FTC fair information practice: Difference between revisions

Content deleted Content added

Inline

Revision as of 20:48, 23 April 2009

The United States Federal Trade Commission's Fair Information Practice Principles (FIPs)^[1] are guidelines that represent widely-accepted concepts concerning fair information practices in an electronic marketplace.

Introduction

The FTC Fair Information Practice Principles are the result of the Commission's inquiry into the manner in which online entities collect and use personal information and safeguards to assure those practices are fair and provide adequate information privacy protection. The FTC has been studying online privacy issues since 1995, and in its 1998 report,^[2] the Commission described the widely-accepted Fair Information Practice Principles of Notice, Choice, Access, and Security.^[1] The Commission also identified Enforcement, the use of a reliable mechanism to provide sanctions for noncompliance as a critical component of any governmental or self-regulatory program to protect online privacy.

History and Development

Fair Information Practices were initially proposed and named^[3] by the US Secretary's Advisory Committee on Automated Personal Data Systems in a 1973 report, Records, Computers and the Rights of Citizens,^[4] issued in response to the growing use of automated data systems containing information about individuals. The central contribution of the Advisory Committee was the development of a code of fair information practices for automated personal data systems. The Privacy Protection Study Commission also may have contributed to the development of FIPs principles in its 1977 report, Personal Privacy in an Information Society.^[5]

As privacy laws spread to other countries in Europe, international institutions took up privacy with a focus on the international implications of privacy regulation. In 1980, the Council of Europe adopted a Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data.^[6] At the same time, the Organisation for Economic Cooperation and Development (OECD) proposed similar privacy guidelines in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.^[7] Both the Council of Europe Convention and the OECD Guidelines relied on FIPs as core principles, although neither document used the term. Both organizations revised and extended the original U.S. statement of FIPs, with the OECD Privacy Guidelines being the version most often cited in subsequent years.^[8]

The FTC Fair Information Practice Principles

The core principles of privacy addressed by these principles are:

1. Notice/Awareness Consumers should be given notice of an entity's information practices before any personal information is collected from them. This includes an explicit statement regarding:

identification of the entity collecting the data; identification of the uses to which the data will be put;
identification of any potential recipients of the data;
the nature of the data collected and the means by which it is collected;
whether the provision of the requested data is voluntary or required;
the steps taken by the data collector to ensure the confidentiality, integrity and quality of the data.

2. Choice/Consent Giving consumers options as to how any personal information collected from them may be used. Specifically, choice relates to secondary uses of information -- uses beyond those necessary to complete the contemplated transaction. The two typical types of choice models are 'opt-in' or 'opt-out'. Opt-in requires affirmative steps by the consumer to allow the collection and/or use of information; opt-out requires affirmative steps to prevent the collection and/or use of such information. The distinction lies in the default rule when no affirmative steps are taken by the consumer.

3. Access/Participation An individual's ability both to access data an entity has collected on himself and to contest that data's accuracy and completeness.

4. Integrity/Security Data should be accurate and secure. Collectors must take reasonable steps, such as using only reputable sources of data and cross-referencing data against multiple sources, providing consumer access to data, and destroying untimely data or converting it to anonymous form.

5. Enforcement/Redress Enforcement mechanisms to ensure compliance with core fair information practice principles. Among the possible enforcement approaches are industry self-regulation; legislation that would create private remedies for consumers; and/or regulatory measures enforceable through civil and criminal sanctions.

Enforcing the Principles

Currently the FTC version of the Fair Information Principles are only recommendations for maintaining privacy-friendly, consumer-oriented data collection practices, and are not enforceable by law. The enforcement of and adherence to these principles is currently therefore exclusively self-regulatory within industry. Because self-regulatory initiatives fall far short of an ideal implementation of the principles, the Commission recommends that the United States Congress enact legislation that, in conjunction with continuing self-regulatory programs, will ensure adequate protection of consumer privacy online.

