Dear FTC: Privacy Power Trumps Privacy Rules

As it tackles consumer data privacy, the FTC needs to think less about limiting what companies can do, and more about empowering consumers themselves.
The Federal Trade Commission on Monday issued its final report on how businesses should try to protect consumer privacy when handling data that can be linked to a specific consumer or device.

The report, "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers," makes some concessions to the realities of small businesses: It concludes that its proposed framework should not apply to companies collecting (and not transferring) data from fewer than 5,000 consumers a year.

It also exempts companies that take reasonable measures to de-identify data, promise not to re-identify it, and prohibit companies provided with such anonymized data from doing the same.

The report can be expected to shape future legislation and self-regulation efforts. It reiterates support for a law that would require data brokers to allow consumers to access information about them, and support for a data industry hub that would provide information about data collection practices and how to control information gathering.

[ Read FTC Calls For Data Privacy Laws. ]

The report backs compliance with industry-established norms as the yardstick by which regulatory actions will be calibrated. It calls for mobile companies to provide clearer disclosure about how they use consumer information. And it states that the FTC will work with industry groups to implement a Do Not Track system for Web browsers.

The most interesting reading in the report comes from FTC commissioner J. Thomas Rosch's dissent.

"If implemented as written, many of the Report's recommendations would instead apply to almost all firms and to most information collection practices," Rosch warned. "It would install 'Big Brother' as the watchdog over these practices not only in the online world but in the offline world."

Rosch questioned the FTC's support for making online tracking opt-in, noting a recent study that indicated "84% of users polled prefer targeted advertising in exchange for free online content."

This echoed previous testimony offered by Rosch that there's not much evidence consumers want to use Do Not Track or similar technologies.

Rosch argued that large platform providers and ISPs should only be required to get consumer consent for scanning consumer content if the company actually wants to build a profile, and not if it just has the potential to do so.

Rosch allowed that companies with monopoly power or near-monopoly power, like Intel and Google, may have extra obligations that other businesses should not be subject to.

As an antitrust attorney, Rosch is perhaps predisposed to focus on monopoly power. It's a worthy concern, but one I think needs to be approached differently in the information age. Rather than requiring that companies seek permission to gather data, we should be requiring that companies provide consumers with the tools to define privacy for themselves.

What we need is a right to self-help. Rather than attempting to legislate privacy, a term that means different things to different people, the FTC should require that companies disclose their information-collection practices and provide consumers with the ability to deny such collection. We need transparency combined with optional opacity.

We're already most of the way there on the Web. If you want to avoid being tracked online, you can already do so, Google's recent circumvention of Safari settings notwithstanding. You can operate your browser in privacy mode and you can install plug-ins to filter cookies, ads, and pretty much everything else.

Where consumers need help is on mobile devices. Consumers should have the right to run whatever browser and to install any lawful software they choose on their mobile devices. For platforms like iOS, where Apple approves all software, that would mean rejections could only be based on technical criteria, like instability, insecurity, or illegality, and not on competitive or content-based criteria. Companies' unsavory tracking practices would not matter if consumers were presented with adequate disclosures and had the option to install or implement countermeasures.

This could be extended to ISPs, such that they would be required to offer an IP-address concealment option, with provisions to make that data available only for recognized legal or security reasons.

Privacy advocates have long focused on principles of notice and consent. To that list, add control. When you have control over the information you broadcast online, you have all the privacy you want or don't want. And businesses will be able to respond accordingly: If you block ads, for example, you may have more privacy but less access to websites. The market for privacy would thus be less distorted.

In this interactive virtual event from Dr. Dobb's, Developing With HTML5, top business technologists, experts, and solution providers will discuss the present and future of HTML5 as a Web- and mobile-development platform. When you register, you will gain access to live webcast presentations and virtual booths packed with free resources. It happens April 12. (Free registration required.)