I recently attended an IAPP Practical Privacy Series. If you are interested in or work in the Privacy Compliance arena, I would encourage you to attend one of these and/or join IAPP. They have a variety of programs, conferences, and professional certifications available.
The series was held in Washington DC and was focused on the recent guidance issued by the FTC on privacy compliance, as well as the creation of the CFPB (Consumer Financial Protection Bureau) and its expected plans for oversight of the financial industry.
I've summarized some of the key themes and takeaways that I noted from the conference. Please post any questions or comments.
_______________________
FTC Commissioner Brill was the keynote speaker and took Q&A. I was pretty impressed with the FTC's knowledge and understanding of industry practices and challenges. Commissioner Brill also actively participated throughout the day-long conference, along with several of her colleagues from the FTC.
The FTC recently issued a proposed privacy framework, Privacy Report, for public comment that includes these themes:
a) DO NOT TRACK EXPECTATION. Consumers should have the ability to easily know what information is being tracked about them when using the internet. They should also have the choice to easily turn off tracking, when and where they want. There is an increasing expectation among consumers that they fully understand, and have the option to control, what information is tracked about them when they make use of the internet. The big internet browser platforms are being eyed as a key piece of the solution to enable choice for consumers. Microsoft, Apple, and Google are all taking a look at what changes they can make in their products to give consumers more capability and choices to control and understand what is being tracked when they surf the internet. Individual websites will also likely have to make changes to ensure they adhere to the changes in FTC guidance once they are finalized.
b) ACCESS. Consumers should have the ability to request and receive timely information about what personal information a company has on them and how it is being used. Safe Harbor already includes this provision, but it is not considered a clear and consistent mandate across US privacy regulations. This is an acute challenge for US banks, as they are not well positioned to respond to such requests today. Most banks are not Safe Harbor certified. Some even see the potential for consumers to leverage this the way law firms do with overburdensome e-discovery requests.
c) SHIFT TO “General Sensitive Data Protection” from just protection of PII (Personally Identifiable Information). INFOSEC standards are being viewed as helpful with this shift. This makes sense. From my perspective, companies should look to common INFOSEC controls to help enable compliance. Regulatory bodies should then take a risk-based approach to enforcement by focusing their enforcement efforts on consumers' most sensitive information and on the data that would create the greatest impact/damages from a breach or inappropriate exposure.
d) There were a number of active discussions regarding concerns about the CFPB (Consumer Financial Protection Bureau) having too much power. The CFPB was recently created by the Dodd-Frank Act as an outcome of predatory lending “causing the housing market collapse.” The CFPB has the ability to make rules, oversee, and enforce consumer lending practices. Big banks will be impacted heavily as this bureau solidifies its role. Of course, those following the bank bailout and the housing market shouldn't be surprised by the creation of even more regulation. Ironically, this legislation and the new bureau were created by two of the key legislators that oversaw the old regulations prior to the collapse...
By the way, the deadline for public comment on the proposed privacy framework is January 31st, 2011. Here is the link for public comments: Privacy Framework Comments.
Again, let me know if you have questions or comments.
Mark Brooks