Compared to the Federal Trade Commission’s recent report on privacy, the Commerce Department report appears to be friendlier to industry, which is not surprising given the department’s traditional role of helping U.S. businesses prosper. While the FTC has stated that industry self-regulation has been a failure for consumers, the Commerce Department report makes a variety of suggestions for improving privacy practices, but keeps those recommendations based on industry self-regulation.
While the new report contains a generic call for more transparency, it’s less critical of current online practices. And although the report it calls for the FTC to be the privacy enforcement agency, the Commerce report goes so far as to suggest that companies should have a “safe harbor” defense against law-enforcement actions as “so long as their practices do not deviate from the code’s approved provisions.”
Below, some other key elements of the Commerce Department report.
» A “Privacy Bill of Rights” for online consumers. The adoption of basic privacy principles “should prompt companies to be more transparent about their use of consumer information; to provide greater detail about why data is collected and how it is used; to put clearer limits on the use of data; and to increase use of audits and to increase their use of audits and other ways to bolster accountability.”
» Create a new Privacy Police Office. This office would “examine commercial uses of personal information and evaluate whether uncertainty or gaps in privacy protections exist.” The Commerce report suggests the new office should be listening to industry, consumer groups, privacy advocates and other stakeholders.
» National policies to address commercial data breaches in a consistent way. A national approach to privacy leaks is needed because of “inconsistent state laws.” While states’ enforcement powers should be preserved, there need to be “comprehensive national rules” telling businesses how to notify their consumers about data security breaches.
» Revamping the Electronic Communications Privacy Act. The ECPA is one of the more important federal privacy laws, but it’s a 1986 law passed that essentially just updated 1960s-era anti-wiretapping laws. In the internet era, the ECPA needs to be updated to include rules on privacy protection for “cloud computing and location-based services.” That seems to be code suggesting that since we have laws preventing a corporation from listening in on telephone calls, it might be a good idea to update the laws to limit how they might collect and use location information, or collect Facebook updates or other information sent to social networks.
The report is meant to complement the FTC’s own recommendations regarding online privacy, which were released in a report on Dec. 1. The FTC’s suggestions included the recommendation that web browsers include a “Do Not Track” feature. The FTC is currently accepting public comments about its report, which so far has gotten a mixed reception in Congress.