Consumers Need Simple Method to Opt Out of Data Collection, FTC Recommends

The recommendations propose a framework to balance consumer privacy with innovation that relies on consumer information, the FTC said. The agency developed it as a nod to tech advances allowing for rapid data collection and sharing that is invisible to consumers, the agency said. Many companies are not disclosing their practices, added Leibowitz, and those that do often hide them in long, complicated privacy policies that consumers don’t read or understand, he said. For example, the FTC settled a complaint Tuesday with EchoMetrix involving the sale of Sentry software enabling parents to monitor their children online, said Leibowitz. EchoMetrix failed to disclose that it had sold information about children’s’ online activities to third-party marketers. The only possible hint to parents was a vague statement tucked 30 paragraphs into the Sentry end user licensing agreement, Leibowitz said. “Self-regulation of privacy has not worked adequately and is not working for Americans,” he said. “Consumers deserve far better from the companies they entrust their data to, and industry, as a whole, must do better.” The FTC will step up enforcement against companies violating consumer privacy in the next few weeks, especially in cases involving teens and children, he promised.

The agency first recommends that companies “bake” privacy practices into their business practices by adopting a privacy-by-design approach, according to a summary provided by the FTC. It includes reasonable security for consumer data, limited collection and retention of such data, and reasonable practices promoting data accuracy. Companies should also enforce sound privacy practices throughout their organizations such as assigning personnel to oversee privacy issues, training employees in privacy procedures and conducting privacy reviews of new products and services.

The paper next recommends giving consumers more choice about the collection and sharing of their data at an appropriate time and context instead of in “long, complicated disclosures” they often cannot find, the FTC said. Companies should not have to get consent for certain “first party” practices such as sending names of buyers to a shipping company that will send them products they ordered, the FTC said. Companies could streamline communications with consumers and reduce consumer confusion with such an approach, it said. The paper also recommends a “Do Not Track” procedure allowing consumers to opt out of information collection by third parties that facilitates targeted advertising, said the FTC. It envisions a simple method similar to a cookie that would place a permanent control on browsers signaling the consumer’s choices for receiving targeted ads. A consumer would express a desire to opt out of tracking by activating the control, said Leibowitz. When a browser connected to a site it would send an indication saying the consumer opted out, which sites would have to follow, he said.

The third and final recommendation is to improve transparency by clarifying privacy notices and making them shorter and more standard so users understand what’s happening to their information and who’s watching what they do online, the FTC said. Standardized notices also would enable the public to compare privacy policies of competing companies, said the FTC. Consumers should have “reasonable access” to data that companies maintain about them, especially for non-consumer facing entities like data brokers. Stakeholders also should educate consumers about commercial data practices and the choices available to consumers, the FTC said.

Washington leaders and privacy analysts lost no time commenting on the report. “The FTC’s report makes it clear that self-regulation has largely failed, online companies must be more accountable, and our national privacy policy must better serve consumers,” said Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va. “Americans need greater control over how their personal information is collected and used, and the FTC needs the authority to take action against companies who fail to provide consumers with basic privacy protections.” Rockefeller promised that the committee will take up privacy next year.

Sen. John Kerry, D-Mass., called the report “a thoughtful prescription for common practices all companies should adopt” and promised to introduce legislation early next year. “The Federal Trade Commission’s report should be a wakeup call for every Internet user in this country,” he said. The report proves that many companies fail to protect consumer information and that industry self-regulation is inadequate, he said. Consumers should have three inalienable rights in regards to online privacy: procedures used by firms to secure their information; the right to know what information firms will collect, why and how it will be used; and a simple mechanism for opting out of data collection.

Rep. Joe Barton, R-Texas, promised action in the next congressional session. “Millions of people put their information into the hands of websites like Facebook because they believe what they're told about walls protecting their privacy,” he said. “I want the Internet economy to prosper, but it can’t unless the people’s right to privacy means more than a right only to hear excuses after the damage is done. In the next Congress, the Energy and Commerce Committee and our subcommittees are going to find out if Internet privacy policies really mean anything, and if necessary, how to make them stick.”

A Do-Not-Track procedure is workable for the communications industry, said Lisa Sotto, who leads the Privacy and Information Management Practice at Hunton & Williams in New York. Industry should pay attention to the report because it indicates future FTC enforcement, she said.

The Center for Democracy and Technology applauded the FTC’s proposals. “The FTC report hits all the right notes. It sets out a modern and forward looking framework for privacy protection that moves beyond a narrow focus on notice and choice toward a full set of fair information practices and accountability measures,” said President Leslie Harris. “The FTC has provided the blueprint. Now it is time for Congress and industry to follow suit.” CDT Privacy Project Director Justin Brookman said: “This report should bolster efforts to enact a privacy bill next Congress. Its recommendations are consistent with what is being discussed on the Hill.”