FTC Final Privacy Report Draws a Map to Meaningful Privacy Protection in the Online World
Earlier today, the Federal Trade Commission (FTC) released its final report on digital consumer privacy issues after more than 450 companies, advocacy groups and individuals commented on the December 2010 draft report. The final report creates strong guidelines for protecting consumer privacy choices in the online world. The guidelines include supporting the Do Not Track browser header, advocating federal privacy legislation, and tackling the issue of online data brokers. We’re pleased by the flexible and user-centric nature of the privacy report, but we will continue to monitor how such principles are actually enacted.
Do Not Track & W3C
Echoing the support from the Obama Administration in its recent privacy white paper, the FTC praised the Do Not Track flag, which would provide an in-browser setting that users could use to tell companies that they do not want to be tracked around the web. While acknowledging the important steps media and advertising consortiums like the Digital Advertising Alliance have made toward better informing users about how behavioral advertising works, the FTC emphasized the World Wide Web Consortium’s (W3C) ongoing effort to craft meaningful standards to govern tracking in its multistakeholder process, which includes representatives from EFF. These meaningful standards will ensure that Do Not Track does not become a weakened "Do Not Target" standard. The Commission report stated: “The W3C group has made substantial progress toward a standard that is workable in the desktop and mobile settings, and has published two working drafts of its standard documents. The group’s goal is to complete a consensus standard in the coming months.”
The issue of Do Not Track versus Do Not Target is fundamental to online behavioral tracking. In a dissenting opinion, Commissioner J. Thomas Rosch raised questions about industry figures such as the Digital Advertising Alliance’s influence on W3C process: “It may be that the firms professing an interest in self-regulation are really talking about a “Do Not Target” mechanism, which would only prevent a firm from serving targeted ads, rather than a “Do Not Track” mechanism, which would prevent the collection of consumer data altogether.”
We share Commissioner Rosch’s concerns. EFF is working through the W3C process with the good faith belief that the consensus end-result will provide users with a meaningful form of protection from tracking, not just the display of targeted advertisements. By continuing to engage in this forum with both industry figures and other consumer advocates, EFF is committed to ensuring that a real Do Not Track mechanism is created and we’re sending representatives to Washington D.C. next month to fight for users and innovators in the next W3C meeting.
We were pleased that the FTC sang the praises of the HTTPS Everywhere Firefox Addon (developed by EFF and the Tor Project) as a mechanism to give users privacy and security when they browse the web. If you haven’t downloaded HTTPS Everywhere, you should do it now—it’s free in both senses of the word and we’ve even got a beta version available for Chrome.
Advocacy groups like the Privacy Rights Clearinghouse and the World Privacy Forum have done substantial work articulating the privacy concerns around data brokers. “Data brokers” is a loose term to describe a wide amalgamation of different companies who collect data on individuals through public, semi-public, and occasionally private sources in both the online and offline worlds and then repurpose this data for business purposes, such as selling data in bulk to large advertisers or creating websites that list individual profiles of individuals. As the FTC correctly noted, many consumers are unaware that these companies exist. As the Privacy Rights Clearinghouse explains on its site, companies in this largely unregulated industry may not offer users a way to opt out of having data included in broker lists, may charge fees to have data removed, and may repost data at a later date that was suppressed at a user’s request.
The FTC articulated the problems with data brokers and reaffirmed its support for legislation that would provide individuals with access to their personal data held by these companies. In addition, the FTC urged the data broker industry to create a central website that would explain the access rights and other options (e.g. opt out choices) available to consumers and links to exercising these choices. Notably, the Privacy Rights Clearinghouse has already gotten things started with its Online Data Vendors List.
We think this is a strong first step, but the FTC could easily have urged data brokers to provide a single website through which users can opt-out of having their data listed by any online data brokers. Right now, not all data brokers provide users with a method to opt-out of having their data personally display personal data listed. A user who wants her information removed from these sites has little legal weight to force companies to respect her choice. One exception to this is California’s recently passed Personal Information: Internet Disclosure Prohibition. Introduced by Senator Ellen Corbett, the law prohibits websites from intentionally posting the home addresses of individuals enrolled in California’s Safe at Home program (such as victims of stalking and domestic violence who enroll in the state-wide address protection program). Outside of this very narrow category of users, individuals have no right to have their data suppressed from publicly displayed data broker records.
In general, we’re pleased by the new privacy framework set forth by the Commission. We hope Congress, the Commerce Department, and industry figures will turn to it as they continue crafting policy around user data in coming years.