FTC Commissioner Julie Brill on Online Privacy and Data Security
Over the past few years many of my clients have been involved in the digital advertising industry. When I learned that FTC Commissioner Julie Brill would be speaking at Harvard’s Berkman Center for Internet & Society I was curious to hear her thoughts on consumer protection, privacy policies and the idea of consent and the rules vs. standards approach to protecting online privacy.
In both cases, the FTC borrowed concepts from the remedies it had developed and imposed around data security in the past. Both Facebook and Google were required to implement full-blown privacy programs that will be audited for 20 years by an independent third-party.
Back in the 2000s, much of the focus on privacy was related to data security and data breaches. Today the emphasis has shifted to the inappropriate use of consumer information. In this context, Brill was asked about consumers’ apparent resignation to compromised privacy.
On the topic of consent, Brill said companies posted their privacy policies with the assumption that by clicking OK or ticking the box the user had agreed. Companies have left this issue to their legal departments and have asked them to come up with policies that will keep them out of trouble.
She believes we need a new concept of consent, one that is accessible, quick and understandable. There will always be a place for full-blown privacy policies but consumers need much simpler “just-in-time” information that is relevant to what they are doing. Do Not Track (DNT) is an example of the type of tools consumers need – and that the industry is starting to provide; but there is room for improvement.
Brill says that consent needs to be about more than giving notice and choice. Companies need to start building privacy into their products. The industry needs privacy by design. This means not making things so hard for consumers. It can’t just be for show though; the tools for understanding need to be accessible but real privacy still needs to be in place and available even if under the hood.
The always-engaging Jonathan Zittrain had an interesting question for Brill. He was curious about rules vs. standards; and how well she thought the agency reflected the vision of Brandeis as politically independent but flexible and responsive to a complex and changing world.
Brill believes the standard approach is a wonderful and flexible tool. The differences between rules and standards become really visible when looking at the EU and US privacy regimes. The EU is far more rules focused and as a result of the differences between the two approaches (and the fact that they do not view of standards approach as adequate) the flow of data isn’t free and relies on a safe harbor model to function.
The FTC takes the view that the agency does a good job of protecting privacy based on its application of standards that have grown up around a common law understanding of privacy. As a result, the FTC is very careful in its case selection. Cases are chosen that will communicate important information and lessons to industry. Each of these cases sends an important message to the industry as a whole and corporate privacy people and groups pay close attention.
To further help the industry understand the current environment, the FTC has just issued its report: Protecting Consumer Privacy in an Era of Rapid Change.