The Federal Trade Commission (FTC) released today its final report on privacy. An updated and revised version of the preliminary report the FTC released in December 2010, the new report (pdf), dubbed “Protecting Consumer Privacy in an Era of Rapid Change,” outlines laws that are on the books concerning user privacy, and details a framework for how US businesses can better protect user data. While the report does not establish any new rules, it does provide a comprehensive look at how the federal government is attempting to get a handle on privacy in the Web and application era. Rather than making you read through the full report, here’s a breakdown of the most important bits that could have an effect on you online life.
Who’s in, who’s out
The policy framework outlined by the FTC applies to nearly all companies “that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device.” Due to the financial burden of the proposals in the famework, the FTC has updated this final version of the report to exclude business that collect data from fewer than 5,000 customers per year, and do not “share data with third parties.” In other words, the proposal applies to nearly every service that you use.
Privacy by design
At the heart of the FTC’s recommendations is that companies should build privacy protections into their businesses and services from the ground up. This includes “data security, reasonable collection limits, sound retention and disposal practices, and data accuracy.” Moreover, the FTC recommends that companies maintain these standards for data management for the life of a product or service.
While asking businesses to build with privacy in mind is definitely good advice, it fails to address all the business that are already up and running at full force, and does little to help users protect themselves. That’s where Do Not Track comes in. For those of you in the dark, Do Not Track is a technology that allows users to opt-out of having their Web activity tracked by websites they do not visit. The FTC says Web users will have “an easy to use and effective” Do Not Track option by the end of this year.
Browsers: The FTC says “significant progress” has been made in the area of Do Not Track implementation, with Mozilla, Microsoft, and Apple all releasing updated versions of their browser with Do Not Track technology built in. Mozilla’s Firefox for Android also includes Do Not Track.
Digital Advertising Alliance: The Digital Advertising Alliance, or DAA, which represents about 90 percent of all websites that use advertising, has agreed to respect Do Not Track, as well as browser settings that prevent data collection. In addition, the DAA has created an icon that will appear in DAA-affiliated ads, which users can click to see what types of data is being collected. Finally, the DAA has agreed to limit the secondary use of collected data in credit reports, and employer background checks.
W3C: The World Wide Web Consortium (W3C), the international standards body for the Internet, has agreed to work on an industry-developed standard technology for Do Not Track, which will make it easier to implement, and hopefully negate the need for a law that requires the use of Do Not Track.
Better privacy policies
The FTC concludes that most privacy policies are “generally ineffective” at explaining to users what types of information they are handing over to companies because most are “too long, are difficult to comprehend, and lack uniformity.” For this reason, the FTC proposes that all privacy policies “should be clearer, shorter, and more standardized.” The simplification and shortening of privacy policies is especially recommended for services that are accessed via mobile devices, which have smaller screens. Unfortunately, at this time, there is broad disagreement in the industry for how to achieve this.
Increased transparency on data brokers
The FTC says it will push “targeted legislation” that will require all data brokers — shadowy companies that collect and sell a staggering (sometimes troubling) range of user data to marketers, media organizations, the government, and others — to make it easy for users to see how and what information is collected. As part of this plan, the Commission seeks to create a centralized website where data brokers can “identify themselves to consumers and describe how they collect and use consumer data,” as well as provide details on who can access that information.
In addition to enabling users to see what of their personal data is collected, the FTC also proposes making it possible for users to access the data, and correct errors, or change inconsistencies. As with the privacy policies, most companies that the FTC spoke with said this was a good idea, but disagreed on how to make this happen.
Many of the companies and organizations the FTC spoke with also wanted to limit users’ ability to access and edit all types of data, instead restricting this feature for financial records and other “sensitive” data. They said giving users the ability to access all data would be too costly. The FTC agrees that access to data should “be proportional to the sensitivity and intended use of the data.”
Will this report change anything?
Not by itself. As the FTC makes clear, this proposal is just that — a set of ideas for how things should work, not a set of rules. This means that the report has no direct repercussions for companies or the way your data is treated; no enforcement mechanism is established. Its purpose, however, is to explain to the technology industry what the federal government expects them to do voluntarily, and what kinds of legislation the Commission hopes Congress will enact to help protect consumers from zealous data collectors.
We highly recommend everyone read through the whole report (pdf) themselves — it’s a little long, and probably boring. But it provides the best look at the state of online privacy, and where it might be headed.