The main themes of the FTC report are that rapid changes in technology and marketers' adoption of these new technologies require a new privacy framework, and that companies that collect, share and use consumers' information are not doing enough to protect consumers' privacy.
Regarding privacy notices, the FTC criticized companies for using privacy notices that make it hard for consumers to understand what information is being collected, how it will be used and shared, whether a person can opt out of having information collected, and how to opt out. The FTC also criticized companies for burying their privacy notices in user agreements or otherwise making them hard to find. In fact, the FTC recently announced the settlement of charges against a company for an inadequate privacy notice. The FTC alleged the company violated federal law by burying its privacy notice in the 30th paragraph of a long user agreement and providing only a vague statement about how it intended to use consumers' information.
The FTC's report does not have the force of law, but it should be seen as a collection of "best practices" as interpreted by the country's primary consumer protection agency.
- The FTC wants companies to provide a description of their privacy practices that is short, easy to understand, and easy to find.
- The FTC also wants companies to offer consumers a chance to see the data collected about them, and in some cases allow consumers to correct or delete such data.
- The FTC is not requiring companies to offer an opt-out to everyone, but for companies that do provide consumers with the choice of opting out of all or part of their information collection, the FTC wants companies to tell consumers about that choice up front.
For example, the FTC said where a company has a relationship with a consumer (or fan), the choice mechanism should be offered at the point when the consumer is providing data or otherwise engaging with the company.
- In the context of an online retailer, the disclosure and choice mechanism should appear clearly and conspicuously on the page on which the consumer types in his or her personal information.
- With respect to social media services, if consumer information will be conveyed to a third-party application developer, the notice-and-choice mechanism should appear at the time the consumer is deciding whether to use the application and, in any event, before the application obtains the consumer's information.
The FTC also outlined a new form of choice for online behavioral advertising - a "do not track" program. (Online behavioral advertising, or online tracking, refers to the collection of information, usually using cookies, from a computer about a computer user's activities on the Internet, over time and across different websites.)
The FTC runs the national Do Not Call registry, which allows consumers to put their landline and cellular phone numbers on a list; telemarketers are not supposed to call anyone on that list for telemarketing purposes. The FTC said it supports establishing a do not track program, probably using some kind of browser setting, so that consumers can opt out of online tracking. In January, a bill called the "Do Not Track Me Online Act" (H.R. 654) was introduced in Congress. The bill would authorize the FTC to establish standards for an online opt-out mechanism that would allow consumers to "effectively and easily" prohibit the collection or use of personal information (with some exceptions).
- Privacy notices should be short, clear and easy to understand.
- This notice should be easy for a user to find - not buried in a long user agreement.
- The policy should clearly spell out how the company uses information, with whom the company shares the information, whether an individual can opt out of having the information collected or used, and how to opt out.
- Individuals should be offered a chance to see the information that is collected about them and be allowed to change or delete the information in some cases.
- Information should be saved only as long as necessary and companies should implement plans for safeguarding that information.