The Federal Trade Commission (FTC) issued its much-anticipated final report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, on March 26. The report comes a month after the Obama Administration released a blueprint for strengthening online privacy, including a "Consumer Privacy Bill of Rights." The FTC report largely mirrors key points in the Administration's report.
The FTC announces in the report its adoption of a framework for protecting consumer privacy based on three best practices: (1) Privacy by Design whereby companies build privacy protections into every stage of the development cycle for both products and services; (2) Simplified Choice for Businesses and Consumers which gives consumers the ability to make reasonable decisions about their data, including a "Do-Not-Track" mechanism, while reducing the burden on businesses of providing unnecessary choices; and (3) Greater Transparency over information collection and use practices in order to better inform consumers and give them more access to their data. The framework applies to the handling by commercial entities of data (offline and online) that is reasonably linkable to a specific consumer, computer or device. The framework does not, however, apply to entities with fewer than 5,000 consumers per year that handle only non-sensitive data and do not share any data with third parties.
"Commonly Accepted" Practices vs. "Context" Standard. The FTC's final report adopts a "context of the interaction" standard instead of the "commonly accepted" data practices standard proposed in the prior draft report. Under this standard, companies are not required to provide consumers with a choice before collecting and using their data for practices that are: (1) consistent with the context of the transaction; (2) consistent with the company's relationship with the consumer; or (3) as required or specifically authorized by law. Complying with this standard will, of course, require important judgment calls by companies as to what is or is not reasonably within the "context" of an interaction or transaction with a consumer (e.g., behaviorally targeted advertising). The FTC states in the report that those practices previously identified in the draft report as not requiring consumer choice (i.e., fulfillment, fraud prevention, internal operations, legal compliance, public purpose and most first-party marketing) will not typically require consumer choice under the new "context of the interaction" standard.
Practices Requiring Affirmative Consent. The FTC confirms that affirmative consent should be obtained from consumers when companies make material retroactive changes to their privacy policies, and before collecting sensitive data, including information about children, financial and health information, social security number, and precise geo-location data (e.g., in the mobile app context). The FTC also states that companies targeting teens should consider additional protections such as shorter retention periods for collected data.
Effect of the FTC Report. Testifying before a House Energy and Commerce Subcommittee on March 29, FTC Chairman Jon Leibowitz explained that the FTC report is "not a regulatory document or an enforcement document," but instead is designed to provide guidelines for the industry. According to Chairman Leibowitz, while companies that follow the "best practices" outlined in the report would not violate the FTC Act (which prohibits "unfair" or "deceptive" trade practices), a failure to follow the guidelines would not necessarily invite an enforcement action. Offering a slightly different take on the report's possible ramifications, FTC Commissioner J. Thomas Rosch, in his dissenting opinion to the report, suggested that some companies might feel "obliged to comply with the best practices or face the wrath" of the FTC. These statements have caused some confusion on the part of companies that are evaluating whether their internal privacy and data security practices should (or must) fit neatly within the report's proposed framework.
FTC Report Action Items. The FTC report also previews a plan for the agency, together with industry members, to develop and implement several core framework principles over the next year to accelerate the pace of self-regulation. Specifically, the FTC plans to focus on the following five action items:
- Do Not Track: The FTC noted that industry has made significant progress in implementing "Do Not Track" technology that enables consumers to opt out of the use of data about their web-browsing behavior. The FTC points out, however, that these technologies do not go far enough, and should also include technology to allow consumers to exercise choice over collection of behavioral data for all purposes other than those that are consistent with the context of the interaction. It is worth noting that even when consumers enable Do-Not-Track functionality within their browsers, these technologies only work when the entities that are tracking actually follow the choices elected by the consumer. While the FTC is optimistic that it can work with industry groups to voluntarily adopt a "Do-Not-Track" mechanism that is persistent, easy to use, and applies to the collection as well as the use of personal information, it warned that if companies fail to adopt a satisfactory mechanism, the FTC would support congressional action to mandate its adoption.
- Mobile: The FTC calls on companies providing mobile services to work toward improved privacy protections, particularly in the development of short and meaningful disclosures that can be viewed on smaller mobile screens. The FTC is hosting a workshop on May 30, 2012, to address mobile privacy disclosures, and it hopes the workshop will generate additional guidance and spur further industry self-regulation in this area.
- Data Brokers: The FTC supports specific and targeted legislation to address consumers' lack of visibility to and control over the collection and use of consumer information by so-called "data brokers." This legislation would provide consumers with access to the information about them that is held by a data broker. Data brokers who compile this information for marketing purposes would also be required to create a centralized website where such brokers (1) identify themselves to consumers and describe how they collect and use consumer data, and (2) detail the access rights and other choices they provide with respect to the consumer data they maintain.
- Large Platform Providers: The FTC believes that heightened privacy concerns arise out of tracking of consumer activity by large platforms such as Internet Service Providers, browsers, operating systems and social media (e.g., Google and Facebook). To further explore the privacy issues raised by these large platform providers, the FTC plans to host a public workshop on this issue later in 2012 to determine if additional guidance is necessary, as well as how competition issues may bear on appropriate privacy protection.
- Promoting Enforceable Self-Regulatory Codes: The Department of Commerce, at the direction of the White House, is undertaking a project to facilitate the development of sector-specific codes of conduct. The FTC report endorses this process and states that the FTC will view as favorable adherence to any strong privacy codes that are developed.
Mobile Privacy Remains Hot. Other than data breaches, perhaps no issue has received more media and regulatory attention over the past several months than mobile data privacy and security. Last month, the FTC staff released the results of a survey of mobile apps for children, which concluded that neither the app stores nor the app developers were providing sufficient disclosures or notifications to comply with the Children's Online Privacy Protection Act (COPPA). At around the same time, media outlets began reporting on how certain mobile apps were collecting address book information and photo images from consumers' mobile devices. In response to these reports, Representative Henry Waxman (D-CA), Ranking Member on the House Energy and Commerce Committee, and Representative G.K. Butterfield (D-NC), Ranking Member of the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade, sent letters on March 22, 2012, to 34 companies inquiring about their information collection and use practices.
The FTC report likewise focuses on mobile issues, calling on companies to work toward more effective disclosures and to improve methods of delivering such disclosures on the smaller mobile device screens. The FTC report also notes that the collection and use of geo-location data is of particular concern because of its highly personal nature, especially when children are involved. The FTC's workshop on May 30, 2012, should offer additional insight into the types of self-regulatory actions that mobile app developers can take to minimize the risk of an FTC investigation.