Federal agencies have taken signiﬁcant steps to improve consumer privacy as well. For its part, since
issuing the preliminary staﬀ report, the FTC has resolved seven data security cases,
obtained orders against
Google, Facebook, and online ad networks,
and challenged practices that violate sector-speciﬁc privacy
laws like the Fair Credit Reporting Act (“FCRA”) and COPPA.
The Commission has also proposed
amendments to the COPPA Rule to address changes in technology. The comment period on the Proposed
Rulemaking ran through December 23, 2011, and the Commission is currently reviewing the comments
Additionally, the Commission has hosted public workshops on discrete privacy issues such as
child identity theft and the use of facial recognition technology.
Other federal agencies have also begun examining privacy issues. In 2011, the Federal Communications
Commission (“FCC”) hosted a public forum to address privacy concerns associated with location-
The Department of Health and Human Services (“HHS”) hosted a forum on medical
identity theft, developed a model privacy notice for personal health records,
and is developing legislative
recommendations on privacy and security for such personal health records. In addition, HHS recently
launched an initiative to identify privacy and security best practices for using mobile devices in health care
20 See In the Matter of Upromise, Inc., FTC File No. 102 3116 (Jan. 18, 2012) (proposed consent order), available at http://www.
ftc.gov/os/caselist/1023116/index.shtm; In the Matter of ACRAnet, Inc., FTC Docket No. C-4331 (Aug. 17, 2011) (consent
order), available at http://www.ftc.gov/os/caselist/0923088/index.shtm; In the Matter of SettlementOne Credit Corp., FTC
Docket No. C-4330 (Aug. 17, 2011) (consent order), available at http://www.ftc.gov/os/caselist/0823208/index.shtm; In
the Matter of Ceridian Corp., FTC Docket No. C-4325 (June 8, 2011) (consent order), available at http://www.ftc.gov/os/
caselist/1023160/index.shtm; In the Matter of Lookout Servs., Inc., FTC Docket No. C-4326 (June 15, 2011) (consent order),
available at http://www.ftc.gov/os/caselist/1023076/index.shtm; In the Matter of Twitter, Inc., FTC Docket No. C-4316 (Mar.
2, 2011) (consent order), available at http://www.ftc.gov/os/caselist/0923093/index.shtm; In the Matter of Fajilan & Assocs.,
Inc., FTC Docket No. C-4332 (Aug. 17, 2011) (consent order), available at http://www.ftc.gov/os/caselist/0923089/index.
21 See In the Matter of Google, Inc., FTC Docket No. C-4336 (Oct. 13, 2011) (consent order), available at http://www.ftc.gov/
os/caselist/1023136/index.shtm (requiring company to implement privacy program subject to independent third-party audit);
In the Matter of Facebook, Inc., FTC File No. 092 3184 (Nov. 29, 2011) (proposed consent order), available at http://www.
ftc.gov/os/caselist/0923184/index.shtm (requiring company to implement privacy program subject to independent third-
party audit); In the Matter of Chitika, Inc., FTC Docket No. C-4324 (June 7, 2011) (consent order), available at http://
www.ftc.gov/os/caselist/1023087/index.shtm (requiring company’s behavioral advertising opt out to last for ﬁve years); In
the Matter of ScanScout, Inc., FTC Docket No. C-4344 (Dec. 14, 2011) (consent order), available at http://www.ftc.gov/os/
caselist/1023185/index.shtm (requiring company to improve disclosure of its data collection practices and oﬀer consumers a
user-friendly opt out mechanism).
22 Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; COPPA Rule, 16 C.F.R. Part 312; see also, e.g., United States v. W3
Innovations, LLC, No. CV-11-03958 (N.D. Cal. Sept. 8, 2011) (COPPA consent decree); United States v. Teletrack, Inc., No.
1 11-CV-2060 (N.D. Ga. ﬁled June 24, 2011) (FCRA consent decree); United States v. Playdom, Inc., No. SACV-11-00724-
AG (ANx) (C.D. Cal. May 24, 2011) (COPPA consent decree).
23 See Press Release, FTC Extends Deadline for Comments on Proposed Amendments to the Children’s Online Privacy
Protection Rule Until December 23 (Nov. 18, 2011), available at http://www.ftc.gov/opa/2011/11/coppa.shtm.
