
The Privacy Advisor Interviews Federal Trade Commission Chairman Deborah Platt Majoras, Winner of the IAPP's 2007 Privacy Leadership Award, About Her Priorities and Accomplishments

The Privacy Advisor (TPA):
How would you describe the Federal Trade Commission's (FTC's) approach to consumer privacy under your leadership?

Our work on consumer privacy has been and remains a top priority, and I would describe it as active and multi-faceted. The explosive growth of the Internet and the development of sophisticated computer systems and databases has made it easier than ever for companies to gather and use information about their customers. These systems can have tremendous benefits for consumers, but they can also increase their exposure to harm. Our approach to privacy focuses on preventing and addressing harm to consumers from the misuse of their sensitive data, from spyware and related downloads, and from other unlawful practices. In our privacy work, we combine aggressive law enforcement, consumer and business education, partnerships with other agencies and the private sector, and ongoing evaluation and learning.

Since 2001, we have brought 14 cases against businesses that have failed to provide reasonable data security to protect sensitive consumer information. Since 1997, when the FTC brought its first case involving spam, the FTC has aggressively pursued deceptive and unfair practices in spam through 89 law enforcement actions, 26 of which were filed after Congress enacted the CAN-SPAM Act. The Commission also has brought 10 law enforcement actions against spyware distributors. Further, the FTC has filed 11 civil penalty actions and has obtained more than $1.8 million in civil penalties, settling allegations of violations of the Children's Online Privacy Protection Act (COPPA). We also continue to bring cases against telemarketers that fail to comply with the National Do Not Call Registry and against companies and individuals that obtain and sell consumers' confidential telephone records to third parties.

Consumers are the first line of defense against the misuse of their personal information, and educating consumers is essential in eliminating privacy risks and the resulting harm. The FTC's nationwide identity theft education program, "Avoid ID Theft: Deter, Detect, Defend," teaches consumers that they can DETER identity thieves by safeguarding their personal information; DETECT suspicious activity by routinely monitoring their financial accounts, billing statements, and credit reports; and DEFEND against ID theft as soon as they suspect it.
The Deter, Detect, Defend campaign has been very popular - we have distributed more than 1.5 million brochures and 30,000 kits that organizations can use to educate their employees, their customers, and their communities about how to minimize their risk of identity theft.

Our consumer education efforts are just one example of our partnerships with public and private sector entities in the area of privacy. We also are partnering with 17 other federal agencies as part of the President's Identity Theft Task Force, which already has made interim recommendations and will be issuing final recommendations soon.

Evaluation and Learning: We strive to develop policies and execute our work in a way that is balanced, thoughtful and informed. One example of how we stay informed and anticipate the future is through public workshops. In April, we will host a workshop to explore better methods for authenticating individuals, as limitations in current authentication methods have created opportunities for identity thieves to open new accounts and to use stolen identities.

In November last year, the FTC held a series of hearings on "Protecting Consumers in the Next Tech-ade." After hearing the testimony of various privacy and security experts, what threatens consumer privacy the most in the coming Tech-ade?

In my view, the greatest threat to consumers in the next decade does not appear likely to come from any one particular technology or practice.
Instead, it is likely to arise from the cumulative effect of collecting, using and storing massive amounts of information, especially where increased data mobility exacerbates the risk that it will fall into the wrong hands. Technological advances in data storage, such as perpendicular storage, will allow massive amounts of data to be stored. Experts at the Tech-ade hearings predicted that a decade from now we will be storing between 10 and 100 times the amount of data that we store today. At the hearings, we heard about a wide range of technologies and practices that will require the collection and use of large amounts of information, including some very sensitive information. We also heard that information will be increasingly mobile, flowing across borders and from device to device.
At the FTC, we have emphasized the need for a "culture of security" to respond to data security risks. What I heard at the Tech-ade hearings convinces me that the need to create such a culture is real and growing.

What steps, if any, does the FTC plan to take in the aftermath of the hearings?

We intend to issue an FTC staff report describing what we heard and analyzing upcoming challenges for the FTC. This report, however, is just the beginning. In November 2007, we will host a series of Town Hall meetings around the country to supplement and build on some of the key topics discussed at the hearings. After these meetings and the FTC staff's own internal strategic planning process, we will announce a Technology Research and Policy Development Plan for 2008. This Tech R & D Plan will include all of the hearings, workshops and similar events related to technology that we intend to hold during the year.

TPA: New security breaches already have affected millions of consumers in 2007. Does the FTC support a national security breach notification law, and if so, what elements are essential and what proposed mechanisms are unnecessary?

I support a national data breach notification law that would require notice to consumers when their sensitive personal information has been breached in a way that creates a significant risk of identity theft. Notice can help consumers prevent or mitigate harm resulting from a data breach by allowing them to take precautions, such as monitoring their accounts more closely, closing their accounts, or placing fraud alerts on their credit reports. Notice also alerts consumer reporting agencies and law enforcement so that they can take appropriate actions to assist consumers in preventing identity theft. Notification, however, makes sense only when it is useful to consumers, and not in situations involving insignificant risks.

I also support legislation that requires companies that maintain sensitive consumer information to have reasonable security procedures in place. I have testified several times on these issues, urging Congress to use caution in passing any new laws, so that in an effort to safeguard data we do not inhibit consumers' commercial transactions.

