Companies that may be subject to new privacy rules for consumer, employee, and other personal information, which are expected to be adopted in the first half of 2011, should consider filing comments on recommendations contained in the reports recently issued by the Federal Trade Commission ("FTC") and the Department of Commerce ("Commerce").

Comments on the Commerce report are due January 28, 2011 and comments on the FTC report are due January 31, 2011.

The FTC in December released a preliminary staff report entitled "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers" ("FTC Report"). The FTC proposed major changes to its existing regulatory framework to accommodate the rapidly changing privacy/technology landscape, focusing on three components:

  • Privacy by Design – incorporating privacy protections into the design of products, services, and processes;
  • Simplified Choice – enabling consumers to readily opt into or out of personal data collection; and
  • Greater Transparency – clearly disclosing data collection practices.

One of the most controversial elements of the FTC Report is its recommendation that a "Do Not Track" mechanism akin to the FTC’s successful "Do Not Call" list be implemented to limit online data collection and targeted advertising.

The FTC posed a series of 64 questions for comment. It is anticipated that comments submitted by businesses, particularly regarding the cost and feasibility of implementing Do Not Track and other recommendations in the FTC Report, will have a significant influence on how the agency will regulate the collection and handling of personal information going forward. For example, the FTC is seeking comments on what types of data collection should be considered "commonly accepted" and not requiring prior consent, and whether opt-out or opt-in regimes are appropriate for data falling outside the "commonly accepted" definition – a crucial distinction for many businesses, which will significantly impact the cost of compliance.

Also in December, Commerce issued its own set of recommendations in a "Green Paper" entitled "Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework." The Green Paper sets forth 10 recommendations that could substantially alter U.S. privacy regulation. Commerce recommends establishing a baseline set of privacy requirements (a so-called "Privacy Bill of Rights") through recognition of the "Fair Information Practice Principles," which would help fill gaps where certain businesses are not subject to one of the existing, sector-specific privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act. The Green Paper also proposes the creation of a Privacy Policy Office within Commerce, which would offer safe harbors as an incentive for businesses to comply with voluntary codes of conduct, and would encourage global interoperability in effectuating trans-border data transfers. Perhaps most important for those businesses struggling to comply with 45 (and counting) different state data breach notification laws is Commerce’s proposal to enact a federal data breach notification law. Commerce has requested comments on 42 questions presented in the Green Paper.