Privacy Advocates Pleased by New FTC Agenda

For days, consumer and privacy advocates have been bracing themselves to deal with the details of the new Federal Trade Commission (FTC) privacy agenda, which was widely expected to roll back the perceived privacy-friendly agenda of the commission under the Clinton Administration. But those advocates expressed much praise and few gripes after Chairman Timothy J. Muris laid out the commission’s new privacy agenda at the 2001 Privacy Conference in Cleveland, Ohio Thursday.

“Broadly, I’m mostly very pleased with what Chairman Muris has delivered,” said Jason Catlett, president of privacy advocacy firm Junkbusters Corp. and Fellow of the Kennedy School of Government at Harvard University.

Catlett added, “By the standards of the FTC’s two decades of timid consumer protection, Chairman Muris’ agenda represents a substantial improvement. Muris has taken on several long-overdue items, such as pretexting, on which his fellow commissioner Orson Swindle had voted against enforcement action. In proposing a national Do-not Call list, Muris is catching up with Congress’ plainly stated intent in the TCPA of 1991. His promised actions against deceptive spammers should have started at the FTC five years ago.”

Those thoughts were echoed by other privacy advocates.

“Overall, I think it’s a good start,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC).

Jim Harper, editor of the privacy Web site Privacilla.org, added, “The FTC’s privacy agenda is truer to the concerns of American consumers than what we have seen before. By helping consumers discover and recover from identity fraud, the FTC will allay a primary concern with the modern marketplace. Enforcing privacy promises without dictating them will put consumers in a position to protect privacy on terms they choose.”

The Agenda
Muris said the FTC plans to increase the resources it dedicates to privacy protection by 50 percent and presented an enforcement plan that will involve “every division of the Bureau of Consumer Protection and increase the resources devoted to privacy issues substantially.”

The new privacy agenda’s law enforcement and education initiatives include:

• The creation of a national Do-Not-Call List to give consumers a more efficient way to prevent unwanted calls from telemarketers
• Beefing up enforcement against deceptive spam
• Helping victims of Identity Theft by using data collected from consumers to spot patterns and help law enforcement agencies prosecute perpetrators; as part of this initiative, the FTC will release a universal fraud affidavit that victims of ID theft can submit when fraudulent accounts are opened in their names
• Putting a stop to Pretexting, the practice of fraudulently obtaining personal financial information like account numbers and balances, usually by calling banks under the pretext of being a customer
• Encouraging accuracy in credit reporting and compliance with the Fair Credit Reporting Act
• Enforcing privacy promises made by companies, whether online or offline
• Increasing enforcement and outreach on the Children’s Online Privacy Protection Act of 1998
• Development of a “substantial” consumer awareness campaign to let consumers know that they should report privacy-related complaints to the FTC
• Enforcing the Telemarketing Sales Rule, especially provisions about harassing calls and the hours during which calls are allowed
• Restricting the use of pre-acquired account information
• Enforcing the Gramm-Leach-Bliley Act of 1999, which requires financial institutions to provide privacy notices to consumers
• Holding workshops to explore the privacy implications of new and emerging technologies.

“Initially, the agency’s privacy program was focused primarily on the Internet, and on what information Web sites collect and use,” Muris said in his speech. “This was appropriate when the Internet boom was just beginning. Consumers, surfing from the privacy of their homes, may have felt anonymous. This focus, as important as it is, does not address privacy concerns raised by offline information practices and the rapid convergence of online and offline information systems. The threat of identity theft, for example, is a real threat whether the thief steals the information from an online Web site with a list credit card numbers or from a consumer’s mailbox.”

New Legislation?
But while advocates generally had praise for Muris’ stance, they were also concerned by his not-unexpected hesitancy regarding online privacy legislation.

In his speech, Muris said, “I have learned that there are clearly good arguments for such legislation: online privacy legislation could increase consumer confidence in the Internet by establishing a clear set of rules about how personal information is collected and used. Moreover, federal legislation could help ensure consistent regulation of collection practices across the 50 states.

“These are desirable goals. Nevertheless, it is too soon to conclude that we can fashion workable legislation to accomplish these goals. We need to develop better information about how such legislation would work and the costs and benefits it would generate.”

Muris argued that legislating broad-based privacy protections is exceedingly difficult, using the example of the Gramm-Leach-Bliley Act — which he referred to as “barely comprehensible privacy notices” — as an example. He also said it makes little sense to limit legislation to online practices only, saying that all avenues of commerce should be held to the same set of rules, regardless of the medium used to deliver it. Additionally, he raised concerns about the costs to businesses of compliance to privacy legislation and suggested further study was needed.

“The only thing we have a problem with are his conclusions on legislation,” said Sarah Andrews, research director for EPIC. Andrews noted that there is still no legislation that requires companies to post privacy policies on their Web sites, which she indicated took much of the steam out of the FTC’s goal of enforcing privacy promises made by businesses. As to the issue of costs incurred by companies’ compliance with privacy legislation, Andrews said, “There is no weight of evidence behind that.” She explained that many of the studies which found that businesses would be forced to shoulder an undue burden if required to adhere to government mandated privacy policies did not take into account the costs of not protecting consumer privacy.

Catlett added that the studies also assumed each company would be forced to build its own privacy compliance application. “That’s not really how this market works,” he said.

But Catlett also noted that in his role as chairman of the FTC, Muris is not a lawmaker. He said Muris’ views are unlikely to sway the opinions of many members of Congress who have already decided that privacy legislation is indeed necessary.

“Muris did not address the more recent privacy issues, such as opt-in for email marketing, profiling by banner ad companies, or Microsoft’s Passport and other identity services,” Catlett said. “His opinion that new privacy rights are not currently needed is disappointing, and is another example of how he is still lagging behind the prevailing sentiments of lawmakers and the majority of Americans.”

However, Catlett also pointed out that it is understandable that Muris is going after older issues first.