Response was swift and generally positive to the Federal Trade Commission's release of its final report on privacy protection in the digital age.
The report backs a voluntary do-not-track regime, both browser- and website-based, but suggests legislation is needed to regulate online data brokers and a general online privacy framework that will put teeth into voluntary efforts to provide consumers more transparency, choice and control.
"It is gratifying to see that the input provided by the Future of Privacy Forum was useful to the FTC, which repeatedly cites the Forum in the Report," said Christopher Wolf, co-chair of the Future of Privacy Forum. "The FTC's definition of the scope of privacy protection is flexible and sensible, and allows for use of de-identified data.
"It is not surprising that the Commission joins in the call for baseline privacy legislation and data security legislation. There appears to be a groundswell of support for legislation. With that said, the FTC has called for legislation before, so by itself, this support will not necessarily lead to legislation anytime soon. On Do Not Track, the FTC correctly is prepared to wait for the ongoing self-regulatory efforts to proceed. A lot of progress has been made and can be expected."
Jeff Chester of the Center for Digital Democracy has been one of the leading voices for online privacy protections. He praised the effort, but called for more. "The Commission's new privacy report zeros in on one of the most glaring threats to consumers today-the growth of the online-merged with-offline data collection complex. In its call for Congress to enact legislation to rein in the data broker industry, the FTC has opened up an important new â€˜front' in the battle to protect consumer privacy... Overall, the FTC's call for ensuring the public has greater control over how their data is collected and used online, should prompt industry leaders to rethink how they address protecting consumer privacy. The FTC's further clarification of what is considered personally identifiable also is a step forward."
In order to be able to anticipate future uses of data, FTC recommends a definition of personally identifiable information in terms of "data that, while not traditionally considered personally identifiable, is linkable to a consumer or device."
But the battle remains. "We call on the FTC to specifically spell out how to ensure consumers have meaningful "choice" to control the collection and use of their information," said Chester. "The commission's overall support for industry self-regulation (such as the largely invisible â€˜icon' placed on ads) is disappointing, and reveals a FTC still too often constrained from effectively protecting the public."
While a source said cable operators and phone companies lobbied hard for being able to use deep packet inspection, the FTC decided that ISPs who use DPI are engaging in a different relationship with the customer and
"should not be exempt from having to provide consumers with choices" over whether or not its packets get inspected. "This is true whether the entity tracks consumers through the use of DPI, social plug-ins, http cookies, web beacons, or some other type of technology."
"The commission resisted calls from the telephone and cable lobby to endorse the controversial Deep-Packet Inspection (DPI) surveillance system,"s aid Chester. "The FTC plans to hold a workshop and conduct further study on this critical privacy and civil liberties issue, which is prudent."
Adonis Hoffman, communications professor at Georgetown and former general counsel at the American Association of Advertising Agencies, praised the report as a good balancing act between regulation and the marketplace.
"Once again, the FTC has shown its sensitivity for the need to balance consumer interests with business realities," he told Multichannel News. "This report puts the burden on companies to implement privacy best practices, and it commendably exempts small businesses from this burden. As with any self-regulatory framework, the test will be enforcement. Predictably there is bound to be one or more examples of bad behavior where consumers get harmed. When that happens, it will be incumbent on the FTC to come up with strong sanctions and send a clear message that consumer privacy matters. If the commission does not act boldly in those cases, it will run the risk of being seen as too cozy with the industries it regulates. All things considered, the report should provide a good predicate for any major privacy legislation."
Amy Mushahwar, data privacy & security attorney at Reed Smith LLP, was all for self-regulation. "We agree with the FTC that industry's self-regulatory efforts concerning the development of a Do Not Track browser standard have come a long way during the past year, and we also agree with the FTC that the significant progress already made by the Digital Advertising Alliance will likely obviate the need for legislation on this issue," she said in an e-mailed statement. "It is the right thing to do, and it is getting done. The fact that the FTC is continuing to work with industry on these issues is a very positive sign."
FTC chairman Jon Leibowitz told reporters Monday he was very confident a "do not track" regime for online data could be achieved short of legislation.