FTC privacy report appeals to Congress as critics assail self-regulation

The FTC issues a privacy report that garners overall praise but criticism for its self-regulatory proposals.

The Federal Trade Commission called on Congress Monday to enact basic privacy legislation and promised to work with legislators on new laws, while at the same time asking private industry to step-up self-regulation.

Reaction was mixed from critics who want policies with teeth and less self-regulation, which has not proved to be effective in many high-profile cases, including FTC action against the likes of Google and Facebook.

The best-practice recommendations for commercial entities that collect or use consumer data were contained in an FTC document entitled "Protecting Consumer Privacy in an Era of Rapid Change."

The report is a follow-up to a preliminary FTC report on consumer privacy policy released in 2010.

"If companies adopt our final recommendations for best practices - and many of them already have - they will be able to innovate and deliver creative new services that consumers can enjoy without sacrificing their privacy," Jon Leibowitz, FTC chairman, said in a statement.

The report called for "Privacy by Design" and said companies should build privacy principles into products and services, simplify consumer choice, offer clear privacy notices, provide reasonable access to consumer data, and expand consumer education around privacy.

Reaction was mixed with some groups praising the overall effort but criticizing the self-regulation proposal.

"The harvesting and sale - often in real-time - of our valuable data, including about our financial and health interests, poses a major threat to consumers.  The FTC's call for legislation is a digital wake-up call to Congress," said Jeffrey Chester, executive director of the Center for Digital Democracy.

But Chester, along with others also chided the FTC calling their self-regulation proposal "disappointing."

"However, we call on the FTC to specifically spell out how to ensure consumers have meaningful "choice" to control the collection and use of their information.  The commission's overall support for industry self-regulation is disappointing, and reveals a FTC still too often constrained from effectively protecting the public."

The Electronic Privacy Information Center (EPIC) also called out the FTC on the self-regulation issue and said  in a statement the FTC's privacy framework doesn't exceed other proposals.

"The framework is not as extensive as the White House Consumer Privacy Bill of Rights and depends on industry self-regulation. EPIC previously commented on an earlier draft of the framework, pointing out that the FTC "mistakenly endorses self-regulation and 'notice and choice,' and fails to explain why it has not used its current Section 5 authority to better safeguard the interests of consumers."

FTC commissioner J. Thomas Rosch, who cast the only dissenting vote in a 3-1 decision, said regardless which privacy document is adopted the issue is whether privacy practices are voluntary or federal requirements.

Over the next year, the FTC plans to focus its policy making in five areas: Do Not Track, Mobile, Data Brokers. Large Platform Providers and Promoting Enforceable Self-Regulatory Codes.

The FTC said in the report that the recommendations do not apply to companies that "collect only non-sensitive data from fewer than 5,000 consumers a year, provided they do not share the data with third parties."

See also: