As the FTC gathers comments on its proposed privacy rules, including a “Do Not Track” proposal, FTC Commissioner Julie Brill told a crowd of privacy researchers and policy wonks gathered at UC Berkeley that her agency was willing to go to Congress if online advertisers and analytics companies don’t clean up their act.
While Do Not Track has become a buzz phrase that has been getting a lot of attention, there’s more that’s needed beyond implementing a good no-tracking option, Brill said. First, companies need to start considering “privacy by design.” That means that companies building new products need to think about privacy from the get-go, not just “retrofitting” privacy features once there’s a problem. Online companies also need to think about collecting less information about their users and holding it for a shorter period of time, Brill added. That’s a suggestion that puts the FTC in direct conflict with the data-retention policies desired by the Department of Justice and law-enforcement agencies.
Second, privacy choices need to be simplified for consumers. Privacy policies are too cluttered and confusing, and tend to be full of information that’s barely relevant to the consumer. For example, an online shopper already knows that his address will be shared with FedEx or another shipper when he buys something.
Privacy policies need to address the collection of the data itself, not just how the data is used. For example, plenty of companies, such as ad networks, are holding large amounts of consumer data and could stop using it for behavioral advertising if consumers opt out. But they might be less willing to not collect the info at all. That’s because they can still sell or share that data with others.
Finally, data practices need to be transparent. Not only should consumers know what kind of data companies are collecting about them, but the FTC is actually proposing that consumers should get access to that data, Brill said.
While the commission originally called for an approach that involved a persistent “header” alerting websites to the data-collection preferences of users who visit those sites–exactly the mechanism that Mozilla just unveiled in its new Firefox browser–the FTC is open to considering other strategies, she said.
Brill also addressed a question she’s been getting frequently: what does she think about industry response to the FTC privacy report so far? Her answer: It’s nice to be getting some reaction at all. The commission called for industry to self-regulate back in February of 2009, she noted. “Industry has been kind of slow to deal with this issue… We’ve been very pleased that since we released our report two months ago, we seemed to have caught industry’s attention now.”
If the self-regulation proposals coming in aren’t sufficient to protect consumers, “we will ask Congress to take up the issue,” Brill concluded.