FTC: Online Privacy Needs New Approach

In a sweeping report, the Federal Trade Commission called for a stronger approach to protecting online privacy, including a "Do Not Track" mechanism.

The Federal Trade Commission outlined today the beginnings of a new framework to protect online privacy, starting with a "Do Not Track" feature.

The recommendation was included in a sweeping report (PDF), which FTC Chairman Jon Leibowitz said includes concrete guidance for an industry that has failed to properly self-regulate.

"If companies tell consumers what they're doing with their data, consumers can just avoid companies that have data practices they don't like," he said during a conference call with the media. "But many companies are not disclosing their practices. And, even if companies do disclose them, they do so in long, incomprehensible privacy policies and user agreements that consumers don't read, let alone understand."

The commission is not calling for legislation yet, the chairman said, but is making recommendations for best practices.

The report does call however for companies to promote privacy in their products, services and procedures from start to finish, as well as simplified user choice and greater transparency in policy. Part of this should involve a "Do Not Track" mechanism, which could be established either through legislation or "through robust, enforceable self-regulation," the report states. The most practical way to do this would be to provide a setting similar to a persistent cookie on a consumer's browser and conveying that setting to sites that the browser visits, according to the commission.

"A Do Not Track browser setting would serve as an easy, one-stop shop for consumers to express their choices, rather than on a company-by-company or industry-by-industry basis," Leibowitz said. "Microsoft, Google, Mozilla and Apple have already experimented with this, by the way, as has a coalition of companies."

Lisa Sotto, head of the Privacy and Information Management Practice at Hunton & Williams LLP (New York), called the commission's Do Not Track idea "viable."

"People have said that privacy notices are dead," she said. "Privacy notices are not dead at all. The FTC's position is that privacy policies are here to stay, but they must be more effective-they need to be shorter, clearer and ... provided at the time data is collected so consumers can make informed choices."

By focusing on privacy-by-design, employee training and consumer education, the Commission lays the necessary foundation for any companies to successfully deliver on their privacy promises, Jules Polonetsky and Christopher Wolf, co-chairs of the Future of Privacy Forum, said in a joint statement.

"The Commission was widely expected to call for legislation of a Do Not Track mechanism, but wisely left the door open to either legislative or self-regulatory solutions," the two said. "The industry should act quickly to explore and implement a Do Not Track mechanism that both supports responsible advertising practices and enhances consumer controls and choices."