Senate Committee Holds Hearing on the State of Online Consumer Privacy
On March 16, 2011, the U.S. Senate Committee on Commerce, Science, and Transportation held a full committee hearing on the state of online consumer privacy. The hearing was the first in a series of hearings the Committee will hold on consumer privacy in the 112th Congress. The hearing focused on online commercial practices that involve collecting, maintaining, using and disseminating large amounts of consumer information, some of it potentially very sensitive and private in nature.
FTC Chairman Leibowitz was the first to testify, describing the FTC’s recent efforts to protect consumer privacy through law enforcement, education, and policy initiatives. Leibowitz then set forth some highlights from the Staff Report on consumer privacy and concluded with a discussion of issues related to the “Do Not Track” proposal. Leibowitz enumerated five critical principles that should be included in any Do Not Track system:
- Any Do Not Track system should be implemented universally, so that consumers do not have to repeatedly opt out of tracking on different sites;
- The choice mechanism should be easy to find and easy to use;
- Any choices offered should be persistent and should not be deleted if, for example, consumers clear their cookies or update their browsers;
- A Do Not Track system should not only allow consumers to opt out of advertising, it should allow them to opt out of tracking altogether; and
- A Do Not Track system should be effective and enforceable without technical loopholes.
Chairman Leibowitz testified he is “sort of agnostic whether the private sector does Do Not Track or Congress requires it.” To read the FTC’s prepared statement on the state of online consumer privacy, click HERE.
Lawrence E. Strickling, Assistant Secretary for Communications and Information of the Department of Commerce, testified that “the Department has concluded that the U.S. consumer data privacy framework will benefit from legislation to establish a clearer set of rules for the road for businesses and consumers, while preserving the innovation and free flow of information that are hallmarks of the Internet.” Both the Department of Commerce and the FTC have been encouraging self-regulation, while suggesting congressional action might be needed as a backstop.
Mr. Strickling, however, urged Congress to enact new legislation setting forth baseline consumer data privacy protections—that is, a "consumer privacy bill of rights" consisting of comprehensive Fair Information Practice Principles (FIPPs). FIPPs should be a collection of agreed-upon principles for the handling of consumer information that would provide clear privacy protections for personal data in commercial contexts that are not covered by existing Federal privacy laws or otherwise require additional protection. Additionally, the new legislation should provide the FTC with the authority to enforce any baseline protections. Lastly, the new legislation should create a framework that provides incentives for the development of codes of conduct as well as continued innovation around privacy protections, which could include providing the FTC with the authority to offer a safe harbor for companies that implement codes of conduct that are consistent with the baseline protections. To read Mr. Strickling's testimony, click HERE.
The second panel consisted of non-government witnesses, including both consumer advocates and corporate representatives. Erich D. Andersen, Vice President and Deputy General Counsel of Microsoft, testified that “privacy is no longer about being ‘let alone.’ Privacy is about knowing what data is being collected and what is happening to it, having choices about how it is collected and used, and being confident that it is secure.” John Montgomery, Chief Operating Officer of GroupM Interaction, stated that his company “want[s] to build consumer trust in the online experience” and that “consumers should be able to choose whether and how their data is collected or used for online behavioral advertising.” Ashkan Soltani, a researcher and consultant, noted that today’s technical defenses to online tracking are not able to stop leading tracking technologies. “To be effective,” Mr. Soltani testified, “privacy protections for consumers online will likely require both a technical and policy component, working in tandem.” Barbara Lawler, the Chief Privacy Officer of Intuit, focused on the need for balance between consumer participation, the control of information, and continuing data-driven innovation, stating that the key to ensuring the proper balance is “earning the customers’ trust.” Lastly, Chris Calabrese, Legislative Counsel for the American Civil Liberties Union, testified that if the collection of data is allowed to continue unchecked, capitalism will build “a complete surveillance state online.” “Without government intervention,” he testified, “we may soon find the internet has been transformed from a library and playground to a fishbowl, and that we have unwittingly ceded core values of privacy and autonomy.”
To view the hearing on the U.S. Senate Committee on Commerce, Science, and Transportation website, click HERE.
Are We Living in a Post-Disclosure, Opt-In World?
Today's New York Times Media Decoder Blog features an "on-the-record" discussion with Federal Trade Commission chairman Jon Leibowitz and Bureau of Consumer Protection chief David Vladeck. The question presented: "Has Internet Gone Beyond Privacy Policies?" The FTC (and Congress, for that matter) continue to signal that change may be imminent in the world of online privacy policies and traditional notions of opt-out consent.
The dilemma remains - if consumers don't want to read privacy policies, what would constitute true notice and consent? And, in the Web 2.0 world with consumers' insatiable appetite for on-demand, customized and interactive content, how can that process be handled in a manner that is both meaningful and consumer-friendly? What do consumers really want? And are their expectations regarding privacy simply inconsistent with the modern realities of social networking? Just yesterday, the blogosphere was abuzz with news of the Facebook CEO's comments at the Crunchies Awards that "[p]eople have really gotten comfortable sharing more information and different kinds but more openly and with more people."
At the end of the day, the real question (and answer) may have more to do with what constitutes "personal information," what consumers "reasonably" expect in today's world, and whether the sharing and use of certain kinds of information should be regulated.
In our current legal structure, even though such information flows around the world at breakneck speed, the definition of personal information ultimately depends on where you reside - and that, in turn, has grown out of social and cultural expectations. In the United States this has traditionally meant information that can be used to identify and victimize you (i.e., identity theft) - Social Security number, financial account number, and now, to a growing extent, medical information - although, in some new state statutes, the definition is much more broad. In Europe, the answer, for cultural and historical reasons, continues to be much more expansive, encompassing just about anything that can identify an individual.
So when an individual shares information on Facebook about his or her favorite music, or holiday plans, or the color of a piece of clothing, does that constitute "personal information"? What are consumers' reasonable expectations about how that information, if disclosed publicly -- or not so publicly (e.g., to one's "friends") -- should be used? And should the government regulate the sharing and use of such information by data brokers, social networks, cloud computing vendors, and advertisers?
Last year, the FTC introduced self-regulatory principles for behavioral advertising, but issued a warning that advertisers had one last chance before the FTC would take further steps to regulate. Has that time come? Mr. Vladeck told the New York Times today that the FTC will issue a report in June or July. Chairman Leibowitz said:
"I have a sense, and it’s still amorphous, that we might head toward opt-in."
What would such opt-in look like and how would it operate? Is any opt-in solution manageable in the online world? Can any proposed model keep up with rapid changes in technology and consumer expectations? And will this focus on online privacy issues affect and/or eclipse the progress of the many pending federal data security and breach notification bills?
We shall see.





