The Privacy Advisor Interviews Federal Trade Commission Chairman Deborah Platt Majoras, Winner of the IAPP's 2007 Privacy Leadership Award, About Her Priorities and Accomplishments
The Privacy Advisor (TPA): How would you describe the Federal Trade Commission's (FTC's) approach to consumer privacy under your leadership?
Majoras: Our work on consumer privacy has been and remains a top priority, and I would describe it as active and multi-faceted. The explosive growth of the Internet and the development of sophisticated computer systems and databases have made it easier than ever for companies to gather and use information about their customers. These systems can have tremendous benefits for consumers, but they can also increase their exposure to harm. Our approach to privacy focuses on preventing and addressing harm to consumers from the misuse of their sensitive data, from spyware and related downloads, and from other unlawful practices. In our privacy work, we combine aggressive law enforcement, consumer and business education, partnerships with other agencies and the private sector, and ongoing evaluation and learning.
Enforcement: Since 2001, we have brought 14 cases against businesses that have failed to provide reasonable data security to protect sensitive consumer information. Since 1997, when the FTC brought its first case involving spam, the FTC has aggressively pursued deceptive and unfair practices in spam through 89 law enforcement actions, 26 of which were filed after Congress enacted the CAN-SPAM Act. The Commission also has brought 10 law enforcement actions against spyware distributors. Further, the FTC has filed 11 civil penalty actions and has obtained more than $1.8 million in civil penalties, settling allegations of violations of the Children's Online Privacy Protection Act (COPPA). We also continue to bring cases against telemarketers that fail to comply with the National Do Not Call Registry and against companies and individuals that obtain and sell consumers' confidential telephone records to third parties.
Education: Consumers are the first line of defense against the misuse of their personal information, and educating consumers is essential in eliminating privacy risks and the resulting harm. The FTC's nationwide identity theft education program, "Avoid ID Theft: Deter, Detect, Defend," teaches consumers that they can DETER identity thieves by safeguarding their personal information; DETECT suspicious activity by routinely monitoring their financial accounts, billing statements, and credit reports; and DEFEND against ID theft as soon as they suspect it.
The Deter, Detect, Defend campaign has been very popular - we have distributed more than 1.5 million brochures and 30,000 kits that organizations can use to educate their employees, their customers, and their communities about how to minimize their risk of identity theft.
Partnerships: Our consumer education efforts are just one example of our partnerships with public and private sector entities in the area of privacy. We also are partnering with 17 other federal agencies as part of the President's Identity Theft Task Force, which already has made interim recommendations and will be issuing final recommendations soon.
Evaluation and Learning: We strive to develop policies and execute our work in a way that is balanced, thoughtful and informed. One example of how we stay informed and anticipate the future is through public workshops. In April, we will host a workshop to explore better methods for authenticating individuals, as limitations in current authentication methods have created opportunities for identity thieves to open new accounts and to use stolen identities.
TPA: In November last year, the FTC held a series of hearings on "Protecting Consumers in the Next Tech-ade." After hearing the testimony of various privacy and security experts, what threatens consumer privacy the most in the coming Tech-ade?
Majoras: In my view, the greatest threat to consumers in the next decade does not appear likely to come from any one particular technology or practice.
Instead, it is likely to arise from the cumulative effect of collecting, using and storing massive amounts of information, especially where increased data mobility exacerbates the risk that it will fall into the wrong hands. Technological advances in data storage, such as perpendicular storage, will allow massive amounts of data to be stored. Experts at the Tech-ade hearings predicted that a decade from now we will be storing between 10 and 100 times the amount of data that we store today. At the hearings, we heard about a wide range of technologies and practices that will require the collection and use of large amounts of information, including some very sensitive information. We also heard that information will be increasingly mobile, flowing across borders and from device to device.
At the FTC, we have emphasized the need for a "culture of security" to respond to data security risks. What I heard at the Tech-ade hearings convinces me that the need to create such a culture is real and growing.
TPA: What steps, if any, does the FTC plan to take in the aftermath of the hearings?
Majoras: We intend to issue an FTC staff report describing what we heard and analyzing upcoming challenges for the FTC. This report, however, is just the beginning. In November 2007, we will host a series of Town Hall meetings around the country to supplement and build on some of the key topics discussed at the hearings. After these meetings and the FTC staff's own internal strategic planning process, we will announce a Technology Research and Policy Development Plan for 2008. This Tech R & D Plan will include all of the hearings, workshops and similar events related to technology that we intend to hold during the year.
TPA: New security breaches already have affected millions of consumers in 2007. Does the FTC support a national security breach notification law, and if so, what elements are essential and what proposed mechanisms are unnecessary?
Majoras: I support a national data breach notification law that would require notice to consumers when their sensitive personal information has been breached in a way that creates a significant risk of identity theft. Notice can help consumers prevent or mitigate harm resulting from a data breach by allowing them to take precautions, such as monitoring their accounts more closely, closing their accounts, or placing fraud alerts on their credit reports. Notice also alerts consumer reporting agencies and law enforcement so that they can take appropriate actions to assist consumers in preventing identity theft. Notification, however, makes sense only when it is useful to consumers, and not in situations involving insignificant risks.
I also support legislation that requires companies that maintain sensitive consumer information to have reasonable security procedures in place. I have testified several times on these issues, urging Congress to use caution in passing any new laws, so that in an effort to safeguard data we do not inhibit consumers' commercial transactions.
