As a result of the issuance by the Federal Trade Commission (FTC) of its new privacy guidelines, retailers should re-evaluate their privacy policies regarding the collection and use of consumer information.
On Dec. 1, 2010, the FTC issued its long-awaited report, titled "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers." The report was developed after a series of roundtable discussions designed to explore privacy issues in the 21st century. The framework attempts to balance the privacy interests of consumers against the interests of businesses in using consumer information to sell products and services. According to the report, the distinction between personally identified information and non-personally identified information is "of decreasing relevance" and, as a result, de-identified information should also be protected.
The report is applicable to all "commercial entities that collect data that can be reasonably linked to a specific consumer, computer, or other device." Consequently, the scope of the report is very broad. Furthermore, the report purports to apply to the online and offline world and not only to companies that work directly with consumers.
In summary, the report states that companies (i) should promote consumer privacy throughout their organizations and at every stage of the development of their products and services; (ii) should simplify consumer choice; and (iii) should increase the transparency of their data practices.
As stated above, the report proposes that companies address privacy issues from the start of any development of new products, services and business models, and should adopt a "privacy by design" policy by building privacy protections into a company’s everyday business practices. These policies should include issues relating to data security, reasonable collection limits, sound retention practices, and data accuracy. The FTC recommends (i) assigning personnel to oversee privacy issues from the earliest stages of research and development, (ii) training employees on privacy issues, and (iii) conducting privacy reviews of new products and services to determine the privacy implications of such innovations. Appropriate data-retention periods should be a legal requirement.
The report also suggests that companies provide simple, streamlined choices to consumers about their data practices. For "commonly accepted" data practices – such as collecting a consumer’s name and address to deliver a product – consumer choice would not be necessary. But for data practices that are not "commonly accepted (including data practices such as behavioral advertising)," consumers would be provided meaningful choices about how their data will be used. The report also proposes the establishment of a uniform "do not track" option, by which consumers would be able to opt out of having their online activities tracked for advertising purposes.
Finally, the report proposes that companies make their data practices more transparent because people don't read or understand data policies as currently written. This part of the report focuses on providing consumers with clear, concise, easy-to-read policies, access to the data that companies maintain about them, as well as notice and consent for significant retroactive changes to data policies.
Companies should reassess their policies regarding collection, protection and use of consumer information to ensure that they are consistent with the FTC guidelines because the report recommends additional protection for a broad base of information as well as more transparency and choice about how a consumer's information is being used.