Mobile Privacy, Do Not Track, Privacy Policy Report Are Priorities for FTC, Brill Says

Such a law would establish “clearer rules of the road for industry as well as consumers,” Brill said. There’s no federal requirement that online entities collecting information from consumers must have a privacy policy or must disclose to consumers that they are collecting information, she said. “That, I think, would be helpful to everybody,” Brill said. “If the rules of the road were clearer, and there was baseline privacy legislation,” then bad actors, employing theoretical “worst practices,” wouldn’t be able to exist, and industry members who want guidance would have a resource, she said. The privacy policies in place are “opaque” and “very difficult for consumers to understand,” she said: This is a “big issue” for the FTC, and the agency will be issuing a report on privacy disclosures “fairly soon."

Brill wonders if data protection laws, such as the Fair Credit Reporting Act (FCRA) and the Health Insurance Portability and Accountability Act, are “robust enough to cover all of the activity that is taking place” online regarding data collection, she said: “Congress should be thinking about” how online data are collected and used to influence consumers’ credit, insurance, employment and housing -- all of which fall under FCRA -- and health information, which is only protected if held by healthcare providers and businesses. With data brokers building online profiles of users that can’t be accessed or corrected, consumers might see certain offers or information, such as for subprime mortgages, she said. “There’s a lot of transparency that needs to be provided.” The FTC has enforced these laws against mobile apps “that were essentially acting like credit reporting agencies” and will continue to do so, Brill said. The FCRA is “not a sector-based law, it’s a use-based law,” she said. Brill encouraged app developers to “go out, go forth, be innovative,” but be aware that “there are laws that apply."

Brill said she’s “somewhat optimistic” that a DNT option can be handled through self regulation and was hesitant to set a deadline as to when that might be. The World Wide Web Consortium (W3C) has “very robust discussions going on” about DNT, but “the devil is in the details,” she said. Brill is waiting for a browser-based DNT option which would allow users to opt out through their browsers rather than having to opt out from tracking through individual websites, she said. “That’s the step that we're really working to get launched.” Though Brill was “not ready, personally, to set a deadline,” she said consumer demand for a DNT option will impose a deadline. “Congress will be very interested in this. Those are the kinds of pressures that industry is currently responding to,” she said. For now, “the conversations are moving in the right direction and getting closer” to a solution, Brill said. Along with data brokers and the mobile app space -- including mobile payments -- DNT will be a focus for the FTC, she said.

The public policy realm should get involved with the W3C in its DNT discussions, said Daniel Weitzner, principal research scientist at MIT’s Computer Science and Artificial Intelligence Laboratory and former White House chief technology officer, who spoke later. Because W3C is a voluntary standard-setting body, “the public policy process is going to have to help,” he said. “We would at least be on the road to a working system,” he said, even if that system is just that “when users click a button, they get a result. We can argue about that result later.”