SIIA Welcomes New FTC Privacy Report

SIIA welcomes today’s clarification of the FTC’s policies in the area of online privacy. This clarification is especially important because of the FTC’s substantial authority to bring cases against the companies it claims are in violation of its policies. SIIA has long supported a collaborative, public-private approach as the best way to ensure consumer privacy, and we cannot endorse the report’s call for new legislation. In light of the FTC’s substantial authority in this area, we do not believe there is a need for new privacy legislation.

Read today’s coverage of SIIA’s stance:

FTC Report Calls for Transparency, Stops Short on Do Not Track Law – E-Commerce Times

FTC privacy: Key excerpts from the report – Washington Post

FTC Pushes ‘Do Not Track’ Privacy Option for Consumers – National Journal

FTC Chairman: Do-Not-Track Law May Not Be Needed – PC World


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology.

SIIA Applauds White House Privacy Recommendations

SIIA today welcomed the release of the White House’s report on privacy. In its report, the White House proposes that privacy codes of conduct be developed through a multi-stakeholder process that involves representatives from industry sectors, civil society, and representatives of other governments. The Department of Commerce would convene these discussions and act as a facilitator to ensure progress.

Voluntary, industry-specific privacy guidelines will improve privacy while maintaining the incentive and opportunity for industry participants to bring new information products and services to the public. Relying on a regulatory agency to come up with one-size-fits-all privacy rules will inhibit innovation and won’t lead to the most effective privacy protection for the public. The White House has developed a forward-looking, effective approach to improving privacy.

We simply don’t need legislation to develop privacy standards that work. The general principles of fair information practice are well known and have been articulated anew in the report. These principles can be made more specific through industry sector codes of conduct, and compliance can be assured through the existing authority of the Federal Trade Commission.

SIIA cannot endorse this proposal as a legislative initiative, but we welcome the multi-stakeholder process and look forward to participating in it. We also welcome the proposed multi-stakeholder agreement on adopting a do-not-track system.

Today’s agreement providing consumers and business with clear privacy rules related to online behavioral advertising is a good first step in carrying out the promise of the multi-stakeholder approach to protecting privacy. We are encouraged that the agreement was done collaboratively, with involvement from government, business and civil society. SIIA looks forward to additional accomplishments and stands ready to work with all stakeholders to continue to ensure consumer privacy is protected in the Internet age.


Katie CarlsonKen Wasch is President of SIIA.

Reply to Chertoff: Do Not Let the Perfect be the Enemy of the Good on Privacy and the Cloud

In his recent op-ed (Cloud computing and the looming global privacy battle, February 9, 2012), Michael Chertoff properly worries about privacy in the cloud. But he’s wrong to think that all problems are equally important or that they all must be solved at once.

We shouldn’t wait for harmonized privacy regimes before making progress on cross border data flows. The priority going forward should be a system of clear and simple procedures that allow global companies to comply with substantively different privacy regimes. In the absence of simple compliance procedures, millions of dollars will be spent on unnecessary bureaucratic paper shuffling instead of on productive investments that can generate economic growth and jobs. Eliminating this waste must be a priority, especially given the worldwide economic challenges.

One way forward is through international agreements that put streamlined compliance procedures in place. To accomplish this, countries have to be willing to approve data transfers across borders when companies demonstrate that they are in compliance with local rules. Mechanisms adopted by the Asia Pacific Economic Cooperation group move in this direction. Proposals tabled in the Trans Pacific Partnership trade discussions also contain this key idea. And the European Union’s proposed data protection regulation provides that compliance can be based on contracts, binding corporate rules or codes of conduct approved by single EU member regulator.

Deep integration of privacy regimes is a worthy, but distant goal. Fostering interoperability and cross border data flows are urgent immediate needs. We shouldn’t let the perfect be the enemy of the good.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology.

SIIA Responds to Proposed EC Data Protection Regulations

The European Commission today proposed a comprehensive reform of the EU’s 1995 data protection rules for online privacy. The proposal includes two legislative proposals setting out the Commission’s objectives: a Regulation setting out a general EU framework for data protection, and a Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.

SIIA welcomes revisions that would make it easier for global companies to demonstrate compliance with the EU privacy regime, and to ease the administrative burdens. However, we are concerned that the breadth of these proposed regulations threaten the internet economy and impede economic growth and job creation. SIIA looks forward to working with EU oifficials to resolve any concerns about substantive new privacy rules such as the proposed new right to be forgotten and requirements for affirmative consent.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology.