24 See FCC Workshop, Helping Consumers Harness the Potential of Location-Based Services (June 28, 2011), available at http://
25 See The Oﬃce of the National Coordinator for Health Information Technology, Personal Health Record (PHR) Model
Privacy Notice, http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__draft_phr_model_notice/1176.
26 See HHS Workshop, Mobile Devices Roundtable: Safeguarding Health Information, available at http://healthit.hhs.gov/portal/
The private sector has taken steps to enhance user privacy and security as well. For example, Google and
Facebook have improved authentication mechanisms to give users stronger protection against compromised
Also, privacy-enhancing technologies such as the HTTPS Everywhere browser add-on have
given users additional tools to encrypt their information in transit.
On the mobile front, the Mobile
This document provides guidance
on privacy principles for application (“app”) developers and discusses how to inform consumers about the
collection and use of their data. Despite these developments, as explained below, industry still has more
work to do to promote consumer privacy.
III. MAIN THEMES FROM COMMENTERS
The more than 450 comments ﬁled in response to the preliminary staﬀ report addressed three
overarching issues: how privacy harms should be articulated; the value of global interoperability of diﬀerent
privacy regimes; and the desirability of baseline privacy legislation to augment self-regulatory eﬀorts. Those
comments, and the Commission’s analysis, are discussed below.
A. ARTICULATION OF PRIVACY HARMS
There was broad consensus among commenters that consumers need basic privacy protections for
their personal information. This is true particularly in light of the complexity of the current personal data
ecosystem. Some commenters also stated that the Commission should recognize a broader set of privacy
harms than those involving physical and economic injury.
For example, one commenter cited complaints
from consumers who had been surreptitiously tracked and targeted with prescription drug oﬀers and other
health-related materials regarding sensitive medical conditions.
At the same time, some commenters questioned whether the costs of broader privacy protections were
justiﬁed by the anticipated beneﬁts.
Relatedly, many commenters raised concerns about how wider privacy
protections would aﬀect innovation and the ability to oﬀer consumers beneﬁcial new products and services.
27 See Advanced Sign-In Security For Your Google Account, Google Official Blog (Feb. 10, 2011, 11:30 AM), http://
html; Andrew Song, Introducing Login Approvals, Facebook Blog (May 12, 2011, 9:58 AM), http://www.facebook.com/
28 See HTTPS Everywhere, Electronic Frontier Foundation, https://www.eff.org/https-everywhere.
Mobile Apps (Jan. 25, 2012), available at http://mmaglobal.com/news/mobile-marketing-association -releases-ﬁnal-privacy-
30 See Comment of TRUSTe, cmt. #00450, at 3; Comment of Berlin Commissioner for Data Protection & Freedom of Information,
cmt. #00484, at 1.
31 See Comment of Patient Privacy Rights, cmt. #00470, at 2
32 See Comment of Technology Policy Institute, cmt. #00301, at 5-8; Comment of Experian, cmt. #00398, at 9-11; Comment of
Global Privacy Alliance, cmt. #00367, at 6-7.
33 See Comment of Facebook, Inc., cmt. #00413, at 1-2, 7-8; Comment of Google, Inc., cmt. #00417, at 4; Comment of Global
Privacy Alliance, cmt. #00367, at 16.
The Commission agrees that the range of privacy-related harms is more expansive than economic or
physical harm or unwarranted intrusions and that any privacy framework should recognize additional harms
that might arise from unanticipated uses of data. These harms may include the unexpected revelation
of previously private information, including both sensitive information (e.g., health information, precise
geolocation information) and less sensitive information (e.g., purchase history, employment history) to
unauthorized third parties.
As one example, in the Commission’s case against Google, the complaint
alleged that Google used the information of consumers who signed up for Gmail to populate a new social
network, Google Buzz.
The creation of that social network in some cases revealed previously private
information about Gmail users’ most frequent email contacts. Similarly, the Commission’s complaint against
Facebook alleged that Facebook’s sharing of users’ personal information beyond their privacy settings was
Like these enforcement actions, a privacy framework should address practices that unexpectedly
reveal previously private information even absent physical or ﬁnancial harm, or unwarranted intrusions.
