FTC: Self-regulation won't cut it

Edging even further from endorsements of industry efforts to safeguard Net users' privacy through self-regulation, the chairman of the Federal Trade Commission said today that new laws may be needed to eliminate concerns raised by the online collection of personal information.

"While some industry players may form and join self-regulatory programs, many may not," Pitofsky said in testimony before the House Commerce Committee's subcommittee on telecommunications.

"This would result in a lack of the uniform privacy protections that the commission believes are necessary to allow electronic commerce to flourish," he continued.

Robert Pitofsky

"The commission believes that unless industry can demonstrate that it has developed and implemented broad-based and effective self-regulatory programs by the end of this year, additional governmental authority in this area would be appropriate and necessary."

Just today, the Online Privacy Alliance--a group of 50-plus companies that includes America Online and Microsoft--unveiled its enforcement plan to protect consumer privacy on the Internet. The plan already has been called "weak" by privacy advocates.

Under respective commands by Congress and the White House, the FTC and Commerce Department have been knee-deep in debates over online privacy concerns. The agencies are charged with assessing data collection practices on the Net and determining whether industry self-regulation is working. The goal is to ensure that consumers are given proper notice and choice regarding the data they forfeit to Web sites, often in exchange for goods and services.

More coverage on CNET Radio

The administration, along with several studies, state that consumers will not engage in e-commerce if they are worried about the safety of personal data, such as their postal and email addresses, Social Security numbers, phone numbers, and financial or medical information.

Last month, the FTC said voluntary efforts weren't adequately protecting personal information on the Net. It then asked Congress for new laws to prohibit collecting sensitive data from preteens without parental permission.

"We believe that this model would bolster ongoing self-regulatory initiatives, encourage others to undertake such initiatives, and provide statutory standards that would govern businesses that do not participate in self-regulatory programs," Pitofsky's said in testimony today.

The FTC's model legislation lays out online privacy protections and would provide a safe harbor for industries that establish government-approved policies and enforcement measures.

Under the proposal, commercial Web sites that collect personal, identifying information from consumers would have to comply with four fair information practices:

Notice and awareness: Sites would have to provide consumers notice of their data collection practices and how they use the information.

Choice and consent: Online users must be given choice and give permission regarding how their personal data is used by a site.

Access and participation: Consumers must have "reasonable" access to their data and be able to correct inaccuracies.

Security and integrity: Net sites must take "reasonable steps" to ensure the security and integrity of consumer data they collect.

"The recommended standards pertaining to children would empower parents to make choices about when and how their children's information is collected and used on the Web," the proposal continues. "They would require commercial Web sites that collect personal identifying information from children 12 and under to provide actual notice to the parent and obtain parental consent."

The legislative model would provide a safe harbor from any enforcement actions under the statute if companies complied with these guidelines. Violation of the statue would give regulators (most likely the FTC) authority to bring action against sites.

"The commission recommends that the implementing agency be given the authority to review and certify industry guidelines as meeting the statute's standards after public notice and comment," the proposal states.