The Federal Trade Commission has now held the second of its three privacy roundtable events. The first, on Dec. 7, focused on data collection and use online and offline, including consumer expectations surrounding various practices and the state of self-regulation. The second roundtable, held Jan. 28 in Berkeley, Calif., focused on how technology can affect consumer privacy — both privacy-enhancing means and in ways that may threaten consumer privacy. The third event (March 17 in Washington, D.C.) will focus on several themes, including how to safeguard health data and other sensitive consumer information.
One common thread that has run through the roundtables so far is the FTC’s apparent concern that there’s a gap between what consumers know and assume, and what actually happens with their data. This was reiterated last week by the remarks of David Vladek, director of the FTC’s Bureau of Consumer Protection, and commissioner Pamela Jones Harbour.
So, where is the FTC headed with this series? What is the likely outcome? What form will that take? These, of course, are the $64,000 questions and no one, not even the FTC itself, knows the answers at this stage.
The FTC has made clear that it’s seeking a new privacy framework. The roundtables are designed to provide a record from which to build that framework. The framework would then be used by to apply the FTC’s authority under Section 5 of the FTC Act (which prohibits unfair and deceptive acts and practices in national commerce) to companies’ privacy practices to determine whether they are compliant.
What will this framework look like? At this stage, I think it will be a sliding scale, where greater transparency and choice mechanisms will be required as the privacy risks, including the risk of identity theft, go up.
This sliding scale is likely to include a component relating to the FTC’s view of consumers’ reasonable expectations of how their data will be used and shared under the circumstances. There are some clues that this is the way things are going. The FTC has stated that it does not think that past frameworks have been a complete solution. According to the commission, the “notice and choice” framework was helpful in terms of improving transparency and consumer choice, but it has resulted in privacy policies that consumers struggle to read and understand. The “harms-based approach” that followed — focusing the commission’s limited recourses on the activities that cause the most harm — was also helpful (it resulted in the popular Do Not Call List), but too limited to protect the privacy of all consumers. It seems unlikely at this stage that the commission will throw these children out with the privacy bathwater, and more likely that it will incorporate them into a broader framework.
What form will the new framework take? Again, we have a clue: the FTC has said that it will issue a report in June or July 2010. This could be a staff report, a commission report or even a report to Congress. The latter seems unlikely at this stage, but if the commission were to issue such an FTC report, as it did on privacy in 2000, it may also propose new legislation or new aspects to legislation that is now pending in Congress.
This could be in the form of an amendment to the FTC Improvements Act, now pending in the Senate (having been passed by the House). That bill would give the FTC broad powers, including the ability to seek civil penalties in Section 5 cases for the first time, an easier and quicker mechanism for creating new trade regulation rules, and the express authority to sue not only those who violate the FTC Act, but also those who provide “substantial assistance” to those who violate the FTC Act.