The Obama administration is pushing Congress to enact baseline privacy regulations, but for now, there are few rules governing how companies must treat people's private data.
Under Chairman Jon Leibowitz, the FTC has stepped into the void as the main government agency focused on online privacy protection.
In a speech earlier this year, Leibowitz referred to the FTC as the "nation’s privacy protection agency."
Chris Olsen, assistant director of the FTC's Division of Privacy and Identity Protection, said the agency "has always been very front and center in terms of protecting consumers on the Internet," though he acknowledged that privacy protection is a "priority" for Leibowitz.
Despite the lack of formal privacy laws, the FTC has used its consumer protection authority to go after companies that make promises in their privacy policies but fail to live up to them.
In the past year alone, the FTC has settled charges with Google, Facebook and, most recently, Myspace for violating their own privacy agreements. The agency also settled charges with Twitter in 2010 that the company had inadequate data protection standards.
Those cases all fell under the FTC's jurisdiction over "unfair or deceptive" trade practices.
The FTC imposed similar settlements on Google, Facebook and Myspace. In all three cases, the agency required the companies to adopt comprehensive privacy programs and to hire independent firms to conduct regular audits of their privacy practices for 20 years.
The settlements also bar the companies from misrepresenting their privacy practices going forward. Future violations could result in hefty penalties.
Olsen said the orders were much more than a slap on the wrist for the Web companies.
"Putting a company under order for 20 years so their activities are monitored is a substantial imposition that we've put in place," he said, adding that the settlements create "an incentive to take these issues seriously so they can avoid a monetary fine."
With orders against some of the largest online companies, the FTC has set up a regime to monitor their privacy practices and to impose aggressive penalties if they slip up again.
But Olsen noted that the privacy requirements are not industry-wide.
Major companies that collect sensitive information, such as Amazon, Apple and Yahoo, have no agreements with the FTC.
The FTC and the White House have urged Congress to pass legislation to set mandatory privacy standards for all Web companies.
In February, the White House announced its “Privacy Bill of Rights” — a set of principles about how companies should handle users' personal data.
The FTC is working with the Commerce Department and companies to develop detailed codes of conduct based on the White House's principles. The FTC would have the authority to sue companies that promise to abide by the codes but then violate them.
And in March, the FTC released its own long-awaited report on online privacy and promised to work with advertisers and Web browsers to implement a "Do Not Track" button to allow users to prevent advertisers from tracking their online activity.
But many Web companies and free-market advocates warn that aggressive privacy regulations will stifle innovation online and hurt consumers. Facebook and Google are able to offer their services for free because they use people's personal information to target advertisements at them.
Restricting those companies' ability to use their customers' information will only lead to fewer online services, according to critics.
Administration officials argue that mandatory privacy rules will help customers feel safe sharing their information with Web companies and will actually boost e-commerce.
The FTC's Olsen said privacy rules create "more consumer trust."
"We don't agree with the premise that innovation can occur only by sacrificing consumer privacy," he said.