The legislation recommended by the Commission would set forth a basic level of privacy protection for consumer-oriented commercial Web sites and would establish basic standards of practice for the collection of information online. Consumer-oriented commercial Web sites that collect personal identifying information from or about consumers online would be required to comply with the four widely-accepted fair information practices.^[8]

Alternate Proposals Regarding 'Fair Information'

Alternate proposals regarding the fair use of consumer information online have been presented by such organizations as the Organisation for Economic Co-operation and Development (OECD) The OECD principles are thought to be more comprehensive and provide added protections via the Individual Participation principle where specific requirements are made for access and modification of personally collected information by the individual and the Accountability principle (a data controller should be accountable for complying with measures which give effect to the principles stated above).^[9]

Criticism of the FTC Principles

Robert Gellman, a DC-based privacy and information policy consultant, suggests the FIPs are much less comprehensive in scope than laws in some other countries in. In Fair Information Practices: A Basic History he suggests the FTC's 2000 version of FIPs is shorter and less complete than a version issued by the Privacy Office at the Department of Homeland Security in 2008, which includes eight principles that match up closely with the OECD version. Gellman also says some in the privacy community believe that FIPs are too weak, allow too many exemptions, do not require a privacy agency, fail to account for the weaknesses of self-regulation, and have not kept pace with information technology. Critics from a business perspective often prefer to limit FIPs to reduced elements of notice, consent, and accountability. They complain that other elements are unworkable, expensive, or inconsistent with openness or free speech principles.

Many privacy experts have called for omnibus privacy protection legislation in the US. However, the Principles have formed the basis of many individual laws at the both federal and state levels -- called the "sectoral approach." Examples are the Fair Credit Reporting Act, the Right to Financial Privacy Act, the Electronic Communications Privacy Act, and the Video Privacy Protection Act.^[10]

References

^ ^a ^b Federal Trade Commission, Fair Information Practice Principles (FIPs).
^ Federal Trade Commission, Privacy Online: A Report to Congress (June 1998).
^ US Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens, Chapter IV: Recommended Safeguards for Administrative Personal Data Systems (1973).
^ US Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens (1973).
^ Privacy Protection Study Commission, Personal Privacy in an Information Society (July 1977).
^ Council of Europe,Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Jan. 28, 1981).
^ Organisation for Economic Cooperation and Development (OECD), OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (Sep. 23, 1980).
^ ^a ^b Robert Gellman, Fair Information Practices: A Basic History (Dec. 31, 2008).
^ Pam Dixon, A Brief Introduction to Fair Information Practices World Privacy Forum (June 5, 2006).
^ Beth Givens, A Review of the Fair Information Principles : The Foundation of Privacy Public Policy (posted 1997, updated 2004).

External links

[FTCFIPS-1] Federal Trade Commission, Fair Information Practice Principles (FIPs).

[2] Federal Trade Commission, Privacy Online: A Report to Congress (June 1998).

[3] US Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens, Chapter IV: Recommended Safeguards for Administrative Personal Data Systems (1973).

[4] US Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens (1973).

[5] Privacy Protection Study Commission, Personal Privacy in an Information Society (July 1977).

[6] Council of Europe,Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Jan. 28, 1981).

[7] Organisation for Economic Cooperation and Development (OECD), OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (Sep. 23, 1980).

[gellman-8] Robert Gellman, Fair Information Practices: A Basic History (Dec. 31, 2008).

[9] Pam Dixon, A Brief Introduction to Fair Information Practices World Privacy Forum (June 5, 2006).

[10] Beth Givens, A Review of the Fair Information Principles : The Foundation of Privacy Public Policy (posted 1997, updated 2004).

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

@@ Line 54: / Line 54: @@
 == See also ==
 * [[Federal Trade Commission]]
+* [[Code of Fair Information Practice]]
 * [[Information protection policy]]
 * [[Information security]]

v t e Privacy
Principles	Right of access to personal data Expectation of privacy Right to privacy Right to be forgotten Post-mortem privacy
Privacy laws	Australia Brazil Canada China Denmark England European Union Germany Ghana New Zealand Russia Singapore Switzerland United Kingdom United States California, amended in 2020
Data protection authorities	Australia Denmark European Union France Germany India Indonesia Ireland Isle of Man Netherlands Norway Philippines Poland South Korea Spain Sweden Switzerland Thailand Turkey United Kingdom
Areas	Consumer Digital Education Medical Workplace
Information privacy	Law Financial Internet Facebook Google Twitter Email Personal data Personal identifier Social networking services Privacy-enhancing technologies Privacy engineering Privacy-invasive software Privacy policy Secret ballot Virtual assistant privacy
Advocacy organizations	American Civil Liberties Union Center for Democracy and Technology Computer Professionals for Social Responsibility Data Privacy Lab Electronic Frontier Foundation Electronic Privacy Information Center European Digital Rights Future of Privacy Forum Global Network Initiative International Association of Privacy Professionals NOYB Privacy International
See also	Anonymity Cellphone surveillance Data security Eavesdropping Global surveillance Identity theft Mass surveillance Panopticon PRISM Search warrant Wiretapping Human rights Personality rights
Category