In terms of weighing costs and beneﬁts, although it recognizes that imposing new privacy protections
will not be costless, the Commission believes doing so not only will help consumers but also will beneﬁt
businesses by building consumer trust in the marketplace. Businesses frequently acknowledge the
importance of consumer trust to the growth of digital commerce
and surveys support this view. For
34 One former FTC Chairman, in analyzing a spyware case, emphasized that consumers should have control over what is on
their computers. Chairman Majoras issued the following statement in connection with the Commission’s settlement against
Sony BMG resolving claims about the company’s installation of invasive tracking software: “Consumers’ computers belong to
them, and companies must adequately disclose unexpected limitations on the customary use of their products so consumers
can make informed decisions regarding whether to purchase and install that content.” Press Release, FTC, Sony BMG
Settles FTC Charges (Jan. 30, 2007), available at http://www.ftc.gov/opa/2007/01/sony.shtm; see also Walt Mossberg, Despite
Others’ Claims, Tracking Cookies Fit My Spyware Deﬁnition, AllThingsD (July 14, 2005, 12:01 AM), http://allthingsd.
com/20050714/tracking-cookies/ (“Suppose you bought a TV set that included a component to track what you watched, and
then reported that data back to a company that used or sold it for advertising purposes. Only nobody told you the tracking
technology was there or asked your permission to use it. You would likely be outraged at this violation of privacy. Yet that
kind of Big Brother intrusion goes on everyday on the Internet . . . [with tracking cookies].”).
35 See In re Google Inc., FTC Docket No. C-4336 (Oct. 13, 2011) (consent order), available at http://www.ftc.gov/os/caselist/10
36 See In re Facebook, Inc., FTC File No. 092 3184 (Nov. 29, 2011) (proposed consent order), available at http://www.ftc.gov/os/
37 Although the complaint against Google alleged that the company used deceptive tactics and violated its own privacy promises
when it launched Google Buzz, even in the absence of such misrepresentations, revealing previously-private consumer data
could cause consumer harm. See Press Release, FTC, FTC Charges Deceptive Privacy Practices in Google’s Rollout of its Buzz
Social Network (Mar. 30, 2011), available at http://www.ftc.gov/opa/2011/03/google.shtm (noting that in response to the
Buzz launch, Google received thousands of complaints from consumers who were concerned about public disclosure of their
email contacts which included, in some cases, ex-spouses, patients, students, employers, or competitors).
38 See, e.g., Statement of John M. Montgomery, GroupM Interaction, The State of Online Consumer Privacy: Hearing Before
the S. Comm. on Commerce, Sci., and Transp., 112th Cong. (Mar. 16, 2011), available at http://www.iab.net/media/ﬁle/
DC1DOCS1-432016-v1-John_Montgomery_-_Written_Testimony.pdf (“We at GroupM strongly believe in protecting
consumer privacy. It is not only the right thing to do, but it is also good for business.”); Statement of Alan Davidson,
Director of Public Policy, Google Inc., Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy:
Hearing Before the S. Subcomm. on Privacy, Tech., and the Law, 112th Cong. (May 10, 2011), available at http://www.
judiciary.senate.gov/pdf/11-5-10%20Davidson%20Testimony.pdf (“Protecting privacy and security is essential for Internet
example, in the online behavioral advertising area, a recent survey shows that consumers feel better about
brands that give them transparency and control over advertisements.
Companies oﬀering consumers information about behavioral advertising and the tools to opt out of
it have also found increased customer engagement. In its comment, Google noted that visitors to its Ads
Preference Manager are far more likely to edit their interest settings and remain opted in rather than to
Similarly, another commenter conducted a study showing that making its customers aware of
its privacy and data security principles – including restricting the sharing of customer data, increasing
the transparency of data practices, and providing access to the consumer data it maintains – signiﬁcantly
increased customer trust in its company.
In addition, some companies appear to be competing on privacy. For example, one company oﬀers
an Internet search service that it promotes as being far more privacy-sensitive than other search engines.
Similarly, in response to Google’s decision to change its privacy policies to allow tracking of consumers across
diﬀerent Google products, Microsoft encouraged consumers to switch to Microsoft’s more privacy-protective
products and services.
The privacy framework is designed to be ﬂexible to permit and encourage innovation. Companies can
implement the privacy protections of the framework in a way that is proportional to the nature, sensitivity,
and amount of data collected as well as to the size of the business at issue. For example, the framework does
not include rigid provisions such as speciﬁc disclosures or mandatory data retention and destruction periods.
And, as discussed below, the framework streamlines communications for businesses and consumers alike by
requiring consumer choice mechanisms only for data practices that are inconsistent with the context of a
particular transaction or the business relationship with the consumer.
