FTC Cautioned Against Heavy Privacy Rules

Facebook urged the FTC to pursue a “restrained approach” to enforcement of privacy issues that maximizes user control of privacy and promotes innovation, the company said. “Imposing burdensome privacy restrictions could limit Facebook’s ability to innovate, making it harder for Facebook to compete in a constantly evolving industry,” the company said. It’s essential that “do not track” mechanisms clearly define what “tracking” is prohibited, said Facebook. The social media company also advocated for the establishment of a Privacy Policy Office in the Commerce Department to ensure user privacy.

Google suggested that the commission’s framework incorporate transparency about how data is disclosed to third parties and provide flexibility in order to foster innovation in the industry. The commission’s framework should also distinguish between personally identifiable information and non-personally identifiable information, Google said. The company said it has “significant constitutional concerns” about the Electronic Privacy Communications Act and urged Congress to revise portions of the law that permit “government access to the content of communications with less than a warrant."

Microsoft suggested a “limited exception” for companies that collect, use, store, or disclose personal information from less than 5,000 consumers in any 12-month period and “use such information only for purposes that are reasonably necessary for the operation of the company.” The company supports an industry wide privacy by design principle, it said. However, businesses need flexibility not only for developing privacy programs, “but also in implementing privacy by design principles more broadly,” the company said. Microsoft urged the commission to “avoid imposing prescriptive requirements with respect to data retention periods or in further defining ’specific business purpose’ or ‘need.'” There are a number of legitimate business reasons for retaining and using consumer data, Microsoft added.

Data that isn’t linked to personal identifiers “should not be treated the same as data that are directly linked,” Yahoo said. What it called the commission’s over-broad definition “would cover non-personally identifiable information data in all cases.” The agency should realize that “data used for one purpose is often legitimately used for others in the same general category as well,” Yahoo said. “General uses should be disclosed to users, but the cost of being overly-specific about each use of data is that innovation on behalf of users could be unnecessarily encumbered, delayed or limited."

Zynga, the largest Facebook applications developer, supports privacy-by-design and self-regulatory best practices, it said. To be successful, privacy-by-design must incorporate access and accountability, TRUSTe said. It said it supports the application of the framework “to all entities that possess and use consumer data, regardless of whether they are a commercial entity or not.” NetChoice said it disagrees with FTC Chairman Jon Leibowitz’s proclamation that “self-regulation of privacy has not worked adequately and is not working adequately for American consumers.” NetChoice urged “continued industry self-regulation and increased enforcement of existing laws that prohibit unfair and deceptive practices.” Most commercial data “is collected to update interest categories that are not sensitive, such as a user’s interest in sports or politics,” the group said. “This non-sensitive data shouldn’t be subject to opt-in consent or detailed access and correction, even if it were linked to a specific computer or device."

USTelecom called for more centralized federal oversight of privacy matters. “The regulatory environment surrounding privacy in today’s digital marketplace is extremely complex with multiple government authorities at the federal and state levels,” it said. “Inconsistencies among different jurisdictions’ regulations or requirements or different agencies’ enforcement activities could introduce uncertainty into business planning.” That could lead to extra costs and limit investment in new technologies, the association said.

The center of the FTC’s framework should be “competitive neutrality,” and it should focus on privacy practices, not specific industry segments, USTelecom, NCTA and CTIA each said separately in comments. Inconsistencies already exist, USTelecom said, presenting the case of Communications Act-defined “cable operators” versus their over-the-top video counterparts. “While a local cable company must adhere to these significant privacy obligations, a non-infrastructure based company that delivers similar content over that local cable company’s broadband platform is under no such obligation,” USTelecom said.

Privacy rules should offer carriers flexibility and be neutral as to “technologies, business models and platforms,” CTIA said in its filing at the FTC. The rules should recognize “the complex mobile ecosystem” and take into account that mobile means more than just phones, the group said. “The scope of ‘mobile devices’ is rapidly expanding with increasing varieties of form factors and types of devices having connectivity such as notebook computers, tablets and e-readers,” CTIA said. “In addition, numerous machine-to-machine communication technologies are being developed -- some of which have no user interface at all, as the ‘Internet of Things’ progresses.”

NCTA said the FTC “should avoid endorsing privacy standards that vary according to an entity’s technology or role in the marketplace.” That could give certain online businesses artificial advantages over others, it said. “The framework should provide all entities involved in online advertising the opportunity to use any technology or approach, provided that it offers the necessary security and privacy for customers."

The FTC’s proposed framework could hurt broadcasters’ ability to make money online, thereby limiting stations’ ability to grow and serve the public, Belo Corp. and Gray TV said in separate comments. The Do Not Track proposal could restrict Belo’s ability to “produce content that local audiences want and need,” because it uses several cookie-based platforms to analyze user preferences and behavior on its sites, that company said. Cookies also help advertisers gain confidence in buying online ads because they allow audiences to be measured more accurately, Belo said. “Degrading the ability of cookies to measure audiences would reverse this effect, representing an additional, independent threat to online advertising revenue."

A misguided privacy framework could also restrict the ability of companies that broadcasters partner with to develop new technologies, Gray TV said. “Restrictions on online advertising, a prevailing driver of online revenue, would have a chilling effect on Internet innovation,” the company said. “Before taking any steps with respect to online advertising … the Commission should account for the consumer benefits that are supported by such advertising and support flexible industry self-regulation."

The FTC’s call for a Do Not Track mechanism is premature, Verizon and Verizon Wireless said jointly. “The FTC should first allow the industry to gain experience under the self-regulatory efforts” of the Interactive Ad Bureau and others, they said. Elements of the Do Not Track proposal are problematic, they said. Relying on an HTTP header extension mechanism would exclude Web communications that occur in applications outside of a browser, the companies said. “Where HTTP is not the communication format, the device protocols would have to be revised or extended to carry the equivalent information,” the two said, changes which would be difficult to implement given the scope of the mobile application software developer universe.