In December 2010, the Federal Trade Commission ("FTC") and the U.S. Department of Commerce each released a report on consumer privacy. Both reports grew out of year-long reviews of the existing US consumer privacy regime, and both voice the concern that technology has outpaced consumer privacy protection. The FTC's report focuses primarily on online advertising, while the Commerce Department's report addresses commercial data privacy issues exclusively. Both recommend more comprehensive consumer privacy protection with broader application, both are preliminary, and both seek further public comment on the specific proposals they set forth; each agency plans to issue a final report sometime in 2011. Since the reports were released, several major browser vendors have acted on their recommendations, and new legislation has been proposed.

Data privacy has become a featured topic of political discussion in recent weeks. Governing bodies in Europe have pledged to revisit their existing privacy framework and perhaps to make it stricter and broader in reach. In addition, the Obama administration is now actively advocating a privacy bill of rights for consumers that echoes a number of the basic principles of European law. Several publications, such as The Wall Street Journal, have published articles detailing corporate data practices, particularly in the advertising area, of which the average consumer may not previously have been aware.

To keep our readers current on this rapidly evolving discussion, this posting summarizes the two preliminary reports and certain reactions and industry actions taken in response to them. We have also provided an update on the pending legislation, which promises to be outdated shortly, given rumblings that new legislation will be introduced in Congress very soon.

Federal Trade Commission's Proposed Privacy Framework

The FTC has authority under Section 5 of the Federal Trade Commission Act to take action against companies that engage in unfair or deceptive acts or practices in interstate commerce.1 Under this broad power, the FTC has become the government's enforcement agency against companies that violate their stated privacy policies or engage in data practices that are potentially unfair or deceptive to consumers.

The FTC issued a staff report containing a preliminary proposed privacy framework (the "Privacy Framework") on December 1, 2010.2 The stated purpose of the Privacy Framework is advisory, "to inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy, and guide and motivate industry as it develops more robust and effective best practices and self-regulatory guidelines."3 The Privacy Framework applies broadly to commercial entities that collect, maintain, share or otherwise use consumer data, which (1) can be "reasonably linked" to a consumer, computer or other device,4 and (2) is collected or used either online or offline.5 This constitutes an expansion of the reach of generally applicable privacy schemes and a move to align the overall approach to consumer privacy with the FTC's proposals concerning online behavioral advertising.6

The Privacy Framework is structured around three main conceptual components: (a) Privacy by Design; (b) Simplified Choice; and (c) Greater Transparency.7 First, the FTC recommends that companies adopt a "privacy by design" approach, integrating privacy protections into their daily business practices and enforcing procedurally sound privacy practices, in each case as appropriate to the nature of the business and the data being collected.8 The second element of the Privacy Framework divides uses of consumer data according to whether a business practice is "commonly accepted," with the goal of businesses offering consumers simpler and more streamlined choices about how their data will be handled.9 "Commonly accepted practices," such as product and service fulfillment, fraud prevention, legal compliance and first party marketing, require no choice before consumers' data is collected and used for the stated purpose.10 Practices that are not considered "commonly accepted," however, require simplified and more meaningful choices to be presented to consumers at the point at which the consumer enters his or her information, or before the consumer accepts a product, application or service.11 The Privacy Framework specifically provides that information sharing that occurs as a default setting should be disclosed clearly and conspicuously at the time the consumer signs up for the service.12 The third and final element of the Privacy Framework, increased transparency, encompasses four recommendations: (i) clearer, shorter and standardized privacy notices; (ii) reasonable consumer access to data, based on a sliding scale of sensitivity and intended use of the data; (iii) robust notice and affirmative consent for material, retroactive changes to data policies; and (iv) efforts to educate consumers about commercial data practices and the choices available to them.13

As part of the "simplified choice" component, the FTC recommends the development of a uniform, clear, easy-to-locate and comprehensive means of choosing whether to allow collection and use of data regarding online searches and browsing activities, more commonly referred to as a "Do-Not-Track" mechanism.14 The FTC recommends consideration of the feasibility of this type of mechanism, but proposes that the placement of a persistent setting on a consumer's browser, similar to a cookie, would be a practical approach.15 The Privacy Framework proposes that the mechanism could be implemented via legislation or robust self-regulation.16

