FTC Online Privacy Advisory Committee Holds First Meeting
The Federal Trade Commission's Advisory Committee on Online Access and Security held its first meeting, on February 4, as it happened only a week before the "denial of service” hacker attacks commenced on leading websites. The FTC's panel, consisting of 40 members from online industry, consumer groups, and academia, is tasked with developing a range of recommendations regarding two components of "fair information practices” for domestic commercial websites:
- what constitutes "reasonable access” by consumers to data collected from and about consumers; and
- what protective steps taken by the collector would provide "adequate security” for that information.
The focus on consumer access and information security is significant, for it suggests that the FTC believes that the first two elements of its "fair online information practices” — notice that information is being collected and consumer choice as to whether to provide personal information— are generally well understood. Indeed, FTC Chairman Robert Pitofsky stated that general agreement exists regarding these elements. However, much less work has been done to date on access and security. The purpose of the Advisory Committee is to develop options as to these components.
In framing alternative approaches for access and security, the Advisory Committee is expected to consider issues such as what data is regarded as sensitive, whether the extent of consumer access provided by websites should vary with the sensitivity of the consumer's personal information, the relevance of the costs of providing access, and consumer access rights to commingled online and offline data. Not surprisingly, the Committee displayed viewpoints on both access and security, indicating the complexity of the work that lies ahead.
The Committee will also consider, as part of a cost-benefit analysis, suggestions that in jurisdictions, such as Europe, where access is generally required, few consumers tend to seek it. It may also consider whether efforts to promote access are inconsistent with security objectives.
The Committee has subdivided itself into a series of working groups, and has set as its goal the completion of a report to the Commission by May 15, 2000. The Committee's February 25 meeting considered preliminary draft outlines submitted by subgroups on issues related to "reasonable access” and to "adequate security.” Parties interested in submitting comments to the Committee for its consideration may do so at any time. Information on Committee structure and activities is presented on its Web site: http://www.ftc.gov/access/acoas.
During the Committee's deliberations, the FTC will also be conducting its annual "privacy sweep” of website privacy policies. The FTC intends for the sweep to help identify what practices websites are currently following. The sweep, together with the recommendations of the Advisory Committee, will receive significant weight when the FTC considers whether to recommend that Congress enact online privacy legislation this year.