David Vladeck, the head of the Bureau of Consumer Protection at the Federal Trade Commission, shared his vision for consumer privacy protection with an audience at the IAPP’s Privacy Academy on September 30, 2010. Mr. Vladeck began by reminding the audience that the FTC is aggressively enforcing on privacy and data security matters, having brought 29 cases to date. Where possible, the FTC joins forces with other federal regulators, such as the Department of Health and Human Services, to seek broad relief that the FTC could not otherwise get on its own. Mr. Vladeck indicated that the FTC also works closely with the states, citing a recent case in which the FTC filed concurrent settlements with 36 state attorneys general. Mr. Vladeck stated that the FTC plans to continue to bring cases to ensure that companies “reasonably” safeguard information.
Mr. Vladeck noted three key areas for future enforcement. The FTC will (1) bring more cases involving “pure” privacy, i.e., cases involving practices that attempt to circumvent consumers’ understanding of a company’s information practices and consumer choices; (2) focus enforcement efforts on new technologies (Mr. Vladeck noted that, to assist staff attorneys in bringing these sorts of cases, the FTC has hired technologists to assist and also have created mobile labs to respond to the proliferation of smart phones and mobile apps); and (3) increase international cooperation on privacy issues (Mr. Vladeck cited the FTC’s recently-announced participation in the Global Privacy Enforcement Network).
Mr. Vladeck discussed the FTC’s roundtable sessions which, in his view, will form the basis for the FTC’s new vision for privacy. He believes some of the past approaches to privacy were not providing appropriate protections to consumers. Mr. Vladeck noted a few key lessons from the roundtables: (1) information is now cheaper to save than to destroy; (2) the distinction between PII and non-PII is blurring and it is increasingly difficult to be truly anonymous; (3) consumers understand very little about how their information is handled and with whom it is shared; (4) many businesses do not interact directly with consumers so consumers are particularly confused about those entities’ information practices; and (5) the flow of information brings tremendous benefits such as personalized online environments, and technology may offer solutions in the privacy space.
With respect to the eagerly awaited FTC report resulting from the roundtable sessions, Mr. Vladeck indicated that the report is still on target to be released this fall. It is currently under review by the FTC Commissioners. The report will be issued in draft form for public comment. The big picture issues that likely will be addressed are:
- Privacy by design. Mr. Vladeck indicated that companies should build privacy into new procedures, technologies and systems. He stressed the importance of practicing good data hygiene from the beginning, with a focus on information security and data minimization.
- Increased transparency. Mr. Vladeck noted that privacy notices help to promote accountability, but that we need better privacy notices.
- Simplification of consumer choice. This would allow consumers to focus on choices that really matter to them rather than on information practices consumers would expect. Thus, consumers would pay attention to issues that really matter rather than being inundated with irrelevant notices. In addition, Mr. Vladeck stressed the importance of presenting a privacy notice at the point of data collection. He also focused on having more consistent formats for privacy notices (which is a concept Hunton & Williams’ Centre for Information Policy Leadership proposed in the early 2000’s). In addition, Mr. Vladeck believes additional protection is warranted for sensitive data such as health, financial and location data.
- Access to data. Mr. Vladeck noted that consumers are particularly concerned about the collection and aggregation of data in ways they don’t expect. Providing individuals with access to data would promote transparency, particularly with respect to information services companies.
- Consumer and business education. Consumers should better understand Internet tracking and choice options.
In addition, Mr. Vladeck indicated that the FTC is examining the viability of a Do-Not-Track preference mechanism that marketers would need to check. The FTC will continue to explore the most appropriate means for consumers to exercise their preferences.
Mr. Vladeck stated that, while the FTC has always supported self-regulation and will continue to do so, he is personally “disappointed” in industry’s progress in implementing various proposals in the behavioral advertising arena. He urged industry to “get moving” so the regulators “don't lose their patience.”
There also was discussion regarding several legislative initiatives, including the Boucher and Rush proposals (which Mr. Vladeck is concerned focus too heavily on “already over-burdened” privacy notices) and data breach legislation. Mr. Vladeck indicated that the ability for the FTC to obtain civil penalties would be “invaluable” to the FTC in protecting consumers.
Mr. Vladeck left the audience with three concluding thoughts. First, he said that his vision of consumer privacy would include “privacy by design” in which companies would incorporate privacy protections as they develop new products and services. Second, he stressed the need for consumers to have greater access to information about organizations’ privacy practices. Third, Mr. Vladeck noted that the FTC will continue robust enforcement in the privacy and data security arena to promote security and ensure that consumer choices are respected.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code