Q&A: What the FTC recommendations mean for online privacy

An interview with Christopher Wolf of the Future of Privacy Forum

Future of Privacy Forum co-chair Christopher Wolf answers questions about privacy "self-regulations," centralized data broker websites and more.

The Federal Trade Commission this week released its final report on online consumer privacy that recommended implementing a universal "Do Not Track" standard, a centralized website for data brokers and more.

Christopher Wolf, the director of information management practice at the Hogen Lovells law firm and the co-chairman of the Future of Privacy Forum, thinks that the FTC hit most of the right notes in crafting its policy, as it will rely on a flexible "self-regulation" regime that subjects web companies to FTC enforcements if they agree to sign on to privacy rules created by the FTC and industry leaders. In this question-and-answer session we'll talk with Wolf about how "self-regulation" might work, what a centralized data broker information site might look like and what the FTC needs to do to protect consumer privacy on the mobile web.

BACKGROUND: The FTC's online privacy report: Breaking down the recommendations

ANALYSIS: Google's new cross-service info sharing: What's the hubbub?

A lot of the recommendations being pushed by the FTC involve "self-regulation." How exactly does this work on a practical basis.

I'd call it "co-regulation" rather than "self-regulation." The concept is that groups and businesses will come up with a set of standards that they'll promise to abide by and if they don't then they're subject to enforcement by FTC under regulations against deceptive trade practices. Rather than imposing standard one-size-fits-all rules, it allows for flexibility and it allows for changes to occur.

What are some of most important rules outlined by the FTC?

Do Not Track has gotten the most attention and that will help users prevent tracking of their online activity on an anonymous basis while allowing for reasonable tracking as well. There's lot of tracking done that's done for analytics to see whether website ads are being looked at, for instance. Remember that so much content on the Internet is made available to us through advertising. Allowing for a measurement of that is perfectly appropriate.

The other category has to do with data brokers and coming up with a mechanism that lets people see what information has been collected about them. The FTC asked the industry to address this issue without legislation, although they did recommend separate legislation that provides baseline protections for consumers as well.

What will consumers find useful about a centralized website for data brokers? Will they be able to understand what they're looking at?

We won't know until it's created, but possibly yes. The idea is that it will be a consolidated website. They're trying to persuade data brokers to create that as a kind of portal, which will be a little bit like the credit report consumers can get from the credit card industry. Nobody's seen it yet so it's hard to comment on it in the abstract.

What more has to be done in the mobile space to ensure mobile privacy?

It's a real challenge because the screen size is pretty small in the mobile space and the ability to provide privacy notifications is difficult. But that doesn't mean that app developers and device manufacturers shouldn't try. The bottom line is that companies that operate in the mobile ecosystem have to understand that privacy is an important value and it won't thrive without consumer trust or if privacy protections aren't provided.

What would you have done differently from what the FTC has done?

I think they did a terrific job in addressing a difficult task. If you look at how the draft has evolved from 13 months ago, it's really a remarkable document and it goes a long way toward setting best practices. As someone who represents companies that are under investigation by FTC, it would have been helpful to know which of their recommendations were priorities, so we know whether the best practices are standards that companies need to adhere to or just goals that they should aspire to. But overall I can't find much fault in the FTC's final report.

Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies