The Federal Trade Commission's final report on online consumer privacy can be summed up thusly: We've made progress but there's still a lot of work to do.
The progress cited by the FTC mostly relates to the work that the tech industry has done in implementing "Do Not Track" protocols for browsers, websites and Web-based advertisements that protect user privacy and give users the ability to control whether or not their data is shared. The remaining work cited by the FTC basically refers to just about everything else.
For those who don't have time to leaf through the FTC's report, here are some quick breakdowns of the commission's five key privacy recommendations and the work that needs to be done to get them implemented.
First: Finish implementing "Do Not Track." The FTC singles out browser developers, the Digital Advertising Alliance and the World Wide Web Consortium (W3C) for pitching in to make Do Not Track protocols a reality. The key work, though, is being done by the W3C, which is building a universal Do Not Track mechanism that can be adopted by all browsers and websites. The FTC says that the W3C has published drafts of Do Not Track standards for both mobile and desktop devices and expects to have a final product ready to go in the coming months. The FTC's role will be to "work with these groups to complete implementation of an easy-to-use, persistent, and effective Do Not Track system."
Second: Make sure mobile users get the same level of privacy protections that desktop users get. With the advent of GPS capabilities on smartphones and mobile applications that exist outside standard browsers, keeping consumers' privacy on the mobile Web is a wee bit trickier than on standard wireline services. The FTC plans to host a workshop at the end of May to address how companies can develop short, easy-to-understand privacy disclosures for mobile websites and applications that give users an accurate picture of what data is being collected from them and how it's being used.
Third: Make a centralized website for data brokers. This one is pretty simple: The FTC wants companies that collect data for marketing information to create one central website that would act as a hub for consumers to learn who has been collecting their data and what they're using it for. The FTC also wants data brokers to publicly disclose "the access rights and other choices they provide with respect to the consumer data they maintain" so users can exert more control over how their data can be used.
Fourth: Take a close look at large platform providers. The FTC apparently believes that large platform providers -- think Google, Facebook, Twitter, Apple, Microsoft and the major wireless carriers -- deserve their own special scrutiny of how they manage user privacy. To that end the FTC is holding yet another workshop sometime in the second half of 2012 "to further explore privacy and other issues related to ... comprehensive tracking" performed by the big-time platform providers.
Fifth: Enroll the big stakeholders in self-regulatory programs. This is basically an attempt to get the major Web and tech companies to abide by a common set of privacy guidelines that both regulators and the public can use to judge the companies' behavior. The FTC says that it will "view adherence to such codes favorably in connection with its law enforcement work" and that it will "also continue to enforce the FTC Act to take action against companies that engage in unfair or deceptive practices, including the failure to abide by self-regulatory programs they join." In other words, the self-regulatory programs are voluntary, but if you sign up for them you'd better comply with them or the FTC will have grounds to go after you for deceptive practices.
If you really want to plow through the whole report, you can access it on the FTC website here: http://www.ftc.gov/opa/2012/03/privacyframework.shtm