B. GLOBAL INTEROPERABILITY
Reﬂecting diﬀering legal, policy, and constitutional regimes, privacy frameworks around the world vary
considerably. Many commenters cited the value to both consumers and businesses of promoting more
consistent and interoperable approaches to protecting consumer privacy internationally. These commenters
stated that consistency between diﬀerent privacy regimes reduces companies’ costs, promotes international
competitiveness, and increases compliance with privacy standards.
39 See RESEARCH: Consumers Feel Better About Brands That Give Them Transparency and Control Over Ads, Evidon Blog (Nov.
10, 2010), http://blog.evidon.com/tag/better-advertising (“when advertisers empower consumers with information and
control over the ads they receive, a majority feels more positive toward those brands, and 36% even become more likely to
purchase from those brands”).
40 See Comment of Google Inc., cmt. #00417, at 4.
41 See Comment of Intuit, Inc., cmt. #00348, at 6-8 (“The more transparent (meaning open, simple and clear) the company is,
the more customer trust increases. . . .”).
43 See Frank X. Shaw, Gone Google? Got Concerns? We Have Alternatives, The Official Microsoft Blog (Feb. 1, 2012, 2:00
44 See infra at Section IV.C.1.a.
45 See Comment of AT&T Inc., cmt. #00420, at 12-13; Comment of IBM, cmt. #00433, at 2; see also Comment of General Electric,
cmt. #00392, at 3 (encouraging international harmonization).
The Commission agrees there is value in greater interoperability among data privacy regimes as
consumer data is increasingly transferred around the world. Meaningful protection for such data requires
convergence on core principles, an ability of legal regimes to work together, and enhanced cross-border
enforcement cooperation. Such interoperability is better for consumers, whose data will be subject to
more consistent protection wherever it travels, and more eﬃcient for businesses by reducing the burdens of
compliance with diﬀering, and sometimes conﬂicting, rules. In short, as the Administration White Paper
notes, global interoperability “will provide more consistent protections for consumers and lower compliance
burdens for companies.”
Eﬀorts underway around the world to re-examine current approaches to protecting consumer privacy
indicate an interest in convergence on overarching principles and a desire to develop greater interoperability.
For example, the Commission’s privacy framework is consistent with the nine privacy principles set forth in
the 2004 Asia-Paciﬁc Economic Cooperation (“APEC”) Privacy Framework. Those principles form the basis
for ongoing APEC work to implement a cross-border privacy rules system to facilitate data transfers among
the 21 APEC member economies, including the United States.
In 2011, the Organization for Economic
Cooperation and Development (“OECD”) issued a report re-examining its seminal 1980 Privacy Guidelines
in light of technological changes over the past thirty years.
Further, the European Commission has recently
proposed legislation updating its 1995 data protection directive and proposed an overhaul of the European
Union approach that focuses on many of the issues raised elsewhere in this report as well as issues relating
to international transfers and interoperability.
These eﬀorts reﬂect a commitment to many of the high-
level principles embodied in the FTC’s framework – increased transparency and consumer control, the need
for privacy protections to be built into basic business practices, and the importance of accountability and
enforcement. They also reﬂect a shared international interest in having systems that work better with each
other, and are thus better for consumers.
46 White House, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in
the Global Digital Economy, ii, Foreword (Feb. 2012), available at http://www.whitehouse.gov/sites/default/ﬁles/privacy-ﬁnal.
47 The nine principles in the APEC Privacy Framework are preventing harm, notice, collection limitations, uses of personal
information, choice, integrity of personal information, security safeguards, access and correction, accountability. Businesses
have developed a code of conduct based on these nine principles and will obtain third-party certiﬁcation of their compliance.
A network of privacy enforcement authorities from participating APEC economies, such as the FTC, will be able to take
enforcement actions against companies that violate their commitments under the code of conduct. See Press Release,
FTC, FTC Welcomes a New Privacy System for the Movement of Consumer Data Between the United States and Other
Economies in the Asia-Paciﬁc Region (Nov. 14, 2011), available at http://www.ftc.gov/opa/2011/11/apec.shtm).
48 See Organization for Economic Co-operation and Development, The Evolving Privacy Landscape: 30 Years after the OECD
Privacy Guidelines (Apr. 2011), available at http://www.oecd.org/dataoecd/22/25/47683378.pdf.
