Earlier today, Maureen Ohlhausen, the newly appointed FTC Commissioner, participated in an open Question & Answer session on Reddit, a user-generated interactive news website. She took questions on a broad range of privacy issues including changes to terms of service, data protection by small businesses, unfair privacy practices, and maintaining privacy on mobile apps. The Commissioner provided tips on how consumers can protect themselves from ID theft, talked about the FTC’s support of increased access to broadband internet, and outlined what she believes are key elements for successful industry self-regulation.
Below you will find an abridged summary of what she said:
Hi. I’m Maureen Ohlhausen, a Commissioner at the U.S. Federal Trade Commission (the nation’s consumer protection agency). I am looking forward to having a conversation with you about the FTC’s approach to consumer privacy, though you should know that my comments today represent only my own views. Understanding and addressing privacy issues, particularly those raised by new technologies and services, such as mobile apps, is critical for consumers, businesses and the FTC’s mission. My goal today is to share important information that we have about how entrepreneurs and other small businesses can get the information they need to comply with federal privacy laws and to learn more about the difficulties faced by entrepreneurs and small businesses in addressing evolving privacy problems. AMAA
The FTC hasn’t taken any official position on Bitcoin, but there are lots of innovative payment methods out there now that may offer consumers new options. The FTC has sponsored workshops and issued reports on that topic. Our first issue always is: are consumers protected?
The FTC has made it clear that companies need to notify consumers and get their consent before using their personal information in a way that is different from what they promised when they collected that information. If consumers object to the changed terms, they can look for other products or services in the market that offer privacy terms they prefer. It seems like companies are starting to compete on their privacy terms more frequently and I applaud this development.
In many ways, good data security practices cost next to nothing. Shredding confidential paperwork, training staff to keep personal information safe, and limiting what you collect in the first place are all cost-effective examples. Here’s something else to consider. In the long run, NOT implementing reasonable data security can wind up costing small businesses even more. The FTC has free resources for small businesses at www.business.ftc.gov to help implement best practices at your company.
I have my eye on the Wyndham Hotels proceeding in New Jersey, where the defendant seeks to constrain the Commission from using Section 5 to proceed against companies failing to secure personal information. In the event Wyndham succeeds, what powers (if any) does the Commission or any other federal agency have to protect me in the event my Reddit fails to secure my personal information? In that instance, are we going to have to rely on Congress to do something?
Second question: What role, if any, do you see the private plaintiffs’ bar playing in connection with data privacy or data security issues (Internet or otherwise)? While that bar supplants the FTC and other agencies in several fields (i.e. antitrust), private data security actions have faced significant obstacles and been largely unsuccessful (with the exception of a few outliers). In the event Congress does establish data security legislation (which they should), do you believe that legislation should include components to incentivize the plaintiffs’ bar to bring private enforcement actions (i.e. statutory damages, fee-shifting provisions, and the like)?
Thanks very much! I am a big fan of your agency.
Although I can’t discuss ongoing FTC litigation, I can say that the FTC has often used its authority under Section 5 to challenge deceptive and unfair practices in the area of privacy. Thus, we have brought many cases where companies that made promises about how they will use or secure consumer data have failed to live up to those promises. I believe we can continue to do this in the future. I have also been generally supportive of federal data security and breach notification legislation.
[–]hundredgrand: To your second question, private action would just add horrible insult to injury. Big judgments against companies for data breaches would incentivize them to take precautions but does it need to get to that? There has to be some other way for companies to protect consumer data at the outset.
[–]competitionroolz : Ideally, yes, but the reality is that the only way to ensure large companies comply with law and good practice is by punishing them economically if they don’t. I wish it were otherwise. I tend to think the best solution is clear standards for businesses to follow, coupled with clear consequences if they do not. I’m not sure that we have either at this point.
The FTC encourages affirmative protection of consumer privacy through a number of actions that responsible businesses can take, including privacy by design and ensuring that consumers get accurate information about what information is collected and how it is used and shared. See more in our privacy report: http://www.ftc.gov/os/2012/03/120326privacyreport.pdf
[–]wawdtb: A lot of apps collect information that on its face creates no problem for the end user. What pisses off a lot of consumers is when that information gets into the hands of data brokers. What is the FTC doing about data brokers and their ability to create profiles on users?
We have also heard concerns about how consumer information is shared with third parties. In response, the Commission recently began a formal study of the data broker industry. We sent out formal requests for information to nine large data brokers to learn more about their practices, including how they use, share, and secure consumer data. It is vital that we have a good understanding of how data brokers operate because appropriate use of data can greatly benefit consumers through better services and convenience while inappropriate use or insecure maintenance of data could cause significant harm to consumers. We will carefully analyze the submissions from the companies and use the information to decide how to proceed in this area.
[–]00000000000: It seems every day there are privacy breaches, whether by the NSA, technology companies, or data warehouses. What can the average consumer/citizen do to protect their privacy? And what steps should they take once they know a breach has occurred?
The FTC has lots of suggestions for consumers on how to protect their privacy and foil identity thieves. Just a few tips: 1) Shred paperwork that includes personal information. 2) Keep your online virus and malware software up to date. 3) Don’t respond to unsolicited email that claims to be from your credit card company or bank. It’s likely a phishing scam. 4) Don’t give out your Social Security number without asking tough questions like “Why do you need it?” and “How do you plan to keep my information secure?”
