Earlier this month, the Federal Trade Commission (“FTC”) released a preliminary staff report entitled, "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers." According to the FTC, the report is intended “to inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy, and guide and motivate industry as it develops more robust and effective best practices and self-regulatory guidelines.” Judging from the initial wave of public commentary, consumer support for the proposed framework is widespread.
While the framework will undoubtedly impact the for-profit sector, its application to non-profit organizations remains unclear. As currently drafted, the FTC’s proposal would apply to “all commercial entities that collect or use consumer data that can reasonably be linked to a specific consumer, computer or other device.” The term “commercial entities” remains undefined.
As currently drafted, the FTC’s proposals could impact any organization that collects consumer/donor information. While the typical non-profit organization collecting donor information will likely be exempt from the “Do Not Track” provisions under the “commonly accepted business practices” exception, the framework’s requirements relating to data privacy, security and transparency could potentially apply to non-profit organizations.
In the absence of additional guidance, the FTC’s approach to this question in other consumer privacy contexts may be instructive. Specifically, in 2003, the FTC promulgated the Telemarketing Sales Rule (“TSR”), commonly known for establishing the national “Do Not Call” registry. Although the TSR does apply to so-called “telefunders” (for-profit telemarketers who solicit charitable contributions on behalf of non-profit entities), the FTC’s position was that non-profit entities were beyond the scope of TSR. In doing so, the FTC noted the jurisdictional limits imposed by the FTC Act, which provides the FTC with jurisdiction over persons, partnerships, or corporations organized to carry on business for their own profit or that of their members.
In 2008, however, the FTC came to a different conclusion with respect to non-profit entities in issuing new rule provisions under the CAN-SPAM Act (the “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003”). In its Statement of Basis and Purpose and Final Discretionary Rule, the FTC refused to exempt non-profit entities from application of the CAN-SPAM Act, which regulates the sending of unsolicited commercial e-mails. In doing so, the FTC noted that that the Can-Spam Act does not set up a dichotomy between “commercial” and “non-profit” messages. Accordingly, the FTC concluded that “when nonprofit organizations send emails the primary purpose of which is the advertisement or promotion of a commercial product or service, recipients are entitled to the Act’s protections.”
The question of the framework’s application to non-profit entities will likely be further vetted during the public comment period which continues through January 31, 2011. Apparently cognizant of the difficulties engendered by a uniform approach, the FTC asked for public comment on “practical considerations that support excluding certain types of companies or businesses from the framework.” Public comments on the proposed framework may be submitted here.