A brave new world of technological innovation is emerging – some would say it has already emerged. Although we cannot predict the next killer app or revolutionary invention, we can be fairly sure that it will involve the use of personally identifiable information. Consumers have enthusiastically adopted personalized applications of all varieties, yet the way things stand now they must be prepared to sacrifice something at least as valuable: their privacy.
Congress is just beginning the complex process of developing legislation to protect consumer privacy while nurturing innovation in products and services. An important way to achieve the delicate balance between encouraging technology and preserving privacy is for Congress to expand the capabilities of the Federal Trade Commission (FTC) to ensure that it can keep up with the rapidly evolving marketplace.
In the mid to late 1990s, the FTC began reviewing how websites collected and managed consumers’ personally identifiable information. This led to the creation of a set of self-regulatory rules known as the Fair Information Practice Principles, which created four basic obligations:
- Consumers must be notified as to whether their online information is being collected
- Consumers must provide consent as to whether or not they want their online information collected
- Consumers must be able to view information a company has collected about them and verify its accuracy
- Businesses must undertake measures to ensure that information is accurate and stored securely
The framework of the Fair Information Practice Principles is a good place to start when considering future privacy legislation. Over the past two decades it has demonstrated a suitable balance between responsible privacy standards and room for innovation. However, as technology evolves, the FTC should be able to keep up.
The FTC must be provided with the discretion and flexibility to adapt, update and strengthen the Fair Information Practice Principles, as well as its own role in safeguarding consumer privacy in response to changing technologies and consumer needs.
The FTC, in partnership with the private sector, should create privacy notices that are easy to read and understand in conjunction with an education campaign to inform consumers about their rights. Many privacy notices are dense and contain so much legalese that they become ineffective because consumers simply don’t read them.
Congress should provide the FTC with the resources to create an Online Consumer Protection bureau that focuses exclusively on online crimes such as identify theft, e-mail scams, and privacy enforcement. This would expand the FTC’s capabilities to investigate, prosecute and enforce consequences against breaches of privacy.
Any attempt to impose new privacy standards should distinguish between good actors that slip-up inadvertently versus bad actors that aim to cause trouble. A safe harbor program will accomplish this task by reducing liability if actions are preformed in good faith. Safe harbor programs provide a combination of carrot and stick that allow the FTC to execute different programs for different actors.
As policymakers continue to deliberate the best path for balancing the various stakeholder interests around the issue of online privacy, they must remember that any proposed legislation should not be absolute. The current set of privacy principles adopted by the FTC has worked well for over a decade and should serve as a framework for any new legislation. Technology is a moving target and privacy laws should be sufficiently flexible to adapt.
Todd Thibodeaux is CEO and president of CompTIA, a non-profit trade association advancing the global interests of information technology (IT) professionals and businesses. David Valdez is the organization’s senior director of Public Advocacy.