Federal Trade Commission Continues to Explore Consumer Privacy Protection Measures
Kelley Drye Client Advisory
On January 28, 2010, the Federal Trade Commission (FTC) held its second consumer privacy roundtable, focusing on technology’s effect on consumer privacy and its potential to both weaken and strengthen privacy protection. Similar to the first roundtable, the FTC’s second roundtable featured discussions by industry leaders, consumer groups, academics, and government representatives. The discussion continued to focus on whether the FTC’s current privacy paradigm, particularly the notice and choice model, sufficiently protects consumers and allows them to understand and control how personal information is collected and used.
FTC and Government Officials Reaffirm Concepts From December Roundtable and Highlight Future Practices
In keeping with themes from the FTC’s December roundtable[1], FTC officials discussed privacy policy concerns with the current notice and choice model of privacy protection. The FTC also provided insight into future Commission enforcement and potential regulation. For example, David Vladeck, the Director of the FTC’s Bureau of Consumer Protection, noted that the Commission intends to increase enforcement actions against organizations that engage in practices to undermine consumers’ privacy decisions about online marketing. Although Mr. Vladeck did not expand on the types of companies or practices that the FTC plans to target, he previously has raised concerns about the use of flash cookies, a technology that permits the storage of information about a user’s browsing habits and enables targeted behavioral advertising, which cannot be deleted in the same manner as traditional HTTP cookies.
Further setting the stage for some of the day’s topics, Commissioner Pamela Jones Harbour spoke about technology’s role as a “double-edge sword” because of its ability to both protect consumers and lead to consumer harm if used in unfair and deceptive ways. Commissioner Harbour also advocated for comprehensive legislation that would address both online and offline data collection, noting that “behavioral targeting represents just one aspect of a multifaceted privacy conundrum.”
In addition to the FTC’s comments, Daniel J. Weitzner, the National Telecommunications and Information Administration’s Associate Administrator for Policy at the Department of Commerce (DOC), outlined the goals of the DOC and President Obama’s administration to protect consumer privacy, including promoting the United States’s role as a leader in global privacy discussions and addressing consumer privacy protection in an increasingly transparent online environment. Mr. Weitzner also set forth a framework for privacy regulation discussions, noting that lawmakers and regulators need to balance a regulation’s protection benefits with harmful effects to online systems and services. The DOC has indicated that it will issue a Notice of Inquiry requesting information from industry leaders, academics, and government representatives about privacy regulation issues and concerns, and hopes to work with the FTC to create privacy regulation.
Panels Focus on Technology’s Role in Privacy Protection
- One panel focused on the developing tension between technology and privacy, noting that as technology becomes more sophisticated, consumers’ control over personal information diminishes. Panelists noted that many technologies developed for consumers’ benefit can be repurposed and used for nefarious data collection and other activities. Echoing the balancing theme advanced by the FTC and the DOC, panelists believe that the FTC should create privacy protections that control harm without robbing consumers of beneficial new technologies.
- Other discussions focused on the nature of information sharing practices, finding that technology itself is not the problem, but that privacy risk and consumer harm stem from how information is used once it is divulged by the consumer. For example, panelists were concerned that once consumers provide personal information to an organization that shares data with third parties, consumers lose control over how that information will be used by the third party in the future. These panelists believe the FTC needs to address regulatory gaps for third-party companies that buy and collect information, and use that information in ways the consumer did not anticipate or consent to.
- Further, the panelists addressed privacy implications for social networking and similar online services. In particular, panelists explored how social networking sites affect consumers’ view of their privacy and discussed views held by some industry leaders that consumers who put personal data on social networking sites have surrendered their privacy expectations. Despite privacy concerns, many panelists touted the benefits of these services, noting that online social networking advances the global economy and facilitates social interactions. Finally, some panelists believe that social networking sites’ privacy measures offer a model for consumer privacy protection for other industries because many sites allow consumers to customize and control privacy settings in a very detailed manner.
- In addition to social networking, panelists focused on privacy issues associated with cloud computing. This panel focused on consumer education and how the industry can help consumers understand data management, sharing, and use practices in the cloud. Many panelists noted that a high level of transparency is the key to helping consumers embrace cloud computing.
