The Federal Trade Commission (“FTC”) released this week its long-awaited consumer privacy report, Protecting Consumer Privacy in an Era of Rapid Change (the “Report”). The Report builds upon a preliminary staff report the FTC released in December 2010. The Report sets forth a privacy framework (the “Framework”) that is intended to identify the “best practices for companies that collect and use consumer data” and to “assist Congress as it considers privacy legislation.” The Report cautions, however, that to “the extent the framework goes beyond existing legal requirements, the framework is not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC.” The Report also states that the Framework is “not intended to conflict with requirements of existing laws and regulations.”
The Framework covers all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer or other device. Data will not be deemed “reasonably linkable” if a company (1) takes reasonable measures to de-identify the data (i.e., ensure that the data is not linkable to a specific consumer, computer or device); (2) publicly commits that it will not try to re-identify the data (i.e., link the data to a specific consumer, computer or device); and (3) contractually prohibits downstream recipients from trying to re-identify the data. The Framework does not apply to entities that collect “non-sensitive” consumer data (e.g., “data that is not a Social Security number or financial, health, children’s, or geolocation information”) from fewer than 5,000 consumers per year and do not share any of that data with third parties.
The Framework is based on three baseline principles: privacy by design, simplified consumer choice, and transparency.
Privacy by Design: Under the Framework, companies “should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.” Companies should, among other things, establish reasonable data security, reasonable limits on the collection of data, sound retention and disposal practices, and procedures to ensure data accuracy. The Report also states that companies should implement comprehensive data management procedures throughout the life cycle of their products and services, such as, for example, the designation of personnel responsible for employee privacy training and the regular assessment of the privacy impact of specific practices, products, and services.
Consumer Choice: Companies should provide mechanisms that allow consumers to choose how their personal information is handled, and should simplify the means for consumers to do that. For practices requiring choice, the Report states that companies should offer choice when a consumer is making a decision about personal data, and that companies should obtain “affirmative express consent” before (1) “using consumer data in a materially different manner than claimed when the data was collected” (e.g., “sharing consumer information with third parties after committing at the time of collection not to share the data”) or (2) “collecting sensitive data for certain purposes.” The Report, however, states that companies do not need to provide a choice “before collecting and using consumer data for practices that are consistent with the context of the transaction or the company’s relationship with the consumer, or are required or specifically authorized by law.” The Report also supports a Do-Not-Track regime based on five key principles: (1) universal implementation to cover all parties who would track consumers, (2) a system that is easy to find, understand and use, (3) choices offered should be persistent and should not be overridden when, for example, “consumers clear their cookies or update their browsers,” (4) a comprehensive, effective and enforceable Do-Not-Track system, and (5) a consumer’s right to opt out of the collection of behavioral data for targeted advertising and all other purposes, except those that are consistent with the context of the interaction (e.g., “preventing click-fraud or collecting de-identified data for analytics purposes”).
Transparency: Companies should provide maximum transparency of their data practices. To accomplish this, privacy notices should be clear, short, and standardized, and consumers should have reasonable access to their personal data. Companies also should expand their efforts to educate consumers about commercial data privacy practices. With regard to data brokers (i.e., companies that collect information from a wide variety of sources for the purpose of reselling such information), consumers should have access rights to information held by data brokers (this may require new legislation). Data brokers should “explore creating a centralized website where data brokers could (1) identify themselves to consumers and describe how they collect and use consumer data and (2) detail the access rights and other choices they provide with respect to the consumer data they maintain.”
Finally, over the course of the next year, the Report states that the FTC will be active in the following five areas.
Do-Not-Track: The FTC will work with browser vendors, the Digital Advertising Alliance, and the World Wide Web Consortium to implement an “easy to use, persistent, and effective Do Not Track system.”
Mobile: The FTC urges mobile services companies to improve privacy protections, including the “development of short, meaningful disclosures.” The FTC will hold a workshop on May 30, 2012 to address, among other issues, mobile privacy disclosures.
Data Brokers: The FTC will support data broker legislation and will urge the data broker industry to create a centralized website.
Large Platform Providers: The FTC plans to host a public workshop in the second half of 2012 to address comprehensive tracking of consumers’ online activities by providers of large platforms (e.g., “Internet Service Providers, operating systems, browsers, and social media”).
Promoting Enforceable Self-Regulatory Codes: The Report notes that the White House recently issued a “white paper” that sets forth a Consumer Privacy Bill of Rights, and that the Department of Commerce (Commerce) issued a Request for Public Comments seeking public input on the process for convening stakeholders to determine how to apply the Consumer Privacy Bill of Rights in different business contexts. The Report states that the FTC will participate in Commerce’s facilitation of the development of codes of conduct. To the extent strong codes are developed, the FTC will “view adherence to such codes favorably in connection with its law enforcement work.”