If your personal information has been breached, be sure to read your bills and statements line by line to watch out for unauthorized charges. And exercise your legal right to get a copy of your credit report at www.annualcreditreport.com. If you see accounts you didn’t open, contact the company immediately. For more privacy protection tips, visit www.ftc.gov/idtheft.
For example, a Facebook game or tool that requires permanent access to all your Facebook contacts and posts, not just the data it needs to run. Or a dictionary app on iPhone that also logs your location. Sometimes the app tells you they’re going to do something like this, but hides it in legalese in the EULA, or you face the hard choice between privacy and not using the app at all.
TLDR Why does Zynga get all my Facebook data if I just want to play Scramble with Friends?
Speaking for myself, as long as the app or website has clearly disclosed to users what information it collects and how it may be shared, it is up to the user (assuming he or she is an adult) to decide whether or not to use that app or website. Offering different privacy options to consumers may spur competition among apps and websites, however, and increase choices for consumers with differing privacy preferences.
[–]discountopinionator : It’s pretty clear that Google Mail builds a profile on me based on the content of my email so that they can serve me ads – in the regular mail world, the post office isn’t allowed to read my mail, nor build a profile on me as a user. I understand the difference between the two, but what happens when gmail is used by my school? or the Hospital? Even if Google doesn’t send me ads on my school account, are they allowed to collect there? From my doctor?
As long as Google has clearly disclosed to gmail users what information it collects and how it may be used for advertising purposes, it is up to individual consumers to decide whether or not to use it. Of course, if they promise that they will not collect or use some kinds of information, they will be held to those representations. Some other email providers do not collect information from emails for advertising, however, and you may prefer to use their services.
This shows that privacy issues are not limited to the online world.
The FTC has a number of resources that provide guidance to businesses on this topic. The FTC’s privacy report encourages increased transparency and effective notice.
Check out .com disclosures: http://ftc.gov/os/2013/03/130312dotcomdisclosures.pdf
And mobile privacy report: http://www.ftc.gov/os/2013/02/130201mobileprivacyreport.pdf
Also, I applaud efforts by NTIA and other organizers to create a short form notice that makes it easier for consumers and developers alike.
[–]BerinSzoka : Commissioner Ohlhausen, what about the FTC’s role as an advocate for competition? We at TechFreedom love it when the FTC urges state and local governments to remove barriers to competition — like the FTC’s recent comments urging the taxicab commissions to lay off Uber.
How do you pick your cases? And why doesn’t the FTC do even more of this kind of competition advocacy?
In particular, can the FTC clear the way for more broadband competition and better wireless service? Will the FTC get involved in urging local governments to make it easier to build competitive broadband networks by using rights of way and fairly pricing pole attachments? And what about all the applications to build or upgrade cell phone towers and small cells on buildings that are tied up in local governments because of NIMBYism?
Competition advocacy is a subject near and dear to me. I headed up our advocacy efforts as Director of our Office of Policy Planning in the 2000s and believe we were able to make a real difference for consumers. Competition advocacy is one of the most effective tools in our arsenal and one that we should always consider using. Whether it is medical care, wine, taxis, or even caskets, our advocacy efforts have been aimed at tearing down competitive barriers. But we have to be careful in selecting where and when to advocate. We typically do this only in response to invitations from policymakers or where public comments are sought. We also want to make sure we have a thorough understanding of the industries at issue and, wherever possible, empirical evidence to support our advocacies. As a Commissioner, I will continue to push the agency to advocate for procompetitive policies.
Also, Berin, how is that Vibe app coming?
[–]TampaMom : Hi, Commissioner Ohlhausen. My name is Ann Adair, President of Thinkamingo Inc, a mobile app company that makes apps for kids. We’ve worked closely with organizations like Moms With Apps (MWA) and Association for Competitive Technology (ACT) and their program Know What’s Inside (KWI). Does the FTC have plans to support industry-led initiatives like KWI and helping developers be COPPA compliant? Thank you.
Self-regulation is an important way to offer consumers additional privacy choices. The best self-regulatory programs are nimble, keeping pace with rapid changes in technology and business practices in ways legislation and regulation cannot. The Commission has long supported industry self-regulation as an efficient way of securing consumer benefits and promoting a robust and competitive marketplace. Voluntary codes of conduct and industry-led enforcement are particularly appropriate in dynamic sectors of the economy where traditional regulation may stifle innovation and slow growth. The self-regulatory activity taking place around COPPA and apps is a great example of how private efforts can augment our work at the FTC.
[–]TampaMom: Thank you, Commissioner! We plan to continue working together as a community of app developers helping each other. Our goal is a thriving community of app developers making quality, safe, and family-friendly apps! We are grateful for your support.
Thanks everybody for your great questions. I hope to do this again in the future.
This is a critically important topic and is getting tremendous attention. Like you, every day I am reading accounts of what information is being collected and from whom. With respect to the FTC’s role, however, our jurisdiction is over commercial privacy, not government privacy. With that said, it’s critical that policy makers act thoughtfully and appropriately to balance appropriate privacy concerns with the important job of protecting American citizens. It’s a very challenging task.