- Privacy concerns with mobile computing were also discussed. Mobile computing, similar to social networking and cloud computing, is a rapidly expanding form of technology that presents unique privacy protection challenges. Of particular concern to panelists is the spread of location-based advertising, a form of behavioral marketing which allows advertisers to target consumers through mobile devices by delivering advertisements based on a consumer’s location. Many panelists believe that lawmakers and regulators should increase oversight of location-based marketing practices, as well as behavioral marketing as a whole.
- Finally, discussions explored what role public policy should play in shaping and regulating technology. Panelists debated the efficacy of privacy enhancing technologies, such as spam filters, identity-theft monitoring software, and other products and services that consumers use to enhance online privacy protection. Many panelists supported government regulation that would promote the use of privacy enhancing technology, but cautioned that regulatory standards should be flexible in scope to avoid inhibiting the creation of new technology.
Themes that emerged from December’s roundtable included how organizations’ data collection and use practices should be regulated to best protect consumers without unduly constraining commerce. Similarly, this recent roundtable focused on how privacy protection measures can be created and applied without constraining technological development. FTC officials noted that future regulations should balance consumer privacy protections with the burdens on technological research and development, and take into account the benefits that new technology provides consumers. To protect the free flow of commerce and technological development, lawmakers and regulators may favor broad standards that can be applied to a wide range of situations and technologies.
Based on comments from the January roundtable, it is likely that the FTC will increase its law enforcement efforts targeting deceptive or unfair online data collection and marketing techniques, particularly those using stealth technology, such as flash cookies, to potentially undermine consumers’ privacy choices. Other issues to monitor moving forward include the possibility of comprehensive privacy legislation, which has already generated some interest in Congress, but could gain momentum following any announcements by the FTC.
The FTC’s next roundtable will take place on March 17, 2010 in Washington, D.C. The focus of this final roundtable will be on protection of health data and other sensitive consumer information, as well as identity management and accountability approaches to privacy protection.
Legislative Activity
A bipartisan group of House Energy and Commerce Committee Members led by Communications, Technology, and the Internet Subcommittee Chairman Rick Boucher (D-VA) is expected to soon circulate draft legislation designed to create baseline privacy standards to guide the collection and handling of consumers’ personal information over the Internet. Chairman Boucher has indicated that his goal is to provide consumers greater control and knowledge, thereby increasing their confidence in the security of the Internet. At the same time, he views targeted advertising as an essential business practice for many companies and hopes to promote, not interfere with, successful e-commerce. In his legislation, Chairman Boucher intends to replicate the best voluntary consumer protection and privacy practices that are already in place in the private sector and require industry-wide implementation of such practices, providing the FTC with broad rulemaking and enforcement authority. Chairman Boucher’s goal is to enact legislation this year. There is no companion bill in the Senate at this time, which could make enactment this year challenging. The Chairman’s legislation also will be affected by activities at the Federal Trade Commission.
Chairman Boucher was a featured speaker at a recent Kelley Drye event, “A Congressional Forum: The Legislative Agenda for 2010.” If you would like to receive invitations to future Kelley Drye Government Relations events, please email dcevents@kelleydrye.com.
Kelley Drye & Warren LLP
Kelley Drye & Warren’s Privacy and Information Security practice is a leader in advising clients on privacy and information security issues and has been at the forefront of developments in this growing area of the law. Our attorneys regularly counsel clients regarding all aspects of privacy and data security compliance, including drafting and amending privacy and information security policies, advising clients on interpreting their own policies, crafting data security programs for clients, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding their obligations in connection with handling clients’ customer data, and representing clients in connection with federal and state regulator privacy investigations regarding their privacy and data security practices.
For more information about this Client Advisory, please contact:
Dana B. Rosenfeld
(202) 342-8588
drosenfeld@kelleydrye.com
Alysa Z. Hutnik
(202) 342-8603
ahutnik@kelleydrye.com
[1] Kelley Drye & Warren LLP covered the FTC’s December 7, 2009, roundtable in greater detail in a past client advisory.