Mar 26, 2012 (11:03 AM EDT)
FTC Calls For Data Privacy Laws

Read the Original Article at InformationWeek

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
The Federal Trade Commission issued a report Monday that was two years in the making, calling on Congress to pass data privacy legislation and on the private sector to do more to ensure the privacy of consumer data and the control that consumers have over use of that data.

The 73-page report, "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers," does not mandate action on data privacy. However, it does provide a series of best-practice guidelines, calls for Congressional action, and pushes for a robust "do not track" program to allow consumers to opt out of online advertising that tracks user behavior online.

In a press conference coinciding with the report's release, FTC commissioner John Leibowitz said that the FTC doesn't endorse a particular piece of legislation, but "endorse[s] the notion of it," including legislation that tackles data privacy in general as well as the operations of data brokers, which are the companies that collect and traffic in consumer data.

[ When it comes to privacy, we're our own worst enemy. See Google's Privacy Invasion: It's Your Faul. ]

More specifically, for example, the FTC wants the new laws to, among other things, "provide consumers with access to information about them held by a data broker." These disclosures should be "meaningful," Leibowitz said. In addition to its call for legislation, the FTC is holding a workshop on data transparency later this year, and is asking the data broker industry to set up a centralized website where consumers can go to get information on data brokers' practices.

The FTC's report follows close on the heels of the February announcements of the Obama administration's Consumer Privacy Bill of Rights, which also call for consumer privacy legislation, and advertiser endorsement of the browser-based do-not-track effort, which would allow users to opt out of ads that track online behavior.

The new FTC report emphatically supports that do-not-track work. "We will continue working with [industry] until all consumers have an option not to be tracked," Leibowitz said. "Your computer [is] your property, and people shouldn't put things in it without your consent."

He predicted that the technology would be ready by the end of the year, and that if companies don't buy in, Congress might move forward with legislation for do not track. For now, however, he said that a do-not-track law might not be necessary if enough advertisers and technology companies buy into the need. "We need a Do Not Track option that's persistent, that's easy to use, and that's effective," he said, adding that the Digital Advertising Alliance and the Worldwide Web Consortium are working hard to make that option a reality.

The report also stressed the need for mobile privacy, especially privacy of mobile device users' geolocation data. The FTC will be holding a mobile privacy workshop on May 30.

Not all of the FTC's leadership bought into the report, which built on a draft report issued in December 2010. Commissioner Thomas Rosch argued that the report's framework focuses too much on "unfair" practices rather than on deceptive practices and might apply too broadly. He also complained that the report's language suggests that its recommendations are more mandatory than voluntary.

The biggest threat to your company's most sensitive data may be the employee who has legitimate access to corporate databases but less-than-legitimate intentions. Follow our advice in our Defend Data From Malicious Insiders report to mitigate the risk. (Free registration required.)