Transcript Consumer Information

Consumer Information
• Federal Trade Commission Act grants
Federal Trade Commission (FTC)
responsibility regarding unfair methods of
competition and unfair or deceptive acts of
practices involving interstate commerce
• At the state level—attorney general in
each state
Federal Trade Commission Act
• 15 USC Section 45a.
– (1) Unfair methods of competition in or affecting
commerce, and unfair or deceptive acts or practices
in or affecting commerce, are hereby declared
unlawful.
– (2) The Commission is hereby empowered and
directed to prevent persons, partnerships, or
corporations….from using unfair methods of
competition in or affecting commerce and unfair or
deceptive acts or practices in or affecting commerce.
FTC and online privacy
• 1996 Workshop Issues
– Role of government—regulation or no
regulation?
– Opt-in versus opt-out
– Consumer access to information held about
them
– Sensitivity of financial and medical information
and protection of children
• 1997 workshop on same areas
FTC standards for online privacy
•
•
•
•
•
Notice/Awareness
Choice/Consent
Access/Participation
Integrity/Security
Enforcement/Redress
FTC’s stand on self-regulation
• Individual reference services—”computerized database
services that are used to locate, identify, or verify the
identity of individuals”—1997 FTC report in favor of self
regulation
• Online Privacy—move toward recommending legislation
– Privacy Online: Report to Congress, 1998—in favor of selfregulation (except regarding children) although only 2% of
websites had privacy policies posted
– Self-Regulation and Privacy Online: A Report to Congress,
1999—pointed to industry initiatives like seal programs
– Advisory Committee on Online Access and Security—Final
Report of the FTC Advisory Committee on Online Access and
Security—no consensus
– Prepared statement in May 2000—self regulation not enough
Online profiling
• Online profiling report to congress, part 1
in June 2000
– Explained the issues of online profiling
• Online profiling report to congress, part 2
in July 2000
– The FTC at that time recommended
legislation
Network Advertising Initiative
• NAI principles, 2000
– Notice—”robust” notice appears at time and place of
data collection, otherwise in privacy policy
– Choice—opt-out approach
– Access—consumers should get reasonable access to
personally identifiable information but no details about
how has to be done
– Security—reasonable efforts to protect profiling data
– No enforcement
FTC from 2000-08
• Return to self-regulation approach—no new
legislation
• Promise of increased enforcement of existing
laws
• “notice-and choice” model
– Long privacy policies no one reads
• “harm-based” approach
– Deal with practices that might cause physical or
economic harm, or ‘unwarranted intrusions in
consumers’ daily lives’
Current FTC
• Proposed framework for protecting
consumer privacy 2010
– Privacy by design
• Companies should incorporate substantive privacy
protections into their practices like data security,
reasonable collection limits, sound retentions
practices and data accuracy
• Companies should maintain comprehensive data
management procedures throughout life cycle of
products and services
More on framework
– Simplified choice
• Companies don’t need to provide choice before
collecting and using data for commonly accepted
practices like product fulfillment
• For practices requiring choice, companies should
offer the choice at a time and in a context in which
the consumer is making a decision about his/her
data
– Greater transparency
• Privacy notices should be clearer and shorter;
• companies should provide reasonable access to
consumer data they maintain
• Companies must provide prominent disclosures
and obtain affirmative express consent before
using consumer data in materially different manner
than claimed when data was collected
• All stakeholders should work to educate
consumers about commercial data privacy
practices
Enforcement Actions
• Toysmart.com
– Went into bankruptcy—sought to sell its database of consumer information
though its privacy policy said it would not disclose information to third parties—
FTC intervened but overruled by bankruptcy court—database was ultimately
destroyed
• ReverseAuction.com
– Took customer information from eBay site and sent spam to the customers
soliciting their business
• Liberty Financial companies
– Didn’t keep personal information about children anonymous
• GeoCities
– Misrepresented purpose for the data it was collecting—sold it to third parties
• Amazon.com
– Altered privacy policy, but FTC saw no need for enforcement action
• Sears
– Failed to disclose how much data they were actually collecting through ‘research
software’
• Twitter
– Didn’t keep designated tweets private