TPA: Behavioral targeting online is an issue that continues to get a lot of public attention. Without commenting on any specific investigation, what can regulators do to protect consumers and what should consumers consider when it comes to protecting their privacy online?
Majoras: Online behavioral marketing is the practice of obtaining information about consumers' online behavior in order to provide advertising targeted to a consumer's particular interests or preferences, while decreasing the volume of unwanted or irrelevant advertising shown to them. Behavioral targeting is generally accomplished by advertisers or ad networks placing cookies on consumers' computers when they visit Web sites. This practice has certain efficiencies for commerce and consumers, but it may also raise privacy concerns, particularly in those instances where personally identifiable or sensitive health or financial information might be collected and/or combined with other data.
As a law enforcement agency, the Commission can take action to halt unfair or deceptive acts or practices, such as when a company misrepresents its information collection practices or fails to adequately secure personally identifiable information. Additionally, consumers who prefer to limit the online collection of information about themselves and limit their receipt of targeted advertising can do so by installing software to block the download of certain types of cookies onto their computers or by periodically removing or emptying the contents of cookies placed on their computers by Web site operators or ad servers.
TPA: The FTC has sent some strong messages with enforcement actions that have included record penalties. With the Commission's broad enforcement authority, what are the priorities for the coming year?
Majoras: Our priorities include continuing our program to bolster data security and reduce identity theft; to attack spyware; to eliminate pretexting; to support the National Do Not Call Registry through vigilant enforcement; and to protect children through aggressive COPPA enforcement.
Data Security and Identity Theft: The Commission's ultimate goal is to protect consumers from identity theft. We will continue to devote substantial resources to educating consumers and businesses and bringing law enforcement actions against companies that fail to take reasonable steps to protect sensitive consumer information. More specifically, the Identity Theft Task Force is in the process of preparing a final strategic plan and recommendations that we hope to release in the near future. The FTC is publishing a general data security business education guide designed to assist different types of businesses in addressing data security issues. And on April 23 and 24, the FTC will host a workshop to explore better methods for authenticating individuals, as limitations in current authentication methods have created opportunities for identity thieves to open new accounts and to use stolen identities.
Spyware: The Commission's spyware cases will continue to reaffirm three key principles. First, a consumer's computer belongs to him or her, not the software distributor. Second, buried disclosures do not work, just as they do not work in more traditional areas of commerce. And third, if a distributor puts a program on a consumer's computer that the consumer does not want, the consumer must be able to uninstall or disable it.
Spam: The FTC continues to devote resources to fighting spam. The Commission is aware of email filtering companies' recent reports that the amount of spam they process is rising and is studying whether this increase has resulted in a change in the amount of spam actually reaching consumers. The Commission's recent experience suggests that spam is being used increasingly as a vehicle for more pernicious conduct, such as phishing, viruses and spyware. In the coming months, as a follow-up to its initial Spam Forum of 2003, the FTC will host a workshop to examine how spam has changed and what stakeholders can do to address it.
Telephone Records Pretexting: The Commission's efforts against phone pretexting are ongoing. In addition to our own pending cases and investigations, we expect to develop criminal law enforcement referrals in light of the recently passed Telephone Records and Privacy Protection Act.
Children's Online Privacy Protection Act (COPPA): The Commission's most recent action was filed in September 2006 against operators of the social networking Web site Xanga.com, in which the Commission obtained a civil penalty of $1 million, the largest civil penalty amount obtained by the Commission in a COPPA Rule violation case. The Commission will continue to enforce COPPA vigorously, as well as Section 5 of the FTC Act, in matters relating to children's online privacy. With more mobile content being accessed through wireless Internet devices, the Commission will monitor the collection of personal information from children via mobile devices to assess compliance with COPPA.
TPA: What is the latest on efforts to amend the Telemarketing Sales Rule? How will those proposed changes affect consumers?
Majoras: In 2004, the FTC issued a Notice of Proposed Rulemaking that would have amended the TSR to allow the use of prerecorded messages in calls to consumers with whom the seller had an established business relationship if the consumer could easily assert a company-specific do-not-call request. In October 2006, the FTC rejected the proposed amendment, based in part upon widespread consumer opposition. In its October 2006 ruling, the FTC also noted its concern that if the proposal were approved, the use of low-cost prerecorded message telemarketing, coupled with the use of cheap new technologies, such as Voice over Internet Protocol (VoIP), likely would prompt a surge in prerecorded calls. In that event, consumers would be in much the same position as they were before creation of the National Do Not Call Registry - having to ask telemarketers, one-by-one, not to call again.
In the October notice, the Commission proposed a new TSR amendment clarifying that the "call abandonment" provisions of the TSR prevent sellers and telemarketers from delivering a prerecorded message when a consumer answers a telemarketing call, except in limited circumstances. Some 630 comments were received on this proposal prior to the close of the public comment period on December 18, 2006, and Commission staff is now reviewing these comments from consumers and businesses. A decision on this matter is anticipated in the coming months.
TPA: What message do you have for privacy professionals?
Majoras: You are the front line in our efforts to protect consumers' sensitive information. Consumers expect your companies to protect this data, and I am counting on you to create a culture of security at your companies and across the private sector. Data security cannot be an afterthought; it must be integrated into business models and methods. You, and the companies you serve, must strive to balance the need to protect consumers' information from loss and misuse with the need to efficiently carry out your corporate mission. Safeguarding consumers' sensitive data not only is the law, it is the right thing to do and makes good business sense.