FTC Wants Piece of Set-Top Privacy Enforcement

Says third-party certifications should be to consumers as well

Jessica Rich, the director of the Federal Trade Commission's Bureau of Consumer Protection, has advised the FCC to require third-party navigation device providers to certify to consumers, as well as MVPDs, that their devices or apps comply with the statutory privacy protections that apply to MVPD set-top information.

That would be a way for the FTC to help enforce privacy protections on that information.

That came in comments to the FCC on chairman Tom Wheeler's proposal to "unlock" MVPD set-top box info and share it with third-party navigation devices.

The FCC has conceded that its MVPD privacy policies for set-top info, like what VOD channels they are accessing, don't necessarily apply to third parties but that it would require those third parties to self-certify to MVPDs they were complying with similar rules or the MVPDs would not have to share the data.

Rich applauded that approach, saying it would provide "valuable privacy protections" (cable operators aren’t so sure self-certification should be the benchmark).

But Rich wants it to go further, if the FCC decides to approve the proposal, and require consumer notification so the FTC can help enforce. That could put more teeth into a privacy protection promise Wheeler has made about the proposal, so the chairman would likely be open to the proposed change.

"Requiring third-party set-top box manufacturers to promise that they will comply with cable and satellite statutory privacy provisions will be effective only if such promises are enforceable. The FTC can enforce manufacturers’ promises by using its Section 5 authority to prohibit deceptive practices, as it has done in the types of cases described in Section II." And the FTC can get involved if the promise is made to consumers as well as MVPDs.

"The FCC’s final rule on set-top boxes should require that MVPDs provide access only to those third-party set-top boxes that have provided consumer-facing statements promising to comply with the privacy obligations that apply to MVPDs.30 The FTC’s deception authority is clearly implicated by certifications to consumers."

"Such a representation would be analogous to manufacturers voluntarily committing to a privacy code of conduct," said Rich, and would "facilitate FTC enforcement against third-party set-top box manufacturers under the jurisdiction of the FTC. The FTC’s ability to enforce promises made by these entities serves as an important backstop to ensure that they are abiding by the required consumer privacy protections."

The FTC has limited rulemaking authority, with most of its power coming from enforcing breaches in privacy promises.

Google has pushed for the set-top proposal and has been accused of doing that pushing in an effort to scrape data and monetize it. So, it was appropriate that one of the examples Rich used of FTC privacy enforcement was its $22.5 million settlement with the company for allegedly providing "deceptive instructions for opting out of third-party cookies on Apple’s Safari browser." A settlement means Google did not have to acknowledge any wrongdoing. "The complaint alleged that Google’s deceptive opt-out instructions contradicted its promise to abide by the Network Advertising Initiative’s (NAI) code of conduct, which requires truthful disclosure of data practices," Rich pointed out. "The FTC’s complaint alleged, among other things, that Google’s representation of compliance with the NAI code was deceptive."

Consumer notifications about navigation privacy would insure the FTC could take similar action in that space if promises were not kept.