The Federal Trade Commission ("FTC") recently issued revised consumer privacy guidelines. Retailers should be cognizant of the report released by the FTC and re-evaluate privacy policies regarding the collection and use of customer information.
While the preliminary report recommended that the framework and policies apply to all commercial entities that collect or use consumer data that can be linked to a specific consumer, computer, or other device, the final Report narrowed its scope recognizing the potential burden on small businesses. The Report concludes that the framework should not apply to companies that collect and do not transfer only non-sensitive data from fewer than 5,000 consumers a year, and that such data is not "reasonably linked" if a company takes reasonable measures to de-identify the data, commits not to re-identify it, and prohibits downstream recipients from re-identifying it.
Stressing that the distinction between personally identified information and non-personally identified information is "of decreasing relevance" and, as a result, de-identified information also should be protected. The Report calls on companies handling consumer data to implement policies for protecting privacy which encompass, among others, the following concepts:
- Privacy by Design. Consumer privacy protections should be built in at every stage in business and should include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy. The FTC recommends: (i) assigning personnel to oversee privacy issues from the earliest stages of research and development; (ii) training employees on privacy issues; and (iii) conducting privacy reviews of new products and services to determine the privacy implications of such innovations. Appropriate data retention periods should be a requirement.
- Simplified Choice for Businesses and Consumers. The Report refines guidance for when companies should provide consumers with a choice about how their data is used. Consumers should have the option to decide what information is shared about them, and with whom, using a "Do Not Track" mechanism that would provide a simple, easy way for consumers to control the tracking of their online activities.
- Greater Transparency. Companies should disclose details about their collection and use of consumer information, and provide consumers access to the data collected about them, as they don't read or understand data policies as currently written. The Report calls on data brokers, who buy, compile, and sell highly personal information for marketing purposes, to explore creation of a centralized website where consumers could access information about the data brokers' practices and their options for controlling data use.
The FTC recommends that Congress consider enacting general privacy, data security, breach notification, and data broker legislation. While Congress considers such legislation, the FTC urges individual companies and self-regulatory bodies to accelerate the adoption of the principles contained in the Report, to the extent they have not already done so.
In conclusion, retailers should reassess their policies regarding collection, protection, and use of consumer information to ensure that they are consistent with the FTC framework, as the Report recommends additional protection for a broad base of information as well as more transparency and choices on how consumer information is being used.