49 European Commission, Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General
Data Protection Regulation) (Jan. 25, 2012), available at http://ec.europa.eu/justice/data-protection/document/review2012/
C. LEGISLATION TO AUGMENT SELF-REGULATORY EFFORTS
Numerous comments, including those from large industry stakeholders, consumer and privacy
advocates, and individual consumers supported some form of baseline privacy legislation that incorporates
Business commenters noted that legislation would help provide legal certainty,
serve as a key
mechanism for building trust among customers,
and provide a way to ﬁll gaps in existing sector-based
Consumer and privacy advocates cited the inability of self-regulation to provide comprehensive
and long-lasting protection for consumers.
One such commenter cited the fact that many self-regulatory
initiatives that arose in response to the Commission’s 2000 recommendation for privacy legislation were
short-lived and failed to provide long-term privacy protections for consumers.
At the same time, a number of commenters raised concerns about government action beyond providing
guidance for self-regulatory programs.
Some cautioned the FTC about taking an approach that might
impede industry’s ability to innovate and develop new products and services in a rapidly changing
marketplace. Others noted that a regulatory approach could lead to picking “winners and losers” among
particular technologies and business models and called for a technology-neutral approach.
also argued that it might be impractical to craft omnibus standards or rules that would apply broadly across
diﬀerent business sectors.
The Commission agrees that, to date, self-regulation has not gone far enough. In most areas, with the
notable exception of eﬀorts surrounding Do Not Track, there has been little self-regulation. For example,
the FTC’s recent survey of mobile apps marketed to children revealed that many of these apps fail to provide
any disclosure about the extent to which they collect and share consumers’ personal data.
50 See, e.g., Comment of eBay, cmt. #00374, at 2; Comment of Intel Corp., cmt. #00246, at 3-7; Comment of Microsoft Corp., cmt.
#00395, at 4; Comment of Intuit, Inc., cmt. #00348, at 13-14; Comment of Center for Democracy & Technology, cmt. #00469,
at 1, 7; Comment of Gregory Byrd, cmt. #00144, at 1; Comment of Ellen Klinefelter, cmt. #00095, at 1.
51 See Comment of Microsoft Corp., cmt. #00395, at 4.
52 See Comment of Intel Corp., cmt. #00246, at 3.
53 See Comment of Intuit, Inc., cmt. #00348, at 13.
54 See Comment of Electronic Privacy Information Center, cmt. #00386, at 2; Comment of World Privacy Forum, cmt. #00376, at
55 See Comment of World Privacy Forum, cmt. #00376, at 2-3, 8-17.
56 See Comment of Consumer Data Industry Ass’n, cmt. #00363, at 4-5; Comment of American Catalog Mailers Ass’n, cmt. #00424,
at 3; Comment of Facebook, Inc., cmt. #00413, at 13-14; Comment of Google Inc., cmt. #00417, at 8; Comment of Verizon,
cmt. #00428, at 2-3, 6-7, 14-17; Comment of Mortgage Bankers Ass’n, cmt. #00308, at 2; Comment of National Cable &
Telecommunications Ass’n, cmt. #00432, at 3, 5, 7-13; Comment of CTIA – The Wireless Ass’n, cmt. #00375, at 15.
57 See Comment of National Cable & Telecommunications Ass’n, cmt. #00432, at 32-37; Comment of USTelecom, cmt. #00411, at
5-7; Comment of Verizon, cmt. #00428, at 4-6; Comment of Direct Marketing Ass’n, Inc., cmt. #00449, at 5-6.
58 See Comment of Consumer Data Industry Ass’n, cmt. #00363, at 4-6; see also Comment of CTIA - The Wireless Ass’n, cmt.
#00375, at 8-11; Comment of Direct Marketing Ass’n, Inc., cmt. #00449, at 13.
59 FTC Staﬀ, Mobile Apps for Kids: Current Privacy Disclosures are Disappointing (Feb. 2012), available at http://www.ftc.gov/
os/2012/02/120216mobile_apps_kids.pdf; FPF Finds Nearly Three-Quarters of Most Downloaded Mobile Apps Lack a Privacy
Policy, Future of Privacy Forum, http://www.futureofprivacy.org/2011/05/12/fpf-ﬁnds-nearly-three-quarters-of-most-
of the data broker industry to establish self-regulatory rules concerning consumer privacy have fallen short.
These examples illustrate that even in some well-established markets, basic privacy concepts like transparency
about the nature of companies’ data practices and meaningful consumer control are absent. This absence
erodes consumer trust.
There is also widespread evidence of data breaches and vulnerabilities related to consumer information.
