On December 1, 2010, the Federal Trade Commission released its long-awaited report on online privacy entitled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.” Observers expected the report to address the concept of privacy by design, the burdens placed on consumers to read and understand privacy notices and make privacy choices, the provision of individual access to personal data and the rights of consumers with respect to Internet tracking. The FTC report introduces a privacy framework to “establish certain common assumptions and bedrock protections on which both consumers and businesses can rely as they engage in commerce.” It includes the following elements:
- Scope - The framework applies to “to all commercial entities that collect consumer data in both offline and online contexts, regardless of whether such entities interact directly with consumers.” Importantly, the framework “is not limited to those who collect personally identifiable information (‘PII’)” but also to “those commercial entities that collect data that can be reasonably linked to a specific consumer, computer, or other device.”
- Privacy by Design - Companies should “incorporate substantive privacy and security protections into their everyday business practices and consider privacy issues systemically, at all stages of the design and development of their products and services” by employing reasonable safeguards, collecting information to fulfill a specific need, implementing reasonable data retention periods, taking reasonable steps to ensure the accuracy of data they collect, and developing comprehensive, company-wide privacy programs.
- Simplified Choice - Companies should “describe consumer choices clearly and concisely, and offer easy-to-use choice mechanisms . . .at a time and in a context in which the consumer is making a decision about his or her data.” In the online context, this includes a Do-Not Track mechanism that involves “placing a setting similar to a persistent cookie on a consumer’s browser and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements.” In the offline context, this could include, for example, having a cashier in a retail store “ask the customer whether he would like to receive marketing offers from other companies.”
- Greater Transparency - Companies should “make their data practices more transparent to consumers” by developing shorter, standardized notices, providing reasonable access to the consumer data they maintain, obtaining “opt-in consent before using consumer data in a materially different manner than claimed when the data was collected, posted, or otherwise obtained” and educating consumers about commercial data privacy practices.
The FTC report is expected to be followed by a separate privacy report from the Department of Commerce. The FTC is requesting comments on “each component of the proposed framework and how it might apply in the real world” by January 31, 2011, and plans to issue a final report later in 2011.