FTC privacy report backs more credit data access for consumers
Taking a cue from safeguards already in place for credit
card holders, the Federal Trade Commission is
proposing rules and business "best practices" intended to
shield and fortify Americans' privacy.
In a report issued
earlier this week, the agency called for a blend of business and legislative actions
that would give consumers more control over the personal data that is collected
about them. That data -- collected mostly through Internet and cellphone transactions -- is then
sold to others or used to target those same consumers with an onslaught of
narrowly focused ads.
The report recognizes the dizzying array of new threats to privacy in a digital world in which consumer data can be mined from Wi-Fi hot spots, tweets and games downloaded to smartphones, and then used by creditors, employers, insurance companies and landlords.
To a large
extent, the recommendations would give Americans the right to challenge errors
in all personal and financial data gathered about them and to correct those
errors, just as credit card holders and others now have the right -- under the Fair Credit Reporting Act -- to challenge
and correct reports from credit bureaus.
Most of the FTC's
recommendations call for voluntary action by retailers, advertising agencies, credit
card issuers, cellphone companies, Web operations and the relatively new
phenomenon of "data brokers," increasingly powerful entities that
collect, collate and sell a wide range of personal and financial information
But the FTC's
sweeping 112-page report, "Protecting Consumer Privacy in an Era of Rapid
Change: Recommendations for Businesses and Policymakers," also raised the
threat of federal legislation, especially if businesses fail to take swift,
significant and wide-ranging action.
'Do Not Track'
At the top of the FTC's
"This Is Not Just a Wish" list: a simple but robust "Do Not Track"
option for Web surfers.
companies adopt our final recommendations for best practices, and many of them
already have, they will be able to innovate and deliver creative new services
that consumers can enjoy without sacrificing their privacy," FTC
Chairman Jon Leibowitz said as the report was issued Monday.
confident that consumers will have an easy-to-use and effective 'Do Not Track'
option by the end of the year because companies are moving forward
expeditiously to make it happen and because lawmakers will want to enact
legislation if they don't," he said.
Data security, consumer notification
At the same time, the FTC
also suggested that Congress waste no time, reporting that legislation immediately
was required to strengthen data security and the standards to notify consumers
of any breaches in that security.
experts expressed concern that the recommendations could go too far, while many
consumer advocates and privacy experts expressed general approval.
Not Track' will give people more faith in the Internet," said John M. Simpson
of Consumer Watchdog, a nonprofit public interest group. "That will be a
win-win for business and consumers."
significant fraction of the data collected online involves purchases made with
credit cards, but credit card customers -- and all Americans -- would come into
contact with the new rules every time they go online and every time they
migrate from one website to another.
"Americans have enthusiastically migrated more and
more of their lives online," Leibowitz said during a news conference in
Washington, D.C. "As a result, we have had to ask how can consumers
continue to enjoy the riches of a thriving online and mobile marketplace
without surrendering their privacy as the price of admission?"
Show us the credit data
In addition, credit card
account holders already serve as something of a test bed for the regulations.
Under the Fair Credit Reporting Act, credit card customers and anyone applying
for credit must be notified of any personal data that is collected and subsequently
triggers an adverse credit decision -- and they have their right to see the
report and contest such data.
One of the main
recommendations of the FTC's
new report calls for similar transparency of all other personal data collected
online, by cellphone and through other methods. This would include new federal legislation
focused on those data brokers, who would be required to provide consumer access
to information gathered about them and the ability to correct any errors in
should disclose details about their collection and use of consumers'
information, and provide consumers access to the data collected about them,"
Specifically, the agency cited "companies that assemble and evaluate consumer information
for use by creditors, employers, insurance companies, landlords and other entities involved in eligibility decisions affecting consumers." It noted that the Federal Credit Reporting Act already stands as "an important tool that provides consumers with the right to access their own data that has been used to make such decisions, and if it is erroneous, to correct it."
should disclose details about their collection and use of consumers'
information, and provide consumers access to the data collected about them
FTC privacy report
Disclosure, error correction
Under the act, the report pointed out, consumer reporting agencies must "disclose to consumers, upon request, all items in the consumer's file, no matter how or where they are stored, as well as the entities with which the consumer reporting agency shared the information in a consumer's report." When errors are found and reported, the agency generally is required to investigate and correct or delete the erroneous information.
"As more and more consumer data becomes available from a variety of sources, companies are increasingly finding new opportunities to compile, package and sell that information," the FTC said. "In some instances, companies could be compiling and selling this data to those who are making decisions about a consumer's eligibility for credit, insurance, employment and the like."
Importantly, such activities are subject to the Fair Credit Reporting Act, again indicating that credit-related protections already in effect will be serving as a model for some of the new privacy protection recommendations.
The agency also called
on companies to employ consumer privacy protections "at every stage in developing
their products." This includes limited collection and retention of
consumer data, the securing of such data and reasonable efforts to ensure the
accuracy of the data. The agency calls this "privacy by design."
'Big Brother' watchdog over data collection
Of particular significance, the FTC
emphasized that consumers must
have the ability to decide what information is shared about them and with whom.
The main mechanism for this should be an easy-to-use "Do Not Track" option on Web
browsers and websites, the agency said.
This is a hot
issue in the online world.
For one thing,
some business interests prefer to define "Do Not Track" as, "Well,
OK, we can track, but we can't use that particular information to target ads."
No way, Leibowitz said. He said "Do Not Track" means "Do not collect
online data." Period.
many privacy experts.
It would install 'Big Brother' as the watchdog over these practices not only in the online world but in the offline world.
J. Thomas Rosch
meaningful standards will ensure that 'Do Not Track' does not become a weakened 'Do
Not Target' standard ... " said Rainey Reitman, activism director for the
Electronic Frontier Foundation, which works to defend privacy and "freedom"
in the online world. "The issue of 'Do Not Track' versus 'Do Not Target' is
fundamental to online behavioral tracking."
interests, however, say that "Do Not Track/Collect" options, if widely deployed,
would prevent them from collecting information about consumer tastes and habits
and, consequently, would cripple the rapidly growing online advertising
The final report
issued Monday expands on and somewhat revises a preliminary FTC
staff report issued in December 2010. That earlier report generated comments
from 450 groups, companies and individuals, and some of those comments were
incorporated in the final report, the agency said.
vote approving the report was 3-1, with Commissioner J. Thomas Rosch
dissenting. He expressed several concerns, including the possible overreaching
nature of the recommendations.
"If implemented as written, many of the report's
recommendations would instead apply to almost all firms and to most information
collection practices," he wrote in his dissent. "It would install 'Big
Brother' as the watchdog over these practices not only in the online world but
in the offline world."
For the most
part, however, consumer and privacy advocates applauded the report.
Said Reitman of
the Electronic Frontier Foundation: "The final report creates strong
guidelines for protecting consumer privacy choices in the online world."
See related: Agencies release new consumer privacy rights notice forms
Published: March 28, 2012
Three most recent Legal, regulatory, privacy issues stories: