The Federal Trade Commission continued to step up pressure on businesses that collect consumer data on Monday, issuing a long-awaited final report on online privacy that lays out new standards and calls on Congress to push through legislation.
Predictably, free-market observers said the regulators were overstepping their bounds – and privacy advocates said the commission didn't go far enough.
But there's little doubt about two things: Companies haven't done nearly enough on their own, as the series of recent privacy debacles underscored, and the commission under President Obama has adopted a far more aggressive stance on these issues than we've seen in years.
In 2011, the FTC slapped Google and Facebook for violating their own privacy policies, forcing both to submit to years of privacy audits. In February, the Obama administration issued a blueprint for a "Consumer Privacy Bill of Rights" and called on the Commerce Department, the FTC and Congress to help put the plan to work.
The report on Monday "is putting flesh on those privacy bones," said Jeff Chester, executive director of the Center for Digital Democracy. "They're putting companies on notice."
To be clear, the FTC doesn't create laws. Rather, the Federal Trade Commission Act gives the body the power to prevent "unfair or deceptive acts or practices in or affecting commerce." Typically, it has focused on the "deceptive" part of that phrase, suing or settling with companies that break their publicly stated promises to customers.
But several observers said this report suggests the commission might stand ready to flex its "unfair" muscles against companies that disregard the new standards.
"It carries this sort of basic hint that 'If companies ignore what we're saying, then we may come after you,' " said Lee Tien, senior staff attorney at the Electronic Frontier Foundation.
The guidelines that the FTC articulates can also be employed by state attorneys general, the European Commission and other regulators probing privacy invasions, Tien said.
The sprawling "privacy framework" covers lots of complicated and dry detail – including the amount of data collection that triggers the guidelines – but essentially it calls on businesses to give consumers simpler tools to protect their private data.
Among the high-level principles, the FTC said companies should disclose how they collect and use data and build in protections that keep information safe, such as limiting the amount collected and retained. In addition, it says consumers should have access to the data concerning them, and the power to decide what is shared and with whom.
The commission said plainly in the report that self-regulation efforts haven't done enough, and called on Congress to pass "baseline privacy legislation." The report also asks legislators to pass laws requiring businesses to notify customers of data breaches and allow them to access their own information held by so-called data brokers.
These are companies like Rapleaf or Experian that collect, analyze and sell consumer data to marketers.
There seems to be little appetite, however, for Congress to take up privacy laws in an election year. So, in the meantime, the FTC is nudging the industry on its own, saying staff will work with the industry to hash through the implementation of these standards.
"The Commission urges industry to accelerate the pace of its self-regulatory measures to implement the Commission's final privacy framework," the report reads. "Although some companies have excellent privacy and data security practices, industry as a whole must do better."
For instance, it's calling on data brokers to set up their own "centralized website" where they would identify themselves, describe their practices and clearly display the options consumers have to access their information. The FTC said it will also work with businesses on standards for mobile devices, "comprehensive tracking" by social networks, operating systems and more, and Do Not Track tools.
The latter is the one area where self-regulatory efforts made progress, the FTC said. The major browser companies have all agreed to implement Do Not Track tools, which allow consumers to ask companies not to monitor their online activity. But the FTC did provide some commentary on how that process should proceed.
Among other things, it says that a Do Not Track system "should go beyond simply opting consumers out of receiving targeted advertisements; it should opt them out of collection of behavioral data for all purposes other than those that would be consistent with the context of the interaction," such as preventing fraud.
It's a meaningful statement, because the Digital Advertising Alliance's self-regulation standards appear to allow it to continue to collect information for other purposes, including loosely defined things like market research and product development.
John Simpson, director of Consumer Watchdog's Privacy Project, said the FTC should have called for legislation on Do Not Track as well. But overall the report represents progress on data privacy, he said.
"The takeaway is, we at least seem to be moving forward," Simpson said. "All told, it's a net positive."