The report itself does not establish any new laws or regulations. However, in dissenting to the report (which was adopted by a 3-to-1 vote), Commissioner Thomas Rosch suggested it would be a mistake to assume that the report's recommendations are "voluntary." He wrote that companies that do not comply with the "best practices" may "face the wrath of 'the Commission' or its staff."
The best practices recommended by the report are organized in a three-part framework:
- Privacy by Design - companies should build in consumers' privacy protections at every stage in developing their products. These include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy.
- Simplified Choice for Businesses and Consumers - companies should give consumers the option to decide what information is shared about them, and with whom. This should include a Do-Not-Track mechanism that would provide a simple, easy way for consumers to control the tracking of their online activities.
- Greater Transparency - companies should disclose details about their collection and use of consumers' information, and provide consumers access to the data collected about them.
In a press release, FTC Chairman Jon Leibowitz made clear his expectation that consumers will have "an easy to use and effective Do Not Track option by the end of the year." If they don't, he said, lawmakers will want to enact legislation.
Mobile privacy is also a major focus of the report, in large part because the industry has not coalesced around a set of standards as it has in the context of online behavioral advertising. The FTC urged companies offering mobile services to work toward improved privacy protections and noted that it will host a workshop on May 30 to address how mobile privacy disclosures can be short, effective, and accessible to consumers. The Mobile Marketing Association was the first to release a guidelines document that addresses the core privacy issues and data processes of many mobile applications. Notably, however, the guidelines acknowledge that opt-out mechanisms in the mobile ecosystem are in their infancy, stating that "We recognize that the mobile marketplace continues to experiment with different types of opt-out mechanisms—and strongly encourage the mobile application developer community to participate in these experiments to the benefit of consumer privacy interests."
The report also contains important recommendations regarding data brokers, which often buy, compile, and sell highly personal information about consumers. The report makes two recommendations to increase the transparency of such practices. First, it reiterates the Commission's prior support for legislation that would provide consumers with access to information held by data brokers. Second, it calls on data brokers that compile consumer data for marketing purposes to explore creation of a centralized website where consumers could get information about data broker practices and about their options for controlling data use.
Lawmakers immediately responded to the report's call to action. Sen. John Kerry (D-Mass.) urged Congress to take up the Consumer Privacy Bill of Rights, which he and Sen. John McCain (R-Ariz.) introduced last year. Sens. Jay Rockefeller (D-W. Va.) and Patrick Leahy (D-Vt.) also urged Congress to seriously consider the FTC's recommendations, while others pledged to push ahead with bills that would restrict online marketing to children.
The final privacy report expands on a preliminary staff report the FTC issued in December 2010 and arrives just a few weeks after the White House released its "privacy bill of rights." The bill of rights called on companies to be more transparent about privacy and to grant consumers greater access to their data. Although the preliminary report recommended that the proposed framework apply to all commercial entities that collect or use consumer data, the final report recognizes the potential burden this would place on small businesses and thus concludes that the framework should not apply to companies that collect only non-sensitive data from fewer than 5,000 consumers a year and do not transfer that data.