Online privacy protection for consumers has been built around the idea of "notice and choice" but it was clear to me at Thursday’s Federal Trade Commission Privacy Roundtable at UC Berkeley that top FTC officials think the traditional system isn’t working.
The question, of course, is: What do we replace it with?
The online industry’s giants like Google and Facebook, want to spy on you as much as possible, compile data about your web surfing and use that data to serve you up to advertisers.
I think information about you belongs to you and you have the right to decide who gets it, how it’s used and how long it’s kept. Indeed, you should be able to say whether it’s gathered at all.
The consumer privacy "protection" system has been that a company has a privacy policy that explains its data collection, use and retention policies. Consumers then supposedly have the ability to exercise "choice" in deciding whether they want to use the services. If a company violated its own privacy policy, it could face FTC sanctions for an unfair trade practice.
Never mind that the company could have any privacy policy it wants and could change it on a whim. If they say one thing and do another, and are caught, there can be sanctions. But the system to guarantee consumer privacy is absolutely not working in the real world.
Privacy policies are mind-numbing pages of legalese and bafflegab that nobody understands, probably not even the teams of lawyers who write them. So consumers don’t get real notice and without that, there is no real choice.
FTC Consumer Protection Bureau chief David Vladeck acknowledged as much when he said that "consumers have little understanding about data collection procedures" and noted that most consumers think that a company "having a privacy policy means it doesn’t share data." That is not the case at all.
Privacy guarantees, he said, "need to be baked in at the beginning rather than being a half-baked after thought."
FTC Commissioner Pamela Jones Harbour disputed recent statements by Facebook CEO Mark Zuckerberg that expectations about privacy are changing and people are more willing to share information on line. She said surveys continue to demonstrate privacy remains a big concern.
Panels comprised of representatives of industry, academics and some consumer groups debated technology and privacy, privacy implications of social networks (like Facebook), privacy implications of cloud computing, privacy implications of mobile computing, and technology and policy.
Industry representatives like Erika Rottenberg, general counsel for LinkedIn, Tim Sparapani, Facebook’s director of public policy and Nicole Wong, deputy general counsel for Google down played the need for regulations. They argued they need the trust of their users and claimed they compete on privacy issues.
"Certainly there are bad actors out there," said Rottenberg.
"The credible players are all here," said Wong.
They touted the value of self-regulation, which if there are "bad actors out there" can’t be working all that well, I’d say. Nor did they address their own data gathering operations, many of which questionable.
The good news from this Privacy Roundtable is what I’d say is a clear recognition that "notice and choice" is not working to provide meaningful privacy guarantees. Undoubtedly that will be reenforced at another Privacy Roundtable in March in Washington, DC.
With the recognition that "notice and choice" isn’t cutting it, Congress and the FTC can focus on the need for real regulations enforced by the FTC governing how consumers’ data can be gathered, used and stored. Such regulations based on Fair Information Principles would not only protect consumers’ rights, but would also build consumers’ trust in online activities, to the benefit of the companies.
Fri, Jan 29, 2010 at 5:44 pm