Consumer protection agencies need privacy definitions

Internet privacy continues to be a major concern among Americans. In a recent study, the Annenberg School found that 69 percent of American adults feel there should be a law that gives people the right to know everything that a website knows about them; 92 percent of those surveyed believe there should be a law that requires “websites and advertising companies to delete all stored information about an individual,” if requested to do so; and 35 percent of the respondents believe that officials of companies that break these laws should serve jail time. These strong responses suggest that there is pent-up anger about the lack of transparency, control and respect for the use of personal information.

Therefore, it is surprising that in his recent op-ed on The Hill website (“Protecting consumer privacy online,” Jan. 11) the president of the Interactive Advertising Bureau, Randall Rothenberg, would not only continue to suggest that industry is adequately addressing all privacy concerns, but also would cite a report calling for greater law enforcement action in doing so.

Rothenberg misrepresents a joint report issued by the Center for Democracy & Technology (CDT) and Center for American Progress by suggesting that there was “only one case relating to privacy” out of the thousands of complaints filed in 2006 and 2007 with certain consumer protection bodies about online fraud. In reality, well over 25 percent of all fraud complaints from consumers (at least 511,775 individual consumer complaints as calculated by the Federal Trade Commission (FTC) from its Consumer Sentinel database) were “related to privacy.” Dozens of these complaints resulted in cases brought by state AGs and the FTC, but thousands more went unanswered. It is also clear that the consumer protection agencies did not have enough power to bring privacy cases where violations are occurring.

While a half-million complaints in two years obviously does not paint the self-regulatory success story Rothenberg may want legislators to see, it does highlight one major problem identified in the report: Consumer protection agencies are using different terms to identify the same types of complaints. What one agency calls a “spyware” complaint, another may call “identity theft” and a third may call simply “Internet fraud.” The consumer protection agencies cannot share information among themselves to prevent privacy violations if they can’t even agree on the basic terminology.

Based on this information, CDT has developed a privacy complaint tool to help consumers file complaints with state AGs, the FTC and with friends using a more standardized terminology. 

Congress could further address this problem in its efforts to address the growing concerns of Americans on privacy. It should enact a comprehensive privacy law that provides clear definitions that would allow the FTC to develop a more detailed complaint system for consumers that could be used by states and non-government consumer protection organizations. The law should be based on the fair information practices of transparency; individual participation; purpose specification; data minimization; use limitation; data quality and integrity; security; and accountability.

On this last point, Congress should grant enforcement power of this law to the FTC and state attorneys general and give consumers a limited private right of action in order to be able to address the wide range of complaints that agencies are receiving. In addition, Congress also needs to make sure that these enforcement bodies are communicating with each other.

Consumer concerns on privacy will continue to grow until we can be sure that we are addressing the basic complaints. If agencies cannot even tell each other what these complaints are, progress will not be possible.

Schwartz is vice president and COO of the Center for Democracy & Technology.