
The Privacy Advisor Interviews Federal Trade Commission Chairman Deborah Platt Majoras, Winner of the IAPP's 2007 Privacy Leadership Award, About Her Priorities and Accomplishments

The Privacy Advisor (TPA):
How would you describe the Federal Trade Commission's (FTC's) approach to consumer privacy under your leadership?

Our work on consumer privacy has been and remains a top priority, and I would describe it as active and multi-faceted. The explosive growth of the Internet and the development of sophisticated computer systems and databases has made it easier than ever for companies to gather and use information about their customers. These systems can have tremendous benefits for consumers, but they can also increase their exposure to harm. Our approach to privacy focuses on preventing and addressing harm to consumers from the misuse of their sensitive data, from spyware and related downloads, and from other unlawful practices. In our privacy work, we combine aggressive law enforcement, consumer and business education, partnerships with other agencies and the private sector, and ongoing evaluation and learning.

Since 2001, we have brought 14 cases against businesses that have failed to provide reasonable data security to protect sensitive consumer information. Since 1997, when the FTC brought its first case involving spam, the FTC has aggressively pursued deceptive and unfair practices in spam through 89 law enforcement actions, 26 of which were filed after Congress enacted the CAN-SPAM Act. The Commission also has brought 10 law enforcement actions against spyware distributors. Further, the FTC has filed 11 civil penalty actions and has obtained more than $1.8 million in civil penalties, settling allegations of violations of the Children's Online Privacy Protection Act (COPPA). We also continue to bring cases against telemarketers that fail to comply with the National Do Not Call Registry and against companies and individuals that obtain and sell consumers' confidential telephone records to third parties.

Consumers are the first line of defense against the misuse of their personal information, and educating consumers is essential in eliminating privacy risks and the resulting harm. The FTC's nationwide identity theft education program, "Avoid ID Theft: Deter, Detect, Defend," teaches consumers that they can DETER identity thieves by safeguarding their personal information; DETECT suspicious activity by routinely monitoring their financial accounts, billing statements, and credit reports; and DEFEND against ID theft as soon as they suspect it.
The Deter, Detect, Defend campaign has been very popular - we have distributed more than 1.5 million brochures and 30,000 kits that organizations can use to educate their employees, their customers, and their communities about how to minimize their risk of identity theft.

Our consumer education efforts are just one example of our partnerships with public and private sector entities in the area of privacy. We also are partnering with 17 other federal agencies as part of the President's Identity Theft Task Force, which already has made interim recommendations and will be issuing final recommendations soon.

Evaluation and Learning: We strive to develop policies and execute our work in a way that is balanced, thoughtful and informed. One example of how we stay informed and anticipate the future is through public workshops. In April, we will host a workshop to explore better methods for authenticating individuals, as limitations in current authentication methods have created opportunities for identity thieves to open new accounts and to use stolen identities.

In November last year, the FTC held a series of hearings on "Protecting Consumers in the Next Tech-ade." After hearing the testimony of various privacy and security experts, what threatens consumer privacy the most in the coming Tech-ade?

In my view, the greatest threat to consumers in the next decade does not appear likely to come from any one particular technology or practice.
Instead, it is likely to arise from the cumulative effect of collecting, using and storing massive amounts of information, especially where increased data mobility exacerbates the risk that it will fall into the wrong hands. Technological advances in data storage, such as perpendicular storage, will allow massive amounts of data to be stored. Experts at the Tech-ade hearings predicted that a decade from now we will be storing between 10 and 100 times the amount of data that we store today. At the hearings, we heard about a wide range of technologies and practices that will require the collection and use of large amounts of information, including some very sensitive information. We also heard that information will be increasingly mobile, flowing across borders and from device to device.
At the FTC, we have emphasized the need for a "culture of security" to respond to data security risks. What I heard at the Tech-ade hearings convinces me that the need to create such a culture is real and growing.

What steps, if any, does the FTC plan to take in the aftermath of the hearings?

We intend to issue an FTC staff report describing what we heard and analyzing upcoming challenges for the FTC. This report, however, is just the beginning. In November 2007, we will host a series of Town Hall meetings around the country to supplement and build on some of the key topics discussed at the hearings. After these meetings and the FTC staff's own internal strategic planning process, we will announce a Technology Research and Policy Development Plan for 2008. This Tech R & D Plan will include all of the hearings, workshops and similar events related to technology that we intend to hold during the year.

TPA: New security breaches already have affected millions of consumers in 2007. Does the FTC support a national security breach notification law, and if so, what elements are essential and what proposed mechanisms are unnecessary?

I support a national data breach notification law that would require notice to consumers when their sensitive personal information has been breached in a way that creates a significant risk of identity theft. Notice can help consumers prevent or mitigate harm resulting from a data breach by allowing them to take precautions, such as monitoring their accounts more closely, closing their accounts, or placing fraud alerts on their credit reports. Notice also alerts consumer reporting agencies and law enforcement so that they can take appropriate actions to assist consumers in preventing identity theft. Notification, however, makes sense only when it is useful to consumers, and not in situations involving insignificant risks.

I also support legislation that requires companies that maintain sensitive consumer information to have reasonable security procedures in place. I have testified several times on these issues, urging Congress to use caution in passing any new laws, so that in an effort to safeguard data we do not inhibit consumers' commercial transactions.

