The FTC's New Privacy PositionOn Oct. 4, the new chairman of the Federal Trade Commission announced that he would not support new privacy legislation, but rather would intensify the FTC's enforcement of existing laws. In making this statement, chairman Timothy J. Muris reversed the FTC's 2000 recommendation to Congress that it enact a general privacy law.
While this policy change at first blush may appear favorable to industry, a close look at Muris' reasons underlying his position, and the implications of having no legislation at all, reveals otherwise.
Muris said he did not favor new privacy legislation for several reasons. First, he commented, "It is too soon to conclude that we can fashion workable legislation" to address consumer concerns about the collection and use of personal information. Second, he contended that the financial industry's compliance with the Gramm-Leach-Bliley Act resulted in "a blizzard of barely comprehensible privacy notices" that have been characterized as "creating a 'digital mattress tag.' " Third, he expressed hesitation at enacting privacy legislation that would apply only in the online context. Last, he noted the slowing of the growth of the Internet and expressed the need for a more detailed cost/benefit analysis of new privacy legislation in the online context.
"Virginia, there is no privacy law." In the absence of a general privacy law to guide marketers in their data collection and use practices, industry will continue to feel its way in the dark, risking liability at each wrong turn. Many of the privacy-related regulatory enforcement actions and private lawsuits to date have resulted from online marketers engaging in activities that until recently have been considered "business as usual," and in some cases, pursuant to legal mandate.
And what about the online/offline privacy debate? Will Muris' position on no new legislation today result in a law tomorrow that covers all data, online and offline? The list industry is well advised to make sure that this never comes to fruition.
These competing interests have placed online marketers in a schizophrenic state, resulting in privacy policies that are written by lawyers for lawyers. In the end, what was intended to help consumers understand a marketer's data collection and use policies has resulted in barely understandable notices that no one reads anyway.
The chairman's revised FTC agenda also includes the scrutiny of products touting privacy or security features, to ensure that sellers that offer such features deliver on their promises of increased privacy or security.
Enforcement of existing sectoral laws. Muris gives a mixed message on the enforcement of existing sectoral privacy statutes. He indicated that efforts to enforce the Children's Online Privacy Protection Act would continue, though he was highly critical of the Gramm-Leach-Bliley Act. He said that the privacy notices issued under the GLB Act "should give everyone pause about whether we know enough to implement effectively broad-based legislation based on notices." The chairman's GLB agenda entails the scheduling of an information workshop; no mention of enforcement of this privacy statute was made other than in the context of combating "pretexting" (obtaining personal financial information about a customer by posing as the customer).
Telemarketing. Muris indicated that the FTC's current focus on telemarketing as a fraud issue would be expanded to include consumer privacy as well. He recommended an amendment to the Telemarketing Rule that would establish a federal "one-stop do-not-call" list. While current federal law requires telemarketing firms to create and maintain their own internal do-not-call lists and some states require firms to subscribe to state-run lists, Muris' proposal would create a single national registry.
This proposal, while well-intentioned, has been considered and defeated in past governmental rule makings. As many professionals in the telemarketing industry know, the Federal Communications Commission considered and rejected a national DNC list when it promulgated rules pursuant to the telephone Consumer Protection Act of 1991. A national DNC list is problematic for other reasons, such as companies sending en masse the names of their customers to a national DNC center so that their competitors are unable to contact them.
Industry-driven initiatives. The chairman's presentation included statements supportive of industry efforts on privacy issues, including the U.S.-European Union "safe harbor" program and efforts to encourage Internet sites to post privacy policies.
While Muris' position on general privacy legislation may come as a relief to many in the marketing industry, companies are well advised to not just sit back and breath a sigh of relief. Instead, the challenges become greater than they were before. In addition to the privacy quagmire remaining murky, the FTC will no doubt increase its enforcement initiatives to cover not just online data collection and use practices, but also telemarketing and other marketing channels.