these practices as momentum for data privacy builds politically. "People want to know better what's being sold about them," Mushahwar says.

"Google has all these free services," and "information is the compensation for these services," says D.C.-based attorney, Andy Serwin, an expert in privacy law at Foley & Lardner.

"There's a balance to be struck here," Serwin says. Behavioral advertising is growing, and people are on social networks where the purpose is to share information, he says.

There's hope the FTC will be successful in finding the right balance for disclosure and privacy guidelines. To boost its effort, the FTC is bringing on board Edward Felten, professor of computer science and public affairs and founding director of the Center for Information Technology Policy at Princeton University. He starts in January as the FTC's first-ever chief technologist.

And after the FTC issues its long awaited privacy framework, the big question will be "what do companies do with these best practices?" Serwin notes. "Online behavioral advertising is where the rubber meets the road."

Read more about wide area network in Network World's Wide Area Network section.

Subscribe to the Security Watch Newsletter

Comments