The Federal Trade Commission is urging companies that collect and use consumer data to adopt the best practices described in its recently released final report on privacy titled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policy Makers.”
The FTC’s report follows closely on the heels of the Obama Administration’s recently released white paper on consumer privacy that urged Congress to enact legislation to enact a “Consumer Privacy Bill of Rights.” (For more on the administration’s report, see our March 14, 2012, legal alert.)
Referring to the best practices as a “privacy framework,” the FTC states in the report that it intends the framework not only to guide companies in the development of self-regulatory measures but also to “assist Congress as it considers privacy legislation.” Citing the need for clear standards and “adequate legal incentives” such as civil penalties and other remedies to deter companies from cutting corners on consumer privacy, the FTC calls on Congress to consider enacting technologically neutral and flexible baseline privacy legislation.
The FTC also reiterates its call for federal data security legislation and voices its support for legislation that would provide consumers with access to information about them held by data brokers. At the same time, the FTC indicates that “to the extent the framework goes beyond existing legal requirements,” the FTC does not intend to use the framework “as a template for law enforcement actions or regulations” under laws currently enforced by the FTC.
The framework is intended to apply to all commercial entities that collect (online or offline) or use consumer data that reasonably can be linked to a specific consumer, computer or device. While generally adopting the framework proposed by the FTC in 2010, the final report would exclude companies that collect or use only non-sensitive data (e.g., data that is not a Social Security number or financial, health, children’s, or geolocation information) from fewer than 5,000 individuals per year and do not share the data with third parties. It also includes steps a company can take to “de-identify” data so that it would not be considered “reasonably linkable.”
The framework consists of the following best practices:
Privacy By Design
Companies should (1) incorporate substantive privacy protections into their everyday business practices, such as data security, reasonable limits on collection and retention, and data accuracy, and (2) maintain comprehensive data management procedures covering the entire life cycle of their products and services. The report includes a “data collection and disposal case study” focused on concerns raised by mobile devices.
Simplified Consumer Choice
Companies should provide easy-to-use choice mechanisms that allow consumers to control whether their data is collected and how it is used. However, companies need not offer choice before collecting and using data for practices that are (1) consistent with the context of the interaction between the company and consumer, or (2) required or specifically authorized by law. Examples of such practices include product and service fulfillment, fraud prevention, internal operations, legal compliance and public purpose. The report includes a discussion of when the use of data in first-party marketing would meet the consistency standard as well as the permissibility of a “take-it-or-leave-it” approach to choice. Choice, when required, should be offered at a time and in a context that is relevant to the consumer’s decision about whether to allow data collection or use (which would typically be before or at the time of collection). Affirmative express consent should be obtained before a company uses consumer data in a way that is materially different from that claimed at the time of collection or when collecting sensitive data for certain purposes.
Privacy notices should be clearer, shorter, and more standardized. The report raises the particular challenges associated with providing notice in the mobile context and notes that mobile privacy disclosures will be among the topics addressed at a workshop the FTC has scheduled for May 30, 2012, on advertising disclosures in online and mobile media. At a minimum, companies should offer consumers reasonable access to the types of consumer data they maintain about them and the data’s sources, and, when warranted by the data’s use or sensitivity, provide access to individualized data and correction rights. All stakeholders—businesses, industry trade groups, consumer groups and government—should increase their efforts to educate consumers about data privacy practices.
Although it appears the FTC does not intend to use the framework as a basis for bringing enforcement actions, the FTC plans to promote voluntary implementation of the framework by industry through its policymaking efforts.
The five main areas on which the FTC will focus those efforts are:
- Development by industry of “an easy-to-use, persistent, and effective Do Not Track system” that consumers can use to control the tracking of their online activities
- Improvement by providers of mobile services of existing privacy protections for such services, including the development of “short, meaningful disclosures” for mobile services
- Creation by data brokers of a centralized website on which brokers would identify themselves to consumers, describe how they collect and use consumer data, and explain what rights consumers have to access data and make choices
- Further study of privacy and other issues relating to the tracking of consumer online activity by large platform providers
- Encouraging the development by industry stakeholders of sector-specific, self-regulatory codes while enforcing the FTC Act “against companies that engage in unfair or deceptive practices, including the failure to abide by self-regulatory programs they join”