After a year of public roundtables designed to gather input on privacy issues from many sectors, on Dec. 1, 2010 the Federal Trade Commission (FTC) released its preliminary report, Protecting Consumer Privacy in an Era of Rapid Change. The FTC seeks comments on the proposed framework by Jan. 31, 2011, and will issue its final report in 2011.
The major themes that emerged from the FTC roundtables were:
- The ubiquitous collection and use of consumer data.
- Consumers’ lack of understanding and ability to make informed choices about the collection and use of their data.
- The importance of privacy to consumers.
- The significant benefits enabled by the increased flow of information.
- The blurring of the distinction between personally identifiable information and supposedly anonymous or de-identified information.
According to the FTC, the framework, outlined below, is designed to improve transparency and simplify the ability of consumers to exercise choice while preserving the consumer benefits inherent in the free flow of information.
Applies to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer or other device.
- Both offline and online context, regardless of whether such entities interact directly with consumers.
- Not limited to only those who collect personally identifiable information (PII). The distinction between PII and non-PII is blurred due to technology that allows data to be combined and re-identify consumers.
The Three Main Principles
1. Privacy By Design – Businesses should promote consumer privacy at every stage of development.
- Establish reasonable safeguards (physical, technical and administrative) to protect information, including attention to data security, reasonable collection limits, sound retention practices, and data accuracy.
- Designate specific personnel responsible for privacy programs, training programs and promoting accountability.
- Special attention needed for peer-to-peer (P2P) file-sharing software use.
- Use of privacy-enhancing technologies, such as identity management, data tagging tools and use of encryption technology is encouraged.
2. Simplified Choice - Guidance on choice and consent requirements.
Consumer Choice NOT Required – narrow set of collection and use activities
- “Commonly Accepted Practices” – including product & service fulfillment; internal operations (customer service); fraud prevention; legal compliance and first-party marketing (recommendations based on consumer’s prior purchases on the website).
- Data collection is obvious from the context of transaction and consumer consent is inferred.
- First party marketing includes only the collection of data from the consumer with whom the company interacts directly for purpose of marketing to that consumer. Does NOT include data shared with third party, including business affiliate unless the affiliate relationship is clear to consumers through common branding or similar means.
Consumer Choice Required – informed and meaningful choice
- Timing: Give consumer the choice at the time and in a context in which consumer is making the data decision. Displayed clearly and conspicuously on the page where consumer types in personal information or at the point of sale.
- Choices buried in long privacy policies and pre-checked boxes are not effective means of obtaining meaningful, informed consent.
- Sensitive information warrants special protection and affirmative express consent: Includes information about children, financial and medical information, and precise geolocation data.
- Tracking of a consumer’s online activities by the consumers’ Internet Service Provider (ISP) through use of “deep packet inspection” is not something consumers would anticipate and therefore is not considered a commonly accepted practice and consumer consent should be required.
- DO NOT TRACK option for online behavioral advertising. Allows consumers easy to understand method to control online tracking.
FTC requests comments on whether DO NOT TRACK should be a total block or if it should include varying degrees of restrictions as to the type of advertising received or the type of data collected about the consumer.
3. Greater Transparency
- Privacy notices should be clearer, shorter and more standardized.
- Businesses should provide reasonable access to the consumer data it maintains, especially as to sensitive data.
- Any material change in how consumer data is collected or maintained requires a prominent disclosure and affirmative express consent from consumers.
- Consumer education programs by businesses regarding their data policies are encouraged.
The FTC’s online privacy report left a number of issues open for additional comment, including whether the procedure for consent should be "opting in" or "opting out" and the impact on affiliate marketing.