TPA: Behavioral targeting online is an issue that continues to get a lot of public attention. Without commenting on any specific investigation, what can regulators do to protect consumers and what should consumers consider when it comes to protecting their privacy online?

Online behavioral marketing is the practice of obtaining information about consumers' online behavior in order to provide advertising targeted to a consumer's particular interests or preferences, while decreasing the volume of unwanted or irrelevant advertising shown to them. Behavioral targeting is generally accomplished by advertisers or ad networks placing cookies on consumers' computers when they visit Web sites. This practice has certain efficiencies for commerce and consumers, but it may also raise privacy concerns, particularly in those instances where personally identifiable or sensitive health or financial information might be collected and/or combined with other data.

As a law enforcement agency, the Commission can take action to halt unfair or deceptive acts or practices, such as when a company misrepresents its information collection practices or fails to adequately secure personally identifiable information. Additionally, consumers who prefer to limit the online collection of information about themselves and limit their receipt of targeted advertising can do so by installing software to block the download of certain types of cookies onto their computers or by periodically removing or emptying the contents of cookies placed on their computers by Web site operators or ad servers.

The FTC has sent some strong messages with enforcement actions that have included record penalties. With the Commission's broad enforcement authority, what are the priorities for the coming year?

Our priorities include continuing our program to bolster data security and reduce identity theft; to attack spyware; to eliminate pretexting; to support the National Do Not Call Registry through vigilant enforcement; and to protect children through aggressive COPPA enforcement.

Data Security and Identity Theft:
The Commission's ultimate goal is to protect consumers from identity theft. We will continue to devote substantial resources to educating consumers and businesses and bringing law enforcement actions against companies that fail to take reasonable steps to protect sensitive consumer information. More specifically, the Identity Theft Task Force is in the process of preparing a final strategic plan and recommendations that we hope to release in the near future. The FTC is publishing a general data security business education guide designed to assist different types of businesses in addressing data security issues. And on April 23 and 24, the FTC will host a workshop to explore better methods for authenticating individuals, as limitations in current authentication methods have created opportunities for identity thieves to open new accounts and to use stolen identities.

The Commission's spyware cases will continue to reaffirm three key principles. First, a consumer's computer belongs to him or her, not the software distributor. Second, buried disclosures do not work, just as they do not work in more traditional areas of commerce. And third, if a distributor puts a program on a consumer's computer that the consumer does not want, the consumer must be able to uninstall or disable it.

Spam: The FTC continues to devote resources to fighting spam. The Commission is aware of email filtering companies' recent reports that the amount of spam they process is rising and is studying whether this increase has resulted in a change in the amount of spam actually reaching consumers. The Commission's recent experience suggests that spam is being used increasingly as a vehicle for more pernicious conduct, such as phishing, viruses and spyware. In the coming months, as a follow-up to its initial Spam Forum of 2003, the FTC will host a workshop to examine how spam has changed and what stakeholders can do to address it.

Telephone Records Pretexting:
The Commission's efforts against phone pretexting are ongoing. In addition to our own pending cases and investigations, we expect to develop criminal law enforcement referrals in light of the recently passed Telephone Records and Privacy Protection Act.

Children's Online Privacy Protection Act (COPPA):
The Commission's most recent action was filed in September 2006 against operators of the social networking Web site Xanga.com, in which the Commission obtained a civil penalty of $1 million, the largest civil penalty amount obtained by the Commission in a COPPA Rule violation case. The Commission will continue to enforce COPPA vigorously, as well as Section 5 of the FTC Act, in matters relating to children's online privacy. With more mobile content being accessed through wireless Internet devices, the Commission will monitor the collection of personal information from children via mobile devices to assess compliance with COPPA.

What is the latest on efforts to amend the Telemarketing Sales Rule? How will those proposed changes affect consumers?

In 2004, the FTC issued a Notice of Proposed Rulemaking that would have amended the TSR to allow the use of prerecorded messages in calls to consumers with whom the seller had an established business relationship if the consumer could easily assert a company-specific do-not-call request. In October 2006, the FTC rejected the proposed amendment, based in part upon widespread consumer opposition. In its October 2006 ruling, the FTC also noted its concern that if the proposal were approved, the use of low-cost prerecorded message telemarketing, coupled with the use of cheap new technologies, such as Voice over Internet Protocol (VoIP), likely would prompt a surge in prerecorded calls. In that event, consumers would be in much the same position as they were before creation of the National Do Not Call Registry - having to ask telemarketers, one-by-one, not to call again.
In the October notice, the Commission proposed a new TSR amendment clarifying that the "call abandonment" provisions of the TSR prevent sellers and telemarketers from delivering a prerecorded message when a consumer answers a telemarketing call, except in limited circumstances. Some 630 comments were received on this proposal prior to the close of the public comment period on December 18, 2006, and Commission staff is now reviewing these comments from consumers and businesses. A decision on this matter is anticipated in the coming months.

What message do you have for privacy professionals?

You are the front line in our efforts to protect consumers' sensitive information. Consumers expect your companies to protect this data, and I am counting on you to create a culture of security at your companies and across the private sector. Data security cannot be an afterthought; it must be integrated into business models and methods. You, and the companies you serve, must strive to balance the need to protect consumers' information from loss and misuse with the need to efficiently carry out your corporate mission. Safeguarding consumers' sensitive data not only is the law, it is the right thing to do and makes good business sense.

