FTC to Refocus Privacy Efforts
So I’ve notice a good deal of discussion here on Agent Genius related to privacy. I thought I’d devote this post to how policymakers in Washington, particularly the Federal Trade Commission (FTC) are viewing the topic and how the agency is starting to think about future regulation in the area.
I attended what is to be the first of three privacy workshops held by the FTC on December 7. The workshop brought together FTC staff, academics, consumer advocates and industry representatives to discuss whether new regulations are necessary and if so, what they might look like.
Chairman Jon Leibowitz opened the event by stating that “We are at another watershed moment in privacy, and the time is right for the commission to take a broader look at privacy.” He announced that the FTC “will pay increased attention to online privacy concerns over the next six months.”
What was clear from the workshop is that the FTC is no longer satisfied with the current privacy protection paradigm of notice and choice. In other words, under current law, as long as you disclose your privacy practices in a policy on your website, and stick to them, generally, anything goes.
Consumer Protection Leads FTC’s New Direction
The FTC is headed in a new direction and consumer protection is the name of the game. During the course of the day-long workshop FTC staff repeatedly stated that consumers don’t read or understand privacy policies so new methods of disclosure are needed to ensure that consume privacy is protected.
Commission staff suggested broadening the traditional definition of personally identifiable information or PII. This is the threshold definition for determining which information will be protected. Today it generally consists of names and account numbers. The suggestion was that a new broader definition of PII should include any information that can be aggregated from different sources to identify an individual.
Other ideas to improve consumers’ understanding of how their data is used include just- in- time privacy notices— disclosures made at the point of data collection, layered privacy notices that would start with short, high level disclosures then drill down to more detailed disclosure if a consumer wished to learn more and the concept of a standardized privacy policy akin to a nutrition label on food packaging.
Finally, the Commission identified emerging technologies that will come under increasing scrutiny for privacy related issues in the months and years ahead as cloud computing, mobile or location specific applications and social media networks.
So What Does this Mean for Real Estate Professionals?
So what does this all mean for real estate professionals? As with many things here in Washington, it’s unclear at the moment. What I can say is that new and additional privacy regulations are on the horizon. It is not a matter of if but of when. Now is a good time to think about your data collection practices, review your privacy policy…and most of all comment here and let me know how these suggested changes would affect your business so we can work together to provide useful feedback to policymakers.
Ken Brand
January 10, 2010 at 9:02 am
Wow. I’ll be looking forward to you updates. Thanks.
Ken Brand
January 10, 2010 at 9:03 am
you = your. Wish comments let you go back in and edit. Cheers.
Joe Loomer
January 10, 2010 at 9:13 am
I’ll be looking for updates too, Melanie – thanks for the info!
This has such broad implications it’s almost incomprehensible. Everything from tagging client’s houses in Facebook pics to ensuring your own database is protected.
Navy Chief, Navy Pride
Melanie Wyne
January 10, 2010 at 9:35 am
Joe–you are spot on. This has the potential to have broad impact in an area where many in real estate have not paid attention for a long time.
Data security is a slightly different but related topic and Washington is poised to take action there too. Its really important for businesses to protect PII. The FTC has good, easy to digest information on the topic here https://www.ftc.gov/infosecurity/
Benn Rosales
January 10, 2010 at 3:52 pm
Melanie, I think where real estate agents are going to be the most challenged is quantified messaging as email. What I mean by that is agents are required in most cases to document in one place and store all electronic communications (quantified today email). Texting, Facebook messaging, Tweets, Direct Messages, Blog comments, etc, what would fall into that, and the challenge of collecting it all into one place boggles the mind- the problem is, you can’t ignore it because for our protection and you want it to qualify as email, but what makes sense?
Also, how does one protect who their consumers are if our ‘friends’ can be seen by anyone?
What constitutes the line in marketing to the consumer and permission to do so?
Are social networks going to fall into the same category of the telephone? DNC protections and all?
These are just a few things I can see as challenges.
Craig J Frooninckx
January 10, 2010 at 6:00 pm
For a long time, privacy hasn’t been looked at in Real Estate and that day is fast approching where that will have to be corrected. Too many agents don’t understand what data should be protected and how to protect it. The consumer is only trusting us to secure their documents. More training in this area will be a good idea.
Melanie Wyne
January 10, 2010 at 7:48 pm
Ben,
Interesting questions–As usual, you are thinking a few steps ahead. Most of the proposals currently on the table deal with PII stored by the business–i.e. on a laptop or on a server the business has under its control– (and some proposals for that matter deal with hard copy PII.)
Facebook,Twitter and other social media messages are technically controlled by Facebook and Twitter so, at the moment I don’t see much risk of rules implicating Realtors unless of course they are harvesting that data and keeping stored in a database.
It makes good sense for Realtors to think strategically about what Personally Identifiable Information they collect and store, and only keep that information that is critical to doing business.
Melanie Wyne
January 10, 2010 at 7:57 pm
Craig,
I agree. Training is critical as, the best privacy policy in the world doesn’t amount to much if your employees don’t follow it. The FTC link I posted in the earlier comment is a good place to start. NAR is working on additional resources too–I’ll keep you posted.
Melanie Wyne
January 11, 2010 at 1:41 pm
Hey Benn,
You were more prescient than I realized. Just found this on the Twitter. Looks like the FTC will hold another workshop this month on privacy implications of the cloud, mobile and social networking. I’ll be there, tweeting oh..and summarizing for the AG tribe.
https://www.datacenterknowledge.com/archives/2010/01/11/ftc-to-explore-cloud-security-privacy/
Benn Rosales
January 11, 2010 at 2:43 pm
If only my crystal ball would give me lottery numbers! Thanks, Melanie! Looking forward to the play by plays- one thing I have to say about the FTC is how they’re going about all of this, it’s a government agency that’s actually doing more listening and engaging rather than shoving policy or intimidating rhetoric down anyone’s throats. They’ve really been hands on, and I think it’s commendable.
Melanie Wyne
January 11, 2010 at 8:46 pm
In Today’s NYT more from the FTC in a story titled “Has the Internet Gone Beyond Privacy Policies?”
Its worth a read. https://mediadecoder.blogs.nytimes.com/2010/01/11/ftc-has-internet-gone-beyond-privacy-policies/