"So long as self-regulation is making forward progress, the FTC is not interested in regulating in this area," he told the National Cable & Telecommunications Association's Cable Show.
But, while industry executives undoubtedly are relieved to hear that, Leibowitz also issued some warnings to the online ad industry. Among other tidbits, he indicated that the FTC will consider privacy violations problematic even without proof of identity theft or other financial harm.
"In the FTC's more traditional consumer protection work, we often look to stop practices that cause consumers tangible harm. But wouldn't that miss a serious part of the value of privacy to consumers?" he asked. "How can we put a price on the unease of knowing that strangers out in cyberspace might be compiling detailed dossiers about you?"
That's significant because it appears to conflict with the where's-the-harm approach that ad executives long took regarding online privacy. To this day, some observers tend to approach online privacy as a security matter, arguing that users have no reason to worry about data that's collected as long as they're safe from identity theft.
But it's become increasingly clear that consumers do care about privacy separate and apart from online security. Just consider the pushback to Facebook's new instant personalization, which automatically shares users' names, photos and other information with Yelp, Microsoft Docs and Pandora.
Leibowitz also once again took aim at the incomprehensible privacy polices that have become commonplace online. "Each website gathering information for behavioral advertising needs to tell consumers that's what it is doing," he said, adding: "And by this, I do not mean another 3-point font, 10-page document written by corporate lawyers and buried deep within the site."
Additionally, he advised companies to obtain consumers explicit consent before obtaining sensitive data -- and to err on the side of caution when defining that term. "Health records, financial information, social security numbers, home addresses, anything at all about children -- these certainly comprise sensitive data. And in the gray areas beyond that, if you want to continue to self-regulate, you will need to be -- well -- sensitive to what others consider sensitive personal information."