TPA: Behavioral targeting online is an issue that continues to get a lot of public attention. Without commenting on any specific investigation, what can regulators do to protect consumers and what should consumers consider when it comes to protecting their privacy online?

Online behavioral marketing is the practice of obtaining information about consumers' online behavior in order to provide advertising targeted to a consumer's particular interests or preferences, while decreasing the volume of unwanted or irrelevant advertising shown to them. Behavioral targeting is generally accomplished by advertisers or ad networks placing cookies on consumers' computers when they visit Web sites. This practice has certain efficiencies for commerce and consumers, but it may also raise privacy concerns, particularly in those instances where personally identifiable or sensitive health or financial information might be collected and/or combined with other data.

As a law enforcement agency, the Commission can take action to halt unfair or deceptive acts or practices, such as when a company misrepresents its information collection practices or fails to adequately secure personally identifiable information. Additionally, consumers who prefer to limit the online collection of information about themselves and limit their receipt of targeted advertising can do so by installing software to block the download of certain types of cookies onto their computers or by periodically removing or emptying the contents of cookies placed on their computers by Web site operators or ad servers.

The FTC has sent some strong messages with enforcement actions that have included record penalties. With the Commission's broad enforcement authority, what are the priorities for the coming year?

Our priorities include continuing our program to bolster data security and reduce identity theft; to attack spyware; to eliminate pretexting; to support the National Do Not Call Registry through vigilant enforcement; and to protect children through aggressive COPPA enforcement.

Data Security and Identity Theft:
The Commission's ultimate goal is to protect consumers from identity theft. We will continue to devote substantial resources to educating consumers and businesses and bringing law enforcement actions against companies that fail to take reasonable steps to protect sensitive consumer information. More specifically, the Identity Theft Task Force is in the process of preparing a final strategic plan and recommendations that we hope to release in the near future. The FTC is publishing a general data security business education guide designed to assist different types of businesses in addressing data security issues. And on April 23 and 24, the FTC will host a workshop to explore better methods for authenticating individuals, as limitations in current authentication methods have created opportunities for identity thieves to open new accounts and to use stolen identities.

The Commission's spyware cases will continue to reaffirm three key principles. First, a consumer's computer belongs to him or her, not the software distributor. Second, buried disclosures do not work, just as they do not work in more traditional areas of commerce. And third, if a distributor puts a program on a consumer's computer that the consumer does not want, the consumer must be able to uninstall or disable it.

Spam: The FTC continues to devote resources to fighting spam. The Commission is aware of email filtering companies' recent reports that the amount of spam they process is rising and is studying whether this increase has resulted in a change in the amount of spam actually reaching consumers. The Commission's recent experience suggests that spam is being used increasingly as a vehicle for more pernicious conduct, such as phishing, viruses and spyware. In the coming months, as a follow-up to its initial Spam Forum of 2003, the FTC will host a workshop to examine how spam has changed and what stakeholders can do to address it.

Telephone Records Pretexting:
The Commission's efforts against phone pretexting are ongoing. In addition to our own pending cases and investigations, we expect to develop criminal law enforcement referrals in light of the recently passed Telephone Records and Privacy Protection Act.

Children's Online Privacy Protection Act (COPPA):
The Commission's most recent action was filed in September 2006 against operators of the social networking Web site Xanga.com, in which the Commission obtained a civil penalty of $1 million, the largest civil penalty amount obtained by the Commission in a COPPA Rule violation case. The Commission will continue to enforce COPPA vigorously, as well as Section 5 of the FTC Act, in matters relating to children's online privacy. With more mobile content being accessed through wireless Internet devices, the Commission will monitor the collection of personal information from children via mobile devices to assess compliance with COPPA.

What is the latest on efforts to amend the Telemarketing Sales Rule? How will those proposed changes affect consumers?

In 2004, the FTC issued a Notice of Proposed Rulemaking that would have amended the TSR to allow the use of prerecorded messages in calls to consumers with whom the seller had an established business relationship if the consumer could easily assert a company-specific do-not-call request. In October 2006, the FTC rejected the proposed amendment, based in part upon widespread consumer opposition. In its October 2006 ruling, the FTC also noted its concern that if the proposal were approved, the use of low-cost prerecorded message telemarketing, coupled with the use of cheap new technologies, such as Voice over Internet Protocol (VoIP), likely would prompt a surge in prerecorded calls. In that event, consumers would be in much the same position as they were before creation of the National Do Not Call Registry - having to ask telemarketers, one-by-one, not to call again.
In the October notice, the Commission proposed a new TSR amendment clarifying that the "call abandonment" provisions of the TSR prevent sellers and telemarketers from delivering a prerecorded message when a consumer answers a telemarketing call, except in limited circumstances. Some 630 comments were received on this proposal prior to the close of the public comment period on December 18, 2006, and Commission staff is now reviewing these comments from consumers and businesses. A decision on this matter is anticipated in the coming months.

What message do you have for privacy professionals?

You are the front line in our efforts to protect consumers' sensitive information. Consumers expect your companies to protect this data, and I am counting on you to create a culture of security at your companies and across the private sector. Data security cannot be an afterthought; it must be integrated into business models and methods. You, and the companies you serve, must strive to balance the need to protect consumers' information from loss and misuse with the need to efficiently carry out your corporate mission. Safeguarding consumers' sensitive data not only is the law, it is the right thing to do and makes good business sense.