The Commerce Department's Privacy Green Paper

On December 16, 2010, the Department of Commerce released a green paper focused exclusively on commercial data privacy issues, entitled "Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework," (the "Commerce Report").17 The Commerce Report sets forth initial policy recommendations for a "dynamic framework to increase protection of consumers' commercial data and support innovation and evolving technology."18

The Commerce Report proposes ten recommendations related to commercial data privacy, which fall into four general categories: (1) developing a baseline commercial data privacy framework built on an expanded set of Fair Information Practice Principles ("FIPPs") that emphasize substantive privacy protection, rather than create procedural hurdles;19 (2) creating industry-specific voluntary, enforceable privacy codes of conduct to address issues not covered by the general baseline FIPPs (for example, emerging technologies or areas requiring more specific discussion or stronger protection in certain industries), through collaboration between the FTC, multi-stakeholder groups, and a new commercial data Privacy Policy Office ("PPO"), proposed to be housed within the Department of Commerce;20 (3) adopting a privacy regime that reduces trade barriers and encourages cross-border data transfers and global interoperability of commercial privacy frameworks;21 and (4) establishing a federal commercial data security breach notification law that sets national standards, authorizes enforcement by the FTC and state authorities, and addresses the reconciliation of inconsistent state laws.22

A FIPPs-based framework would allow for comprehensive coverage that fosters clarity and informed consumer consent, and the flexibility of a principle-based framework could also ensure continuity across industries and as new technologies are adopted.23 Notably, the Commerce Report does not provide a specific recommendation as to the mechanism for adoption of these FIPPs, and seeks commentary regarding the advisability of developing legislation in this area.24 The Commerce Report contemplates that the baseline commercial data privacy framework would be modeled on existing state privacy laws, and would supplement and fill gaps in, but not preempt, existing sectoral privacy laws such as the Gramm-Leach-Bliley Act ("GLBA") and the Health Insurance Portability and Accountability Act ("HIPAA").25 The Commerce Report notes that commenters expressed mixed opinions concerning whether a baseline commercial privacy framework should preempt state law regimes and asks for further commentary on this point.26

With respect to enforcement, the Commerce Report contemplates that the PPO would work with the FTC to develop voluntary enforceable codes of conduct, but the Commerce Report makes clear that the FTC will remain the exclusive enforcement body for compliance with such codes of conduct.27

Finally, the Commerce Report includes a separate recommendation for review of the Electronic Communications Privacy Act ("ECPA") in light of new technologies, including cloud computing and location-based services.28 Although not part of the initial focus of the report, many commenters expressed concern that technology has outpaced the protection provided by ECPA, and that consumers need clarity regarding protection of emails and information such as location-based and transactional non-content data, as well as cloud-stored documents.29

Reactions to the Privacy Framework and the Commerce Report

  1. Commentary Regarding the Reports

There has been a great deal of public comment and debate on the privacy issue. Criticisms of the Privacy Framework focus primarily on the proposed do-not-track mechanism.30 For example, the Interactive Advertising Bureau ("IAB") has commented that such a tool has significant problems, in that, unlike the Do Not Call Registry, "turning off" sharing on the Internet is essentially impossible.31 Google commented that many options are emerging for consumers to set a do-not-track preference, and therefore, "do-not-track can be achieved without large-scale blocking of third-party content, including advertising."32 Microsoft similarly supports industry self-regulation, and has urged the FTC to remain technology neutral and avoid mandating any particular do-not-track mechanism over others.33 In response to the Privacy Framework, Facebook commented that legislation imposing a do-not-track mechanism would be premature, and that the private sector will be better able to develop solutions to address user concerns about behavioral advertising and protect personal information.34

