Today’s title could be the name of my next band.  Instead, it is today’s installment of our analysis of the FTC’s “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policymakers” in preparation for my presentation next week at the SMX West Conference.  The FTC is promoting three aspects: (1) privacy by design; (2) clear and meaningful choice; and (3) transparency.  Today, we focus on transparency and then look at the views of the two concurring statements in the report.


The FTC says privacy policies should be clearer, shorter and more standardized.  The FTC knows no one reads them, which is even more true with mobile applications because of screen size (call me guilty).  If the meat of the policy were in the same place every time and companies used the same terms about what was being collected and who can see it, consumers would know exactly where to look before deciding whether to use a web-based service.  Unfortunately, the FTC points to the financial industry privacy notices as a standard.  I’ve read even less of the little notices stuffed in my credit card bill or bank statement than I have web privacy policies.

Next, the FTC wants companies to provide reasonable access to the consumer data they maintain.  We will now see commercials with a guy strumming a guitar in a pirate costume talking about how he would not have lost his girlfriend if he had gotten his free data report at freeonlineprivacyreport.com rather than his free credit report, because the Fair Credit Reporting Act is a template for providing consumers access to the data.  This brings up concerns about the cost of access for businesses, authentication of the requesters’ identity, and privacy threats if access is more readily available.  Basically, it would require companies to tie information to a specific user, when many times companies retain otherwise anonymous information that can’t be traced to a specific user.

The FTC also wants changes to privacy policies to be more prominent if the use of the data changes, requiring consumers to affirmatively consent to the change.  Under existing law, the FTC has already punished companies that made unilateral, retroactive changes to material terms of agreements.  They are threatening to do the same with privacy policies.

I hate to keep coming back to Facebook, but it is an easy example.  The FTC would prefer that before you sign up for a Facebook game, you have to consent to the use of your data.  Not in a convoluted policy that people won’t read, but in some box that comes up and says: “Dude, if you play this game, we are going to review and sell all of your information on Facebook and that of your friends too.  Are you sure this game is worth it?”  That would make the FTC happy and perhaps make less clutter on Facebook because I don’t care about your farm or your mafia.

The Concurrers

There are five members of the Commission.  Two of them filed concurring statements.  Commissioner Kovacic voted to issue the report to stimulate more discussion, but does not endorse its content because he believes the Do Not Track recommendation is premature.  Commissioner Kovacic appears to be a free market guy advocating for some time to let the market determine whether privacy is really that important and whether consumers will drive the change.  He points to the harm companies have had to face as a result of various data breaches, both economically and on the public relations side.  In addition to the many questions posed by the report, he invites comments on others.  His questions regarding Do Not Track are worth noting:  “Would it be significant if, at the time [Do Not Track] was implemented, there was no legal mandate (at least for companies that did not promise to comply with such requests) requiring websites and others to comply?  With or without new legislation, would there be an effective enforcement mechanism?  Would consumers be able to detect violations?  Would enforcement officials?  Further, is there a risk consumers will be harmed if they believe, mistakenly, that websites are incapable of tracking them?” He also asks if content providers can provide less to consumers who sign up for Do Not Track.  Likewise, could Google offer slightly better results to the person who does not sign up for Do Not Track?

Commissioner Rosch also appears hesitant to implement new rules without allowing the market time to react.  He notes misleading privacy policies are already actionable and that companies can’t avoid liability by not having a privacy policy because that would be “competitive suicide.”  Imagine if a new social networking site came on the scene and simply refused to provide any information about its privacy policy.  He also expresses concern that self-regulation would allow the established players to raise the privacy bar so high that start-ups will find it difficult to compete.  He would prefer to focus on the notice side:  “If a consumer is provided with clear and conspicuous notice prior to the collection of information, there is no basis for concluding that a consumer cannot generally make an informed choice.” Should Do Not Track become law, he thinks it should be opt in to see how many consumers truly want it.

The report has accomplished the goal of fostering discussion on this topic.  As noted in prior segments, Congress would have to take action to make Do Not Track law, and in our next post we will look at some of the current legislative proposals that came after the FTC’s report.