Published reports indicate that some breaches may have resulted from the unintentional release of consumer
data, for which companies later apologized and took action to address.
Other incidents involved planned
releases or uses of data by companies that ultimately did not occur due to consumer and public backlash.
Still other incidents involved companies’ failure to take reasonable precautions and resulted in FTC consent
decrees. These incidents further undermine consumer trust, which is essential for business growth and
The ongoing and widespread incidents of unauthorized or improper use and sharing of personal
information are evidence of two points. First, companies that do not intend to undermine consumer
privacy simply lack suﬃciently clear standards to operate and innovate while respecting the expectations of
consumers. Second, companies that do seek to cut corners on consumer privacy do not have adequate legal
incentives to curtail such behavior.
To provide clear standards and appropriate incentives to ensure basic privacy protections across all
industry sectors, in addition to reiterating its call for federal data security legislation,
the Commission calls
60 See Comment of Center for Democracy & Technology, cmt. #00469, at 2-3; Comment of World Privacy Forum, cmt. #00376, at
2-3. Discussed more fully infra at Section IV.D.2.a.
61 See Grant Gross, Lawmakers Question Sony, Epsilon on Data Breaches, PC World (June 2, 2011 3:40 PM), available at http://
Silverman, App Privacy: Who’s Uploading Your Contact List?, Houston Chronicle (Feb. 15, 2012 8:10 AM), http://blog.
chron.com/techblog/2012/02/app-privacy-whos-uploading-your-contact-list/; Dan Graziano, Like iOS apps, Android Apps
Can Secretly Access Photos Thanks to Loophole, BGR (Mar. 1, 2012 3:45 PM), http://www.bgr.com/2012/03/01/like-ios-apps-
62 CEO Apologizes After Path Social App Uploads Contact Lists, KMOV.com (Feb. 9, 2012 11:11AM), http://www.kmov.com/
news/consumer/CEO-apologizes-after-Path-uploads-contact-lists--139015729.html; Daisuke Wakabayashi, A Contrite Sony
Vows Tighter Security, Wall St. J. May 1, 2011, available at http://online.wsj.com/article/SB10001424052748704436004576
63 Kevin Parrish, OnStar Changes its Mind About Tracking Vehicles, Tom’s Guide (Sept. 29, 2011 7:30 AM), http://www.
64 Surveys of consumer attitudes towards privacy conducted in the past year are illuminating. For example, a USA Today/Gallup
poll indicated that a majority of the Facebook members or Google users surveyed were “very” or “somewhat concerned”
about their privacy while using these services. Lymari Morales, Google and Facebook Users Skew Young, Aﬄuent, and Educated,
Gallup (Feb. 17, 2011), available at http://www.gallup.com/poll/146159/facebook-google-users-skew-young-aﬄuent-
65 The Commission has long supported federal laws requiring companies to implement reasonable security measures and to
notify consumers in the event of certain security breaches. See, e.g., Prepared Statement of the FTC, Data Security: Hearing
Before the H. Comm. on Energy and Commerce, Subcomm. on Commerce, Manufacturing, and Trade, 112th Cong. (June
15, 2011), available at http://www.ftc.gov/os/testimony/110615datasecurityhouse.pdf; Prepared Statement of the FTC,
Protecting Social Security Numbers From Identity Theft: Hearing Before the Before the H. Comm. on Ways and Means, Subcomm.
on Social Security, 112th Cong. (April 13, 2011), available at http://www.ftc.gov/os/testimony/110411ssn-idtheft.pdf; FTC,
Security in Numbers, SSNs and ID Theft (Dec. 2008), available at http://www.ftc.gov/os/2008/12/P075414ssnreport.pdf;
President’s Identity Theft Task Force, Identity Theft Task Force Report (Sept. 2008), available at http://www.idtheft.gov/reports/
on Congress to consider enacting baseline privacy legislation that is technologically neutral and suﬃciently
ﬂexible to allow companies to continue to innovate. The Commission is prepared to work with Congress
and other stakeholders to craft such legislation.
In their comments, many businesses indicated that they already incorporate the FIPPS into their
practices. For these companies, a legislative mandate should not impose an undue burden and indeed, will
“level the playing ﬁeld” by ensuring that all companies are required to incorporate these principles into their
For those companies that are not already taking consumer privacy into account – either because of
lack of understanding or lack of concern – legislation should provide clear rules of the road. It should
also provide adequate deterrence through the availability of civil penalties and other remedies.
legislation will provide businesses with the certainty they need to understand their obligations and the
incentive to meet those obligations, while providing consumers with conﬁdence that businesses will be
required to respect their privacy. This approach will create an environment that allows businesses to
continue to innovate and consumers to embrace those innovations without sacriﬁcing their privacy.
