FTC Testifies on the State of Online Consumer Privacy to Senate Committee

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

Industry stakeholders have made important progress in implementing “Do Not Track,” a mechanism proposed by the Federal Trade Commission last December that would allow consumers to choose not to have their Internet browsing tracked by third parties, the FTC said today in testimony before the Senate Committee on Commerce, Science and Transportation.

The FTC’s testimony discussed its efforts to protect consumer privacy through enforcement actions, consumer education, and policy initiatives like the FTC staff’s recent preliminary privacy report.

That report—titled “Protecting Consumer Privacy in an Era of Rapid Change”—proposed a framework to balance consumer privacy with industry innovation by building privacy protections into everyday business practices (“privacy-by-design”); simplifying privacy choices for consumers; and improving transparency with clearer, shorter privacy notices.

Consumer Choice Mechanisms

“Do Not Track is no longer just a concept, it is becoming a reality,” said FTC Chairman Jon Leibowitz,. “It’s encouraging to see companies responding positively to our call for more consumer choice about their online privacy.”

The testimony noted that two of the major Internet browser vendors—Microsoft and Mozilla—have announced that they are developing choice mechanisms for online behavioral advertising.

In addition, the World Wide Web Consortium has accepted a submission by Microsoft to consider a technical standard for a universal choice mechanism and has announced that it is conducting a workshop in April 2011 on how to incorporate Do Not Track preferences into Internet browsing.

In the FTC’s view, an effective Do Not Track regime would:

• Be implemented universally, so consumers do not have to opt out as they go from site to site;

• Have an opt-out mechanism that is easy to find and easy to use;

• Offer choices to consumers that are persistent and that would not be deleted if, for example, consumers cleared their cookies or updated their browsers;

• Be effective and enforceable; and

• Let consumers opt out of being tracked for reasons other than commonly accepted uses, such as fraud prevention.

Universal Opt-Out

“A robust, effective Do Not Track system would ensure that consumers can opt out once, rather than having to exercise choices on a company-by-company or transaction-by-transaction basis,” the testimony stated. “Such a universal mechanism could be accomplished through legislation or potentially through robust, enforceable self-regulation.”

Consumers may want to opt out of more than targeted ads, the FTC said. For example, they might want to prevent prospective employers or insurers from examining their browsing habits. An effective Do Not Track system would go beyond simply opting consumers out of receiving targeted advertisements; it would opt them out of having their behavior tracked online, the testimony states.

“Commission staff will monitor further industry innovation in this area, which may build upon existing industry initiatives and incorporate elements of the different mechanisms being proposed today,” said the FTC.

Privacy Protection Efforts

The Commission stated that protecting consumers’ privacy had been a priority for 40 years.

“During this time, the Commission has employed a variety of strategies to protect consumer privacy, including law enforcement, regulation, outreach to consumers and businesses, and policy initiatives,” the FTC said.

According to the testimony, in the last 15 years, the FTC has brought more than 300 privacy-related actions, including:

• 32 data security cases,

• 64 cases against companies for improperly calling consumers on the Do Not Call registry,

• 86 cases against companies for violating the Fair Credit Reporting Act (FCRA),

• 97 spam cases,

• 15 spyware (or nuisance adware) cases, and

• 15 cases against companies for violating the Children’s Online Privacy Protection Act (COPPA).

The FTC has obtained $60 million in civil penalties in Do Not Call cases; $21 million in civil penalties under the FCRA; $5.7 million under the CAN-SPAM Act; and $3.2 million under COPPA, the testimony noted.

The Commission vote to approve the testimony was 4-1, with Commissioner William E. Kovacic dissenting. Text of the testimony can be found here on the FTC website.