In a preliminary report to Congress, released by the FTC last week, the agency proposed sweeping changes to how it believes companies should approach consumer privacy. This report marks a major change in the way the FTC approaches privacy, essentially creating an EU-like approach for all entities that collect and maintain personal information. The FTC has sought industry input by January 31, 2011. Although the FTC’s comments about online behavioral advertising and a “do not track” functionality (under which a consumer could set his or her browser to stop any online behavioral advertising) have received a great deal of publicity, the report includes many other proposals that would have significant impact.
In particular, the FTC contemplates a three-pronged approach to privacy. First, it recommends that companies incorporate privacy protections at every stage of their business, treating privacy as a “basic consideration – similar to keeping track of costs and revenues.” Under this prong, companies would need reasonable security to protect personally identifiable information, reasonable limits on collection, sound retention practices, safe disposal of data that is no longer needed, and efforts around data accuracy. These types of procedural recommendations about business operations have arisen not only abroad, but also in state laws and laws specific to certain types of information (health, financial). This is the first time, however, that the FTC has issued such sweeping recommendations about procedural steps companies should put in place for general personally identifiable information.
Finally, the third prong would require companies to give better transparency about their data practices. These steps include improving privacy policies to make them easier to understand and compare, giving consumers reasonable access to information maintained by the company about them, obtaining consent prior to changing practices, and increasing consumer education. Many of the specific steps in these three prongs have already been enforced by the FTC under its authority through the FTC Act, although some are new, or have not been fully fleshed out under current FTC case law.
TIP: Companies should consider getting involved in the comment process. The suggestions from the FTC could have far-reaching implications for how companies operate their businesses, and portions could be enforced – without new legislation – under existing authority from the FTC Act. For other areas, at least three legislators appear to be looking into proposing new broad privacy laws in 2011. Companies that maintain personal information should begin to think about what parts of the proposed approach they already follow, what parts might require changes to their internal procedures, and how such changes could be effectuated.