Commission is prepared to work with Congress and other stakeholders to formulate baseline privacy
While Congress considers such legislation, the Commission urges industry to accelerate the pace of its
self-regulatory measures to implement the Commission’s ﬁnal privacy framework. Over the course of the
next year, Commission staﬀ will promote the framework’s implementation by focusing its policymaking
eﬀorts on ﬁve main action items, which are highlighted here and discussed further throughout the report.
• Do Not Track: As discussed above, industry has made signiﬁcant progress in implementing Do Not
Track. The browser vendors have developed tools that consumers can use to signal that they do not
want to be tracked; the DAA has developed its own icon-based tool and has committed to honor the
browser tools; and the W3C has made substantial progress in creating an international standard for
Do Not Track. However, the work is not done. The Commission will work with these groups to
complete implementation of an easy-to-use, persistent, and eﬀective Do Not Track system.
• Mobile: The Commission calls on companies providing mobile services to work toward improved
privacy protections, including the development of short, meaningful disclosures. To this end, FTC
staﬀ has initiated a project to update its business guidance about online advertising disclosures.
As part of this project, staﬀ will host a workshop on May 30, 2012 and will address, among other
issues, mobile privacy disclosures and how these disclosures can be short, eﬀective, and accessible to
66 Former FTC Chairman Casper “Cap” Weinberger recognized the value of civil penalties as a deterrent to unlawful conduct.
See Hearings on H.R. 14931 and Related Bills before the Subcomm. on Commerce and Finance of the H. Comm. on Interstate
and Foreign Commerce, 91st Cong. 53, 54 (1970) (statement of FTC Chairman Caspar Weinberger); Hearings on S. 2246,
S. 3092, and S. 3201 Before the Consumer Subcomm. of the S. Comm. on Commerce, 91st Cong. 9 (1970) (Letter from FTC
Chairman Caspar W. Weinberger) (forwarding copy of House testimony).
67 With this report, the Commission is not seeking to impose civil penalties for privacy violations under the FTC Act. Rather,
in the event Congress enacts privacy legislation, the Commission believes that such legislation would be more eﬀective if the
FTC were authorized to obtain civil penalties for violations.
68 See Press Release, FTC, FTC Seeks Input to Revising its Guidance to Businesses About Disclosures in Online Advertising
(May 26, 2011), available at http://www.ftc.gov/opa/2011/05/dotcom.shtm.
consumers on small screens. The Commission hopes that the workshop will spur further industry
self-regulation in this area.
• Data Brokers: To address the invisibility of, and consumers’ lack of control over, data brokers’
collection and use of consumer information, the Commission supports targeted legislation – similar
to that contained in several of the data security bills introduced in the 112th Congress – that would
provide consumers with access to information about them held by a data broker.
increase transparency, the Commission calls on data brokers that compile data for marketing
purposes to explore creating a centralized website where data brokers could (1) identify themselves to
consumers and describe how they collect and use consumer data and (2) detail the access rights and
other choices they provide with respect to the consumer data they maintain.
• Large Platform Providers: To the extent that large platforms, such as Internet Service Providers
(“ISPs”), operating systems, browsers, and social media, seek to comprehensively track consumers’
online activities, it raises heightened privacy concerns. To further explore privacy and other issues
related to this type of comprehensive tracking, FTC staﬀ intends to host a public workshop in the
second half of 2012.
• Promoting enforceable self-regulatory codes: The Department of Commerce, with the support
of key industry stakeholders, is undertaking a project to facilitate the development of sector-speciﬁc
codes of conduct. FTC staﬀ will participate in that project. To the extent that strong privacy codes
are developed, the Commission will view adherence to such codes favorably in connection with its
law enforcement work. The Commission will also continue to enforce the FTC Act to take action
against companies that engage in unfair or deceptive practices, including the failure to abide by self-
regulatory programs they join.
69 See Data Accountability and Trust Act, H.R. 1707, 112th Congress (2011); Data Accountability and Trust Act of 2011, H.R.
1841, 112th Congress (2011); Data Security and Breach Notiﬁcation Act of 2011, S. 1207, 112th Congress (2011).