LBS = Location-Based Services, Not Stalking

The new wave of mobile and cloud computing presents a tremendous amount of innovation and opportunity. Together, the combination of innovative new devices like smart phones and tablets, along with centralized cloud-based storage and computing power, promise to transform how we work, consume media, communicate and live our live. The recent proliferation of these technologies is only the tip of the iceberg.

Perhaps the most visible innovation to users comes in the form of mobile apps providing information, services and communication in a way that was unimaginable just five years ago. Increasingly, substantial functionality of mobile apps derives from location-based services (LBS) that customize users experiences based on where they are.
Of course, with the opportunities always come new challenges.

On Tuesday, a bipartisan group of six Senators sent a letter to the FTC and DOJ expressing serious concern about “stalking apps,” mobile apps that allow “someone to continuously and secretly monitor another person’s movements and whereabouts.” There are clearly legitimate uses for individuals to be able to track others, such as the case of parental tracking of children’s location, or even allowing individuals to decide to allow others access to their location information to stay connected.

However, it goes without saying that some apps are designed and openly marketed to individuals seeking to “stalk” or “spy” on an unwitting victim. They clearly are designed to run secretly, or are undetectable. They are an invasion of privacy and pose a real threat to public safety.

The Senators appropriately reference some of the good work that is being done by the industry to combat this challenge, particularly that “all major carriers take precautions pursuant to voluntary industry guidelines to notify a wireless user that he or she is being tracked through one of the services” that they provide within users of a calling plan. Additionally, the leading smartphone and tablet platofrm providers have adopted policies that include removing any illegal apps that are identified. Spyware isn’t new, it’s been around and used to spy for quite some time. Fortunately, the technology industry has done an excellent job of providing tools for individuals to monitor and combat this phenomenon.

So, this is another case of good technology—LBS—being used for bad purposes. As always, it’s critical to make sure that laws and regulations are applied to stop the malicious applications without thwarting the technology. The obvious flip side is the benefit that LBS can provide for locating missing persons, particularly children. It would be a shame to lose this critical new technological tool.

SIIA is confident this balance can be created, through the application of technology and voluntary industry measures, as well as targeted enforcement for bad actors by the FTC and other regulators. We look forward to working with policymakers and regulators to enable enforcement against apps that inappropriately facilitate stalking.

More broadly, SIIA is actively working with a broad cross-section of stakeholders to develop to voluntary privacy principles and best practices for mobile app developers, and to establish transparency about the collection, use and protection of consumer data. We are confident that such practices, along with current laws and regulations, can ensure the level of safety and satisfaction that users deserve, and that will enable continued explosive innovation and growth.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy.

SIIA op-ed: Software industry should develop mobile app privacy guidelines, not Congress

Today, NextGov ran an SIIA op-ed highlighting our view that industry — not Congress — is best positioned to develop effective practices that ensure consumer confidence.

SIIA recently joined an application privacy working group through the Future of Privacy Forum, a Washington think tank. With this group, we are bringing forth the expertise of our member companies to develop voluntary guidelines that will spread best practices to all participants in the industry. In addition, the FPF project website, supported by SIIA and others, makes available a variety of tools to help app developers manage issues of data collection and use.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology.

SIIA comments on FTC Privacy Report

Today, SIIA submitted comments on the Preliminary FTC Staff Report on Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers. Here’s an excerpt:

SIIA strongly supports the balance between privacy and the free flow of information, as well as the balance between the need for consumer confidence and continued innovation.

To that end, we appreciate the FTC, the DOC and the Administration for taking such a thorough, thoughtful approach, rather than rushing to make policy recommendations at this time.

In an era of rapidly changing technology and business models, the development of a fixed regulatory framework for privacy protection is a counterproductive exercise.

Therefore, SIIA strongly cautions against the implementation of unnecessary legislation or regulations, in favor of a framework that is industry-led, voluntary and enforceable.

The FTC’s proposed privacy framework calls for companies that collect or use consumer data to adopt certain privacy protections to ensure that consumers and other data subjects are protected from privacy-related harm.

The Report combines elements of the previous policy frameworks used by the Commission – the notice and consent and the harm frameworks – to craft a checklist of good information management practices that companies can use as they design the systems and business practices or update them to provide new products or services to their customers.

The key elements of this new privacy framework include:

  • Data security, reasonable collection limitations, sound retention policies and data accuracy;
  • Choice on the collection and use of data at the time of data collection, except for certain commonly accepted business practices;
  • Clearer, shorter and more standardized privacy notices;
  • Special choice for online behavioral advertising:  Do Not Track; and
  • Reasonable access to data.