At a
speech this week in Los Angeles, Federal Trade Commission Chairman Jon Leibowitz said that the agency has "great hopes" that a new
industry self-regulatory program will adequately protect consumers' privacy.
"So long as self-regulation is making forward progress, the FTC is not interested in regulating in this area," he
told the National Cable & Telecommunications Association's Cable Show.
But, while industry executives undoubtedly are relieved to hear that, Leibowitz also issued some warnings to the
online ad industry. Among other tidbits, he indicated that the FTC will consider privacy violations problematic even without proof of identity theft or other financial harm.
"In the FTC's
more traditional consumer protection work, we often look to stop practices that cause consumers tangible harm. But wouldn't that miss a serious part of the value of privacy to consumers?" he asked.
"How can we put a price on the unease of knowing that strangers out in cyberspace might be compiling detailed dossiers about you?"
That's significant because it appears to conflict with the
where's-the-harm approach that ad executives long took regarding online privacy. To this day, some observers tend to approach online privacy as a security matter, arguing that users have no reason to
worry about data that's collected as long as they're safe from identity theft.
But it's become increasingly clear that consumers do care about privacy separate and apart from
online security. Just consider the pushback to Facebook's new instant personalization, which automatically shares users' names, photos and other information with Yelp, Microsoft Docs and Pandora.
Leibowitz also once again took aim at the incomprehensible privacy polices that have become commonplace online. "Each website gathering information for behavioral advertising needs to tell
consumers that's what it is doing," he said, adding: "And by this, I do not mean another 3-point font, 10-page document written by corporate lawyers and buried deep within the site."
Additionally, he advised companies to obtain consumers explicit consent before obtaining sensitive data -- and to err on the side of caution when defining that term. "Health records, financial
information, social security numbers, home addresses, anything at all about children -- these certainly comprise sensitive data. And in the gray areas beyond that, if you want to continue to
self-regulate, you will need to be -- well -- sensitive to what others consider sensitive personal information."