Earlier today, the Federal Trade Commission issued its long-awaited report on privacy that is intended to provide guidance and best practices for businesses and suggestions for policy makers regarding privacy laws.
In the report, the FTC states that industry efforts to address privacy through self-regulation have been too slow, and up to now have failed to provide adequate and meaningful protection. The FTC specifically addresses the inadequacy of privacy notices that are difficult for consumers to understand and sometimes difficult to find.
Acknowledging the rapid changes in technology, increased collection of consumer data, and the benefits of such practices, the FTC proposes a new "framework" for the collection and use of consumer data composed of the following three principles: (1) privacy by design, (2) simplified choice, and (3) greater transparency. As part of this framework, the FTC supports the development of a "do not track" mechanism for online behavioral advertising that would enable people to avoid having their actions monitored online, a move the online-advertising industry has opposed. The report suggests that the most practical method of providing a do not track system would be to include a setting similar to a persistent cookie on a consumer's browser that would broadcast a consumer's desire not to be tracked or receive targeted advertisements.
Although the report does not propose specific changes to any FTC privacy rules, it does state that it is intended to inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy.
The report issued today is a preliminary report and the FTC is accepting public comments until January 31, 2011. Based on comments received, the Commission plans on issuing a final report in 2011. In the meantime, the FTC stated that it will continue its "vigorous law enforcement in the privacy area, using its existing authority under Section 5 of the Federal Trade Commission Act and the other consumer privacy laws it enforces."
Below is a summary of the new framework:
The proposed framework is not limited to companies that collect personally identifiable information, but would apply broadly to online and offline commercial entities that collect, maintain, share, or otherwise use consumer data that can be reasonably linked to a specific consumer, computer or device.
The framework contains three main components.
- Privacy by Design
  - Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.
  - Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy.
  - Companies should maintain comprehensive data management procedures throughout the life cycle of their products and services.
- Simplified Choice
  - Companies should simplify consumer choice.
  - Companies do not need to provide choice before collecting and using consumers' data for commonly accepted practices, such as product fulfillment.
  - For practices requiring choice, companies should offer easy to use choice mechanisms, at a time and in the context in which the consumer is making a decision about his or her data.
- Greater Transparency
  - Companies should increase the transparency of their data practices.
  - Privacy notices should be clearer, shorter, and more standardized, to enable better comprehension and comparison of privacy practices.
  - Companies should provide reasonable access to the consumer data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of its use.
  - Companies must provide prominent disclosures and obtain affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected.
  - All stakeholders should work to educate consumers about commercial data privacy practices.