FTC Fair Information Practice
The United States Federal Trade Commission's Fair Information Practice Principles (FIPs) are guidelines that represent widely-accepted concepts concerning fair information practice in an electronic marketplace.
Introduction
FTC Fair Information Practice Principles are the result of the Commission's inquiry into the manner in which online entities collect and use personal information, and into the safeguards needed to assure that the practice is fair and provides adequate information privacy protection. The FTC has been studying online privacy issues since 1995, and in its 1998 report, the Commission described the widely-accepted Fair Information Practice Principles of Notice, Choice, Access, and Security. The Commission also identified Enforcement, the use of a reliable mechanism to provide sanctions for noncompliance, as a critical component of any governmental or self-regulatory program to protect online privacy.
History and development
Fair Information Practice was initially proposed and named by the US Secretary's Advisory Committee on Automated Personal Data Systems in a 1973 report, Records, Computers and the Rights of Citizens, issued in response to the growing use of automated data systems containing information about individuals. The central contribution of the Advisory Committee was the development of a code of fair information practice for automated personal data systems. The Privacy Protection Study Commission also may have contributed to the development of FIPs principles in its 1977 report, Personal Privacy in an Information Society.
As privacy laws spread to other countries in Europe, international institutions took up privacy with a focus on the international implications of privacy regulation. In 1980, the Council of Europe adopted a Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. At the same time, the Organisation for Economic Co-operation and Development (OECD) proposed similar privacy guidelines in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The OECD Guidelines, Council of Europe Convention, and European Union Data Protection Directive relied on FIPs as core principles. All three organizations revised and extended the original U.S. statement of FIPs, with the OECD Privacy Guidelines being the version most often cited in subsequent years.
Principles
The core privacy principles are:
1. Notice/Awareness
Consumers should be given notice of an entity's information practices before any personal information is collected from them. This requires that companies explicitly give notice of some or all of the following:
- identification of the entity collecting the data;
- identification of the uses to which the data will be put;
- identification of any potential recipients of the data;
- the nature of the data collected and the means by which it is collected;
- whether the provision of the requested data is voluntary or required;
- the steps taken by the data collector to ensure the confidentiality, integrity and quality of the data.
2. Choice/Consent
Choice and consent in an online information-gathering sense means giving consumers options to control how their data is used. Specifically, choice relates to secondary uses of information beyond the immediate needs of the information collector to complete the consumer's transaction. The two typical types of choice models are 'opt-in' or 'opt-out.' The 'opt-in' method requires that consumers affirmatively give permission for their information to be used for other purposes; without the consumer taking these affirmative steps in an 'opt-in' system, the information gatherer assumes that it cannot use the information for any other purpose. The 'opt-out' method requires consumers to affirmatively decline permission for other uses; without the consumer taking these affirmative steps in an 'opt-out' system, the information gatherer assumes that it can use the consumer's information for other purposes. Each of these systems can be designed to allow an individual consumer to tailor the information gatherer's use of the information to fit his or her preferences by checking boxes to grant or deny permission for specific purposes rather than using a simple "all or nothing" method.
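The opt-in and opt-out rules described above, as an added example that is not from the article: a small Python consent evaluator in which the chosen model decides what an absent choice means, with per-purpose tailoring as the text describes. The purpose names and consent records are constructed for illustration.

```python
"""Per-purpose consent evaluation under the FTC Choice/Consent principle.

Added example (not from the article). A consumer's record holds only the
affirmative steps they took; the model decides what an absent choice means.
All purpose names and records below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class ChoiceModel(Enum):
    OPT_IN = "opt-in"    # absent choice => collector may NOT use the data
    OPT_OUT = "opt-out"  # absent choice => collector MAY use the data


# The primary purpose is the transaction itself; choice only governs
# secondary uses beyond it (hypothetical purpose names).
PRIMARY_PURPOSE = "complete_transaction"
SECONDARY_PURPOSES = ("marketing", "analytics", "third_party_sharing")


@dataclass
class ConsentRecord:
    model: ChoiceModel
    # purpose -> True (affirmatively granted) / False (affirmatively declined).
    # A purpose missing from this dict means the consumer took no step.
    choices: dict[str, bool] = field(default_factory=dict)


def may_use(record: ConsentRecord, purpose: str) -> bool:
    """Return whether the collector may use the data for `purpose`."""
    if purpose == PRIMARY_PURPOSE:
        return True  # needed to complete the transaction; not a choice item
    if purpose not in SECONDARY_PURPOSES:
        raise ValueError(f"unknown purpose: {purpose}")  # fail closed on typos
    if purpose in record.choices:
        return record.choices[purpose]  # the consumer's explicit box wins
    # No affirmative step: the model supplies the default.
    return record.model is ChoiceModel.OPT_OUT


def permitted_purposes(record: ConsentRecord) -> set[str]:
    """All purposes, primary included, the collector may currently rely on."""
    return {p for p in (PRIMARY_PURPOSE, *SECONDARY_PURPOSES) if may_use(record, p)}


def silent_defaults(record: ConsentRecord) -> set[str]:
    """Secondary purposes permitted only because the consumer said nothing.

    Under opt-out this is the set a privacy review should flag: the data is
    in use without any affirmative act by the consumer.
    """
    return {p for p in SECONDARY_PURPOSES
            if p not in record.choices and may_use(record, p)}


if __name__ == "__main__":
    untouched_opt_in = ConsentRecord(ChoiceModel.OPT_IN)
    untouched_opt_out = ConsentRecord(ChoiceModel.OPT_OUT)
    tailored = ConsentRecord(ChoiceModel.OPT_OUT,
                             {"marketing": True, "third_party_sharing": False})
    for rec in (untouched_opt_in, untouched_opt_out, tailored):
        print(rec.model.value, sorted(permitted_purposes(rec)),
              "silent:", sorted(silent_defaults(rec)))
```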
2-1. Problems with Choice/Consent
Consumers do not have a fair say in the consent process. For example, customers provide health information such as their social insurance number or health card number while making an appointment for a dental check-up online. Customers are commonly asked to sign an agreement stating that 'third parties may have access to the information you provide under certain conditions.' The certain conditions are rarely specified in any part of the agreement. Later on, the third party may share the information with its subsidiary institutions. Thus, access to customers' personal information is beyond their control.
3. Access/Participation
Access as defined in the Fair Information Practice Principles includes not only a consumer's ability to view the data collected, but also to verify and contest its accuracy. This access must be inexpensive and timely in order to be useful to the consumer.
4. Integrity/Security
Information collectors should ensure that the data they collect is accurate and secure. They can improve the integrity of data by cross-referencing it with only reputable databases and by providing access for the consumer to verify it. Information collectors can keep their data secure by protecting against both internal and external security threats. They can limit access within their company to only necessary employees to protect against internal threats, and they can use encryption and other computer-based security systems to stop outside threats.
5. Enforcement/Redress
In order to ensure that companies follow the Fair Information Practice Principles, there must be enforcement measures. The FTC identified three types of enforcement measures: self-regulation by the information collectors or an appointed regulatory body; private remedies that give civil causes of action for individuals whose information has been misused to sue violators; and government enforcement, which can include civil and criminal penalties levied by the government.
Enforcing the principles
Currently the FTC version of the Fair Information Principles is only a set of recommendations for maintaining privacy-friendly, consumer-oriented data collection practices, and is not enforceable by law. The enforcement of and adherence to these principles is principally performed through self-regulation. The FTC has, however, undertaken efforts to evaluate industry self-regulation practices, provides guidance for industry in developing information practices, and uses its authority under the FTC Act to enforce promises made by corporations in their privacy policies.
Since self-regulatory initiatives fall short of ideal implementation of the principles (the 2000 FTC Report noted, for example, that self-regulatory initiatives lacked meaningful monitoring and enforcement policies and practices), the Commission recommends that the United States Congress enact legislation that, in conjunction with continuing self-regulatory programs, will ensure adequate protection of consumer privacy online. "The legislation recommended by the Commission would set forth a basic level of privacy protection for consumer-oriented commercial Web sites" and "would establish basic standards of practice for the collection of information online...consumer-oriented commercial Web sites that collect personal identifying information from or about consumers online... would be required to comply with the four widely-accepted fair information practices."
The principles, however, form the basis of many individual laws at both the federal and state levels, the so-called "sectoral approach." Examples are the Fair Credit Reporting Act, the Right to Financial Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act (VPPA), and the Cable Television Protection and Competition Act. Additionally, the principles continue to serve as a model for privacy protections in newly developing areas, such as in designing Smart Grid programs.
The four critical issues identified in the Fair Information Principles are:
- Notice – data collectors must disclose their information practices before collecting personal information from consumers;
- Choice – consumers must be given options with respect to whether and how personal information collected from them may be used for purposes beyond those for which the information was provided;
- Access – consumers should be able to view and contest the accuracy and completeness of data collected about them;
- Security – data collectors must take reasonable steps to assure that information collected from consumers is accurate and secure from unauthorized use.
In addition, the Principles discuss the need for enforcement mechanisms to impose sanctions for noncompliance with fair information practices.
Other proposals regarding 'fair information'
The Organisation for Economic Co-operation and Development (OECD) and the European Union, among others, have adopted more comprehensive approaches to fair information practices. The OECD principles provide added protections via the Individual Participation principle, which sets specific requirements for access to and modification of personally collected information by the individual, and the Accountability principle (a data controller should be accountable for complying with measures which give effect to the principles stated above).
The European Union Data Protection Directive is another model for comprehensive privacy protections.
Criticism of the FTC Principles
The FIPs are criticized by some scholars for being less comprehensive in scope than privacy regimes in other countries, in particular in the European Union and other OECD countries. Additionally, the FTC's formulation of the principles has been criticized in comparison to those issued by other agencies. The FTC's 2000 version of FIPs is shorter and less complete than the privacy protection principles issued by the Privacy Office of the Department of Homeland Security in 2008, which include eight principles closely aligned with the OECD principles.
Some in the privacy community criticize the FIPs for being too weak, allowing too many exemptions, failing to require a privacy agency, failing to account for the weaknesses of self-regulation, and not keeping pace with information technology. Many privacy experts have called for omnibus privacy protection legislation in the US in lieu of the current blend of self-regulation and selective codification in certain sectors.
Critics from a business perspective often prefer to limit FIPs to reduced elements of notice, consent, and accountability. They complain that other elements are unworkable, expensive, or inconsistent with openness or free speech principles.
See also
- Federal Trade Commission
- Information protection policy
- Information security
- Data Protection Directive