The Federal Trade Commission ("FTC" or
"Commission") issued its much anticipated privacy report
on December 1, 2010. The report, titled, "Protecting Consumer
Privacy in an Era of Rapid Change", sets forth the
Commission's proposed framework for how companies could address
consumer privacy1. In addition, Commission staff has
expressed support for a universal choice mechanism with respect to
online behavioral advertising, sometimes referred to as "Do
Not Track". The report suggests that this mechanism could be
achieved either legislatively or through industry self-regulation.
Comments on the report are due January 31, 2011. The Commission
intends to issue a final report in 2011.
In general, the report provides a detailed, historical context on
the evolution of privacy policy. The report calls for best
practices, but does not specifically forward any legislative
proposals. The report asks numerous questions on how to implement
the broader framework, but does not provide much in the way of
specific proposals or standards for enforcement at this time. The
following is summary of the key themes from the report.
Privacy by Design. The report calls for companies
to promote consumer privacy and security throughout their
organizations, business practices, and development of their
products and services. This concept includes:
- providing reasonable security for consumer data;
- collecting only the data needed for a specific business purpose;
- retaining such data only as long as necessary to fulfill that purpose;
- safely disposing of data when no longer needed; and
- implementing reasonable procedures to promote data accuracy.
The report also calls for companies to adopt procedures to
promote privacy practices that are scaled to each company's
business operations and data practices. These procedures should
include appointing personnel to oversee privacy issues, training
employees, and conducting privacy reviews when developing new
products and services.
Simplified Choice. The report calls for companies
to provide simplified, streamlined choice to consumers with respect
to their data practices. The Commission report does not call for
universal choice for all collection and use, but instead has
developed a bifurcated approach based on the purpose for which data
is collected. The Commission suggests that choice is not necessary
when collection and use is done for "commonly accepted"
practices such as first-party marketing, product fulfillment, fraud
prevention, and other internal operations (e.g., improving services
offered and legal compliance).
For data practices that are not "commonly accepted",
companies should provide consumers with choice2. To
ensure consumers are able to make informed and meaningful choice,
the Commission states that choice should be clearly and
conspicuously described and offered when the consumer is making a
decision about providing data.
When offering choice is appropriate, the report provides
suggestions on where to offer choice in specific contexts including
online and offline collection by retailers, social media, and
mobile platforms. For instance, the Commission states that for
retailers with direct interaction with consumers online, the
disclosure and control mechanism should appear on the page on which
the consumer types in his or her personal information. For offline
retailers, notice and choice should be provide at the point of sale
(i.e., the cashier could ask the consumer if they would like to
receive offers from the retailer).
The report does not specify whether opt in or opt out consent is
required for practices that do not fall into "commonly
accepted" practices, and invites comment on this issue.
Great Transparency. The report calls for companies
to make their data practices more transparent to consumers by
providing clearer, shorter, and more standardized privacy
statements. The FTC stated that this approach would permit
consumers to compare data practices and choices across
companies.
Reasonable Access. The report recommends that
companies provide reasonable access to data particularly those
companies that collect information but do not directly interact
with consumers such as data brokers. The report states that the
extent of access should be proportional to both the sensitivity of
the data and the intended use.
Material Changes to Data Practices. The Commission
reiterated its position that companies should provide robust notice
and obtain affirmative consent for material, retroactive changes to
data policies.
Education. The Commission has proposed to
undertake a broad effort to educate consumers about data collection
and the availability of choices.
Footnotes
1. FTC Report.
2. The report provides the following examples of practices not "commonly accepted": (1) a retailer collecting purchase information directly from a consumer and then selling it to a third party that may be unknown to the consumer, (2) online behavioral advertising, and (3) use of deep packet inspection to create marketing profiles of consumers.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.