FTC Privacy Report Backs More Credit Data Access for Consumers


Taking a cue from safeguards already in place for credit card holders, the Federal Trade Commission is proposing rules and business "best practices" intended to shield and fortify Americans' privacy.

In a report issued earlier this week, the agency called for a blend of business and legislative actions that would give consumers more control over the personal data that is collected about them. That data -- collected mostly through Internet and cellphone transactions -- is then sold to others or used to target those same consumers with an onslaught of narrowly focused ads.

The report recognizes the dizzying array of new threats to privacy in a digital world in which consumer data can be mined from Wi-Fi hotspots, tweets and games downloaded to smartphones, and then used by creditors, employers, insurance companies and landlords. To a large extent, the recommendations would give Americans the right to challenge errors in all personal and financial data gathered about them and to correct those errors, just as credit card holders and others now have the right -- under the Fair Credit Reporting Act -- to challenge and correct reports from credit bureaus.

Most of the FTC's recommendations call for voluntary action by retailers, advertising agencies, credit card issuers, cellphone companies, Web operations and the relatively new phenomenon of "data brokers," increasingly powerful entities that collect, collate and sell a wide range of personal and financial information about consumers.

But the FTC's sweeping 112-page report, "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers," also raised the threat of federal legislation, especially if businesses fail to take swift, significant and wide-ranging action.

'Do Not Track' option sought At the top of the FTC's "This Is Not Just a Wish" list: a simple but robust "Do Not Track" option for Web surfers.

"If companies adopt our final recommendations for best practices, and many of them already have, they will be able to innovate and deliver creative new services that consumers can enjoy without sacrificing their privacy," FTC Chairman Jon Leibowitz said as the report was issued Monday.

"We are confident that consumers will have an easy-to-use and effective 'Do Not Track' option by the end of the year because companies are moving forward expeditiously to make it happen and because lawmakers will want to enact legislation if they don't," he said.

Data security, consumer notification

At the same time, the FTC also suggested that Congress waste no time, reporting that legislation immediately was required to strengthen data security and the standards to notify consumers of any breaches in that security.

Some business experts expressed concern that the recommendations could go too far, while many consumer advocates and privacy experts expressed general approval.

"'Do Not Track' will give people more faith in the Internet," said John M. Simpson of Consumer Watchdog, a nonprofit public interest group. "That will be a win-win for business and consumers."

Obviously, a significant fraction of the data collected online involves purchases made with credit cards, but credit card customers -- and all Americans -- would come into contact with the new rules every time they go online and every time they migrate from one website to another.

"Americans have enthusiastically migrated more and more of their lives online," Leibowitz said during a news conference in Washington, D.C. "As a result, we have had to ask how can consumers continue to enjoy the riches of a thriving online and mobile marketplace without surrendering their privacy as the price of admission?"

Show us the credit data

In addition, credit card account holders already serve as something of a test bed for the regulations. Under the Fair Credit Reporting Act, credit card customers and anyone applying for credit must be notified of any personal data that is collected and subsequently triggers an adverse credit decision -- and they have their right to see the report and contest such data.

One of the main recommendations of the FTC's new report calls for similar transparency of all other personal data collected online, by cellphone and through other methods. This would include new federal legislation focused on those data brokers, who would be required to provide consumer access to information gathered about them and the ability to correct any errors in that data.

"Companies should disclose details about their collection and use of consumers' information, and provide consumers access to the data collected about them," the FTC said.

Specifically, the agency cited "companies that assemble and evaluate consumer information��� for use by creditors, employers, insurance companies, landlords and other entities involved in eligibility decisions affecting consumers." It noted that the Federal Credit Reporting Act already stands as "an important tool that provides consumers with the right to access their own data that has been used to make such decisions, and if it is erroneous, to correct it."

Disclosure, error correction

Under the act, the report pointed out, consumer reporting agencies must "disclose to consumers, upon request, all items in the consumer's file, no matter how or where they are stored, as well as the entities with which the consumer reporting agency shared the information in a consumer's report." When errors are found and reported, the agency generally is required to investigate and correct or delete the erroneous information.

"As more and more consumer data becomes available from a variety of sources, companies are increasingly finding new opportunities to compile, package and sell that information," the FTC said. "In some instances, companies could be compiling and selling this data to those who are making decisions about a consumer's eligibility for credit, insurance, employment and the like."

Importantly, such activities are subject to the Fair Credit Reporting Act, again indicating that credit-related protections already in effect will be serving as a model for some of the new privacy protection recommendations.

The agency also called on companies to employ consumer privacy protections "at every stage in developing their products." This includes limited collection and retention of consumer data, the securing of such data and reasonable efforts to ensure the accuracy of the data. The agency calls this "privacy by design."

'Big Brother' watchdog over data collection Of particular significance, the FTC emphasized that consumers must have the ability to decide what information is shared about them and with whom. The main mechanism for this should be an easy-to-use "Do Not Track" option on Web browsers and websites, the agency said.

This is a hot issue in the online world.

For one thing, some business interests prefer to define "Do Not Track" as, "Well, OK, we can track, but we can't use that particular information to target ads." No way, Leibowitz said. He said "Do Not Track" means "Do not collect online data." Period.

That pleased many privacy experts.

"These meaningful standards will ensure that 'Do Not Track' does not become a weakened 'Do Not Target' standard ... " said Rainey Reitman, activism director for the Electronic Frontier Foundation, which works to defend privacy and "freedom" in the online world. "The issue of 'Do Not Track' versus 'Do Not Target' is fundamental to online behavioral tracking."

Many commercial interests, however, say that "Do Not Track/Collect" options, if widely deployed, would prevent them from collecting information about consumer tastes and habits and, consequently, would cripple the rapidly growing online advertising industry.

The final report issued Monday expands on and somewhat revises a preliminary FTC staff report issued in December 2010. That earlier report generated comments from 450 groups, companies and individuals, and some of those comments were incorporated in the final report, the agency said.

The FTC vote approving the report was 3-1, with Commissioner J. Thomas Rosch dissenting. He expressed several concerns, including the possible overreaching nature of the recommendations.

"If implemented as written, many of the report's recommendations would instead apply to almost all firms and to most information collection practices," he wrote in his dissent. "It would install 'Big Brother' as the watchdog over these practices not only in the online world but in the offline world."

For the most part, however, consumer and privacy advocates applauded the report.

Said Reitman of the Electronic Frontier Foundation: "The final report creates strong guidelines for protecting consumer privacy choices in the online world."