The pace of privacy activity in Washington has increased markedly during the past few months. An event that would have produced a splash last year now creates only ripples. A case in point is the May release of the Federal Trade Commission’s new report on online privacy.
The main conclusion of the report is that privacy self-regulation is not working adequately, and the FTC endorsed legislation. The FTC’s conclusion is a disappointment to self-regulation advocates. Privacy advocates liked the FTC’s pronouncement on the failures of self-regulation, but other parts were not as well-received.
The report drew a stinging and well-written dissent from Republican commissioner Orson Swindle. He excoriated just about everything in the majority report, including the failure to recognize progress in self-regulation, the interpretation of statistics on Web site compliance with fair information practices and the lack of consideration of the costs. I don’t agree much with Swindle, but he raised some good points.
If you hate the report, you will love Swindle’s dissent. While you read it, you can ponder the possibility that George W. Bush, as president, would name Swindle chairman of the FTC next year. If Bush wins the election and if Swindle becomes chairman, the FTC may disappear from the privacy radar screen quickly.
The other Republican commissioner also dissented in part, but he concurred in part. Thomas Leary found that the report was both too broad and too narrow. It was too broad because he favors requiring notice alone rather than what the FTC called fair information practices. It was too narrow because he thinks any legislation should apply to the offline world as well.
Simple Notice Requirement
If I had to accept without change one of the three positions advocated by commissioners, it would be Leary’s. A simple notice requirement is better than the FTC’s lousy redefinition of fair information practices. Leary is also right about the need for offline coverage of privacy rules.
Is Leary too extreme for a Republican? Don’t bet on it. The Republicans are rapidly moving to the left on privacy matters. Sen. Richard Shelby, R-AL, the man who changed the Drivers Privacy Protection Act from opt out to opt in, is being joined by others.
Don’t wait for George W. to bail you out. He said in an article in The Wall Street Journal that companies must seek express permission from consumers before passing information on to others. I wonder how that statement went over at the Direct Marketing Association.
I am amused by both dissents, but I am unhappy with some of the majority report. First, the FTC continues to push its own rump version of fair information practices. My biggest objection is to its redefinition of the principle of finality. Fair information practices call for limits defined in advance on how information can be used and disclosed.
The FTC takes this principle of finality and waters it down into choice. The redefined principle states, roughly, that a business can do just about anything it wants with consumer information, as long as it gives consumers a chance to object in some fashion.
The FTC wraps itself in the flag of fair information practices and cites its long and influential history. However, it does not own up to that it has restated some major elements and ignored others.
My second objection is to the FTC’s enforcement proposal. The report does not directly recommend an expansion of the FTC’s authority. Oh, no. It just recommends that regulatory authority be given to “some” agency. It must just be a coincidence that the scope of the FTC’s recommendations matches exactly with its traditional jurisdiction.
The legislation proposes a basic level of privacy protection for all visitors to consumer-oriented commercial Web sites. Governmental, noncommercial and nonprofit activity also can violate privacy, but if a privacy concern does not coincide with the FTC’s natural jurisdiction, then the FTC does not care. It does, however, seem interested in protecting its turf.
To make matters worse, the FTC wants to be the only enforcer of the law. Under the proposal, individuals would have weak protections and no way to enforce them directly through a private right of action. The FTC’s enforcement proposal might undermine some existing remedies and could make individuals worse off.
I wouldn’t object to FTC enforcement if it actually used its existing authority. The number of privacy cases taken up by the FTC is less than a handful. It has only been willing to take easy cases or to announce investigations for press consumption. The FTC should have decided dozens of privacy cases by now, and it isn’t even close.
As part of the Safe Harbor discussion with the European Union, the FTC promised to give priority to privacy complaints from foreigners. Maybe we need legislation to make the FTC pay attention to American complaints.
In the end, I don’t think the FTC’s recommendations will matter. The privacy issue is moving away from the center, and the FTC has positioned itself on the wrong side and at the wrong time.
Why did the business community reject the FTC proposals? That’s a good question. The FTC’s weak privacy legislation would allow business to continue to exploit consumer information with few barriers and no effective remedies for consumers. Anyone who thinks business will get a better deal from Congress needs to have a chat with Shelby and some of his colleagues.