However, consumer and privacy groups such as Consumer Watchdog and the Electronic Privacy Information Center ("EPIC") have commented that self-regulation has not worked and that a universal do-not-track mechanism needs to be implemented through legislation.35 Consumer Watchdog additionally recommended a browser-based do-not-track mechanism where consumers would need only one location to express their preferences, and favored the header system adopted by Mozilla's Firefox.36 However, unlike the other privacy groups, the Electronic Frontier Foundation stated that "do-not-track legislation is not necessary at this point" because browser vendors are likely to integrate do-not-track tools into browsers.37 Other comments included: (1) de-identified data should be protected with the same privacy practices as other sensitive consumer data;38 and (2) notice and choice is "not stable or meaningful," and privacy protection must be based on the implementation and enforcement of Fair Information Practices.39

In response to the Commerce Report, Google and Microsoft both commented that they support comprehensive privacy legislation that sets forth baseline privacy protections, but recommended that such legislation should not be specific to any one technology, industry or business model.40 Microsoft also strongly recommended that such privacy legislation should include safe harbors whereby a company that complies with a self-regulatory program approved by the FTC is deemed to comply with statutory requirements.41 Such safe harbor type provisions would arguably encourage a general minimum level of compliance in exchange for shielding companies from class action lawsuits or agency enforcement actions. Facebook, however, is opposed to new legislation and commented that the FIPPs would be best implemented through industry self-regulation, in combination with judicious enforcement by the FTC under its existing authority.42 Visa has also commented that the notice and choice FIPPs should not be applied to intermediary entities that do not directly interact with consumers.43 Additionally, Visa has raised concerns that requiring companies to publicize their Privacy Impact Assessments ("PIAs") would expose company trade secrets.44 Finally, Visa has commented that employee data should not be subject to the full set of FIPPs obligations that would apply to consumer data.45 Another question that remains open is how business information, such as that which would be freely transferred by an exchange of business cards, should be treated.

EPIC has recommended that the proposed comprehensive federal privacy legislation be based on Fair Information Practices.46 Consumer Watchdog and EPIC also suggested the creation of an independent Privacy Protection agency outside of the Department of Commerce to better protect consumer privacy interests instead of the proposed privacy office within the Department since the Department by definition is focused on business interests.47 Both groups further urged the Department of Commerce to support comprehensive international privacy protection, particularly the Council of Europe Privacy Convention.48 There can be no dispute that some form of international harmonization in privacy regulation would benefit both consumers and companies.

  2. Industry Action

After encouraging the industry to self-regulate for a number of years, it appears the U.S. government believes legislation or enforced regulation may be necessary. With the threat of government action and change looming, leading Internet browser manufacturers have started implementing changes. The question remains as to whether it is a case of too little change, too late.

Following the release of the Privacy Framework and the Commerce Report, Microsoft, Mozilla and Google all rolled out new browser features that provide additional privacy protection to consumers online. On January 23, 2011, Mozilla Corporation announced that it plans to add an opt-in do-not-track feature to its Firefox Web browser. A consumer who sets the browser preference would opt out of online behavioral advertising: Firefox would transmit a do-not-track HTTP header with each request, communicating to third party advertisers a request to receive non-personalized ads and to have the user's activity logged only anonymously.49 Microsoft's Internet Explorer version 9 ("IE9"), released on March 15, 2011, includes a do-not-track tool as well as an opt-in privacy tool, Tracking Protection Lists, which allow users to install a list of websites that will be blocked from receiving the user's information unless the user visits the website directly.50 In response to the release, the IAB publicly commented that its members do not know how to respond to a do-not-track mechanism, citing a lack of context and standards for reacting to such requests from users.51 Google has announced a downloadable extension for Google Chrome called "Keep My Opt-Outs," which allows users to permanently opt out of ad-tracking cookies from online advertisers that participate in self-regulatory opt-out programs such as the Network Advertising Initiative.52 Neither Google nor Apple has announced an intention to implement a do-not-track mechanism in its respective browser.53

