Privacy Advisor

Commissioner's Positions

November 1, 2008

FTC chairman on online advertising, breach laws, and "walkin' the walk" on privacy

The IAPP is pleased to bring you this Q&A interview with Federal Trade Commission Chairman William E. Kovacic. Chairman Kovacic will deliver the keynote address at the upcoming IAPP Privacy Dinner in Washington, DC.

IAPP: The FTC has been very active with regard to online advertising and privacy recently. Where do you see issues headed in this area?

Chairman Kovacic: Since the mid-1990s, the FTC has played an active role in protecting consumer privacy by using all of its policymaking tools, including education of consumers, guidance to the business community, and law enforcement. Our work is rooted in our continuing effort to "stay ahead of the curve" and understand new information technologies, the online marketplace, and the privacy issues that they raise for consumers. We have hosted numerous public workshops and issued reports focusing on online data collection practices, industry self-regulatory efforts, and technological developments affecting consumer privacy. The FTC works to protect consumers from unfair or deceptive practices that affect consumers' privacy, while remaining mindful of the significant benefits that consumer data flows can bring to consumers and competition.
The growing practice of online behavioral advertising is but one illustration of where we need to achieve this balance. Over the past several months, the Commission has been closely examining this practice—its prevalence, the technology that makes it possible, and its impact on consumers and commerce.

Our examination has shown that online behavioral advertising provides valuable benefits to consumers in the form of free content, a more personalized Internet experience, and the potential reduction in unwanted advertising. At the same time, however, the invisibility of this practice to consumers raises privacy concerns, including the risk that data collected—some of which may be highly sensitive—might be misused. Many interested parties have called for greater transparency and consumer control over the collection of personal information for behavioral advertising.

To better understand this practice, Commission staff has conducted extensive outreach to a variety of stakeholders and hosted a two-day town hall on behavioral advertising in November 2007. Staff subsequently published proposed principles intended to serve as a basis for meaningful and enforceable self-regulation in this area. (See /2007/12/principles.shtm.) The FTC received over 60 comments on the proposed principles, and staff currently is developing a written report to respond to the comments and to provide further guidance regarding the goals and scope of the principles. At this time, self-regulation has considerable promise to supply the most effective and efficient way of addressing this issue. Even so, the Commission will use its law enforcement authority should businesses engage in unfair or deceptive practices.

IAPP: Notice of security breach laws now exist in many states. Has the proliferation of these laws helped consumer data protection? Do you think that a national, preemptive law would help to standardize the terrain? Or should states be allowed to innovate in this area?

Chairman Kovacic: The vast majority of states now have laws requiring notification to consumers in the event of a data breach, at least under certain circumstances. These laws have helped to alert businesses to the need for effective data security and, in many cases, have ensured that consumers receive important information when their data has been compromised. I commend the states' leadership in this area. At the same time, I can see significant advantages in having a uniform federal breach notification standard. Although there are many common elements, the state laws do vary to some extent on important issues. This variation may create consumer confusion and impose unnecessary compliance costs. For example, the question of when a breach triggers a notification requirement is answered differently by several states.
The President's Identity Theft Task Force, a consortium of 17 federal agencies, issued a strategic plan in April 2007 with 31 recommendations for actions to reduce the incidence and consequences of identity theft. One recommendation proposed that Congress establish national breach notification standards that would require notices when the breach creates a significant risk of identity theft. This trigger would ensure that notice goes to consumers only when the risk is real, recognizing that over-notification may be counterproductive for consumers. The Task Force further recommended that the national requirements preempt state data security laws, but allow for state enforcement of the federal standards. The Commission has supported this approach to the breach notification issue in the past and continues to do so.

IAPP: Consumer privacy has long been an issue for the FTC. But enforcement actions have been limited to cases of fraud or deception. Do you envision the FTC using the unfairness doctrine in a privacy case?

Chairman Kovacic: Most of the Commission's privacy and data security cases allege FTC Act Section 5 deception and/or violations of other statutes such as the Fair Credit Reporting Act or the Gramm-Leach-Bliley Act. We also have used our unfairness authority in a number of cases where the challenged conduct caused or was likely to cause substantial harm to consumers. For example, our action against CartManager (2005) alleged that the practice of an online shopping cart software seller harvesting and renting to third parties the personal information of the customers of the merchants using the software, which violated the merchants' privacy policies, was an unfair practice. The Gateway Learning case (2004) included an unfairness charge against a company that collected consumer information under a promise that it would not be shared with third parties, but later changed its privacy policy to allow such sharing and applied the new policy retroactively. We also have used an unfairness theory in several of our data security cases where the company failed to take reasonable steps to safeguard consumer information, resulting in a breach that caused or was likely to cause substantial consumer injury. These cases include BJ's Wholesale Club (2005), DSW (2005), CardSystems (2006), ChoicePoint (2006), and TJX Companies (2008). In addition, the FTC has used unfairness to challenge injurious practices involving spam, spyware, and "pretexting" (the use of false pretenses to obtain information about consumers).

IAPP: The FTC recently won a Privacy Innovation award for internal privacy practices at the Commission. (Congratulations!) How important is "walking the walk" to the FTC?

Chairman Kovacic: When it comes to protecting consumers' sensitive information, it is very important that we "walk the walk." I told our staff during FTC Privacy Week that, as the nation's consumer protection agency responsible for enforcing many privacy-related laws, we must not only meet the standards we set for the private sector, we must hold ourselves to an even higher standard. To that end, we have a robust, innovative privacy program at the FTC that ensures that our staff properly safeguard sensitive data throughout its life cycle—from the point of collection to proper disposal. Our Chief Privacy Officer reports directly to my Chief of Staff, and my office is involved in making sure that we have the resources in place to maintain our program. I think we've done a good job of creating a culture of privacy and security at the FTC, and I'm proud that the FTC received the 2008 IAPP Innovation Award for Privacy.

IAPP: Can you give us a preview of your keynote address at the IAPP Privacy Dinner?

Chairman Kovacic: I'll give you a short preview. I plan to discuss how the FTC's privacy program has evolved over time and I'll explain the agency's use of a variety of policy tools—enforcement, public consultations, research, advocacy, education, and rulemaking. I will highlight the importance of FTC staff continually acquiring knowledge about relevant technological and commercial developments so that we can develop thoughtful regulation. I also will discuss a few "hot topics" in the FTC's current privacy and data security program, such as behavioral advertising. Finally, since this is the IAPP, I will share with you how our in-house privacy professionals implement and manage our agency-wide privacy program.

Hear more from Chairman Kovacic at the IAPP Privacy Dinner on December 9 in Washington, DC.