David Vladeck, the head of the Bureau of Consumer Protection at the Federal Trade Commission, shared his vision for consumer privacy protection with an audience at the IAPP’s Privacy Academy on September 30, 2010. Mr. Vladeck began by reminding the audience that the FTC is aggressively enforcing on privacy and data security matters, having brought 29 cases to date. Where possible, the FTC joins forces with other federal regulators, such as the Department of Health and Human Services, to seek broad relief that the FTC could not otherwise get on its own. Mr. Vladeck indicated that the FTC also works closely with the states, citing a recent case in which the FTC filed concurrent settlements with 36 state attorneys general. Mr. Vladeck stated that the FTC plans to continue to bring cases to ensure that companies “reasonably” safeguard information.
Mr. Vladeck noted three key areas for future enforcement. The FTC will (1) bring more cases involving “pure” privacy, i.e., cases involving practices that attempt to circumvent consumers’ understanding of a company’s information practices and consumer choices; (2) focus enforcement efforts on new technologies (Mr. Vladeck noted that, to assist staff attorneys in bringing these sorts of cases, the FTC has hired technologists to assist and also have created mobile labs to respond to the proliferation of smart phones and mobile apps); and (3) increase international cooperation on privacy issues (Mr. Vladeck cited the FTC’s recently-announced participation in the Global Privacy Enforcement Network).
Mr. Vladeck discussed the FTC’s roundtable sessions which, in his view, will form the basis for the FTC’s new vision for privacy. He believes some of the past approaches to privacy were not providing appropriate protections to consumers. Mr. Vladeck noted a few key lessons from the roundtables: (1) information is now cheaper to save than to destroy; (2) the distinction between PII and non-PII is blurring and it is increasingly difficult to be truly anonymous; (3) consumers understand very little about how their information is handled and with whom it is shared; (4) many businesses do not interact directly with consumers so consumers are particularly confused about those entities’ information practices; and (5) the flow of information brings tremendous benefits such as personalized online environments, and technology may offer solutions in the privacy space.
With respect to the eagerly awaited FTC report resulting from the roundtable sessions, Mr. Vladeck indicated that the report is still on target to be released this fall. It is currently under review by the FTC Commissioners. The report will be issued in draft form for public comment. The big picture issues that likely will be addressed are:
1.Privacy by design. Mr. Vladeck indicated that companies should build privacy into new procedures, technologies and systems. He stressed the importance of practicing good data hygiene from the beginning, with a focus on information security and data minimization.
2.Increased transparency. Mr. Vladeck noted that privacy notices help to promote accountability, but that we need better privacy notices.
3.Simplification of consumer choice. This would allow consumers to focus on choices that really matter to them rather than on information practices consumers would expect. Thus, consumers would pay attention to issues that really matter rather than being inundated with irrelevant notices. In addition, Mr. Vladeck stressed the importance of presenting a privacy notice at the point of data collection. He also focused on having more consistent formats for privacy notices. In addition, Mr. Vladeck believes additional protection is warranted for sensitive data such as health, financial and location data.
4.Access to data. Mr. Vladeck noted that consumers are particularly concerned about the collection and aggregation of data in ways they don’t expect. Providing individuals with access to data would promote transparency, particularly with respect to information services companies.
5.Consumer and business education. Consumers should better understand Internet tracking and choice options.
In addition, Mr. Vladeck indicated that the FTC is examining the viability of a Do-Not-Track preference mechanism that marketers would need to check. The FTC will continue to explore the most appropriate means for consumers to exercise their preferences.
Mr. Vladeck stated that, while the FTC has always supported self-regulation and will continue to do so, he is personally “disappointed” in industry’s progress in implementing various proposals in the behavioral advertising arena. He urged industry to “get moving” so the regulators “don't lose their patience.”
There also was discussion regarding several legislative initiatives, including the Boucher and Rush proposals (which Mr. Vladeck is concerned focus too heavily on “already over-burdened” privacy notices) and data breach legislation. Mr. Vladeck indicated that the ability for the FTC to obtain civil penalties would be “invaluable” to the FTC in protecting consumers.
Mr. Vladeck left the audience with three concluding thoughts. First, he said that his vision of consumer privacy would include “privacy by design” in which companies would incorporate privacy protections as they develop new products and services. Second, he stressed the need for consumers to have greater access to information about organizations’ privacy practices. Third, Mr. Vladeck noted that the FTC will continue robust enforcement in the privacy and data security arena to promote security and ensure that consumer choices are respected.