Google has, however, agreed to adopt a twenty (20) year comprehensive privacy by design type program into its business practices to "address privacy risks related to the development and management of new and existing products and services," albeit in the context of a proposed consent order to settle FTC charges that Google violated the FTC Act in connection with the launch of its social networking application, Google Buzz.54 The FTC alleges that Google failed to adequately notify its Gmail users that their email contacts would be made public by default in Google Buzz, which represented a change in the manner in which Google collected and disclosed Gmail users' personal information.55 The FTC claims that this practice was deceptive and contrary to Google's general privacy policy, which provided that Google would "ask for [users'] consent prior to" using their personal information "in a manner different than the purpose for which it was collected."56 The FTC also claims that Google's representation that its privacy practices were in compliance with the principles of the US-EU Safe Harbor privacy framework57 was false because Google failed to provide its users with notice and choice prior to using their information for a purpose different from that for which it was collected.58

The consent agreement, if finally approved by the FTC, would prohibit Google from misrepresenting the manner in which it collects and uses personal information and the extent to which its users have control over it, as well as the extent to which Google complies with the provisions of privacy programs including the US-EU Safe Harbor.59 The agreement requires Google to implement a comprehensive privacy program that will be audited every two years, and requires that Google obtain express affirmative consent from its users before changing any of Google's personal information practices.60 The proposed consent agreement was issued with a cautionary concurring statement from Commissioner J. Thomas Rosch, expressing concern that (and requesting public comment regarding whether) the opt-in consent portion of the proposed consent order may be contrary to both Google's and the public interest.61 The FTC's pursuit of, and restrictive proposed settlement with, Google suggests that the FTC's patience with self-regulation may have worn out. The proposed consent order is also significant because it incorporates the principles of the Privacy Framework, notably the privacy by design principle, by mandating that Google make privacy audits part of the fabric of its daily operations; companies may be well advised to start treating this principle as a requirement rather than a recommendation.

  3. Proposed Legislation

There has also been significant activity in proposed US privacy legislation following the release of the two reports. On February 10, 2011, Representative Bobby Rush re-introduced privacy legislation that he initially proposed in 2010.62 On February 11, 2011, California Congresswoman Jackie Speier held a press conference to introduce two federal privacy bills.63 First, the "Do Not Track Me Online Act of 2011" (H.R. 654) would authorize the FTC to develop do-not-track regulations requiring covered entities to respect a consumer's choice to opt out of the collection and use of his or her personal information for activities not considered to be commonly accepted commercial practices; a failure to do so would be enforced by the FTC as an unfair and deceptive trade practice.64 The "Financial Information Privacy Act of 2011" (H.R. 653) is a proposed amendment to the GLBA, focused on increasing consumer control of financial information and requiring, among other things, opt-in consent for disclosures of consumer information to non-affiliated third parties.65

There has also been discussion of additional federal legislation being introduced in 2011. Representative Ed Markey suggested that he will propose a bill featuring a do-not-track mechanism targeted at children's privacy, and Representative Cliff Stearns stated that he will revive the bill he proposed in 2010 with Representative Rick Boucher.66 The Children's Online Privacy Protection Act ("COPPA") was enacted in 1998 and admittedly has fallen behind in its applicability to modern technology.67 Senators John Kerry and John McCain are circulating proposed legislation to create an "Online Privacy Bill of Rights," which would cover data collected across all industries, ranging from names and addresses to fingerprints and the unique IDs assigned to individuals' cell phones and computers.68 The Obama administration also supports a "Privacy Bill of Rights" and is pushing Congress to pass legislation to protect consumers from intrusive data gathering.69 The Kerry/McCain bill is perhaps the most anticipated of the privacy bills, as it will apparently draw on a number of recommendations from the agencies' reports and on the privacy principles that underlie the European laws. It also seems that, once completed, it will be consistent with the stated goals of the Obama administration.


The regulation of consumer privacy in the gaps between existing sectoral and state legislation is an area that is receiving consistent media attention, which is likely to continue. Although no definitive solution has yet been established, the sheer volume of activity in this space is notable and should be monitored in the near future.

Companies are well advised to start auditing their stated privacy policies and Internet website terms of use with legal counsel. A review of existing practices with respect to collected consumer data, particularly from online advertising practices, is recommended as well. Simplifying stated policies and providing greater transparency at this time, or at least starting the process of working towards such a goal, will allow companies to be ahead of any new legislation or regulation which will hopefully ease the cost of future compliance.