X

FTC says current privacy laws aren't working

In a preview of what may be in a forthcoming report, a senior FTC attorney says existing U.S. law unreasonably places "too much burden" on people to understand privacy policies.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
See full bio
Declan McCullagh
3 min read
Kathryn Ratte, a senior Federal Trade Commission attorney (far right), says current U.S. privacy laws aren't effective.
Kathryn Ratte, a senior Federal Trade Commission attorney (far right), says current U.S. privacy laws aren't effective.

CALGARY, Alberta--A U.S. Federal Trade Commission representative delivered a stern indictment of current privacy laws on Monday, saying they fail to protect American consumers and instead place too much of a "burden" on them.

The existing constellation of privacy laws, which relies heavily on disclosure of data collection and use practices and on informed consumer choice, "in some very basic sense isn't working," said Kathryn Ratte, a senior attorney in the FTC's consumer protection bureau.

"We've put too much burden on the consumers to understand these policies," Ratte said here at an event organized by Canada's privacy commissioner. "To compare the privacy policies of two companies is an almost impossible task."

These sentiments are likely to be reflected in a widely anticipated report that the agency plans to publish later this year. The report is expected to offer to Congress recommendations on new laws and may state that the FTC intends to expand its current authority around policing "deceptive" practices to address more Internet-related business practices.

"One of the issues we've identified is...to encourage companies to have better data hygiene," Ratte said, through implementing policies such as "minimization and retention limits."

In an area like cloud computing, which demonstrates "some of the limits of these traditional structures," the current "notice and choice model in some very basic sense isn't working," she said. "The goal of transparency clearly isn't being met by the way notice is being handled today."

One type of law that has worked well is data breach notification, said Mike Hintze, Microsoft's associate general counsel, who also spoke at the Calgary event. It's one in a series of events that Canada's privacy commissioner, Jennifer Stoddart, has convened around the country.

"Old data that you don't have a business purpose for is toxic waste," Hintze said. "There's now a new incentive to get rid of data that you don't need anymore."

Last year, the U.S. House of Representatives approved H.R. 2221, a data breach notification bill, but the Senate has not acted. The measure states that anyone who "possesses data in electronic form containing personal information shall, following the discovery of a breach of security...notify each individual" who was affected by the security breach. (California already has such a law.)

In drafting its yet-to-be-released report, the FTC organized three privacy roundtables. During the first one in December, FTC Chairman Jon Leibowitz offered some hints about what his agency was thinking: "Should we utilize more opt-in? Should we treat special categories of information, such as sensitive health or personal financial, differently? How about vulnerable consumers, such as children?"

More hints have come in the form of an FTC document that suggests cloud computing services could be targeted for more regulation. The ability of these services "to collect and centrally store increasing amounts of consumer data, combined with the ease with which such centrally stored data may be shared with others, create a risk that larger amounts of data may be used by entities not originally intended or understood by consumers," it states.