The Federal Trade Commission (“FTC” or “Commission”) issued its much-anticipated privacy report on December 1, 2010. The report, titled “Protecting Consumer Privacy in an Era of Rapid Change,” sets forth the Commission’s proposed framework for how companies could address consumer privacy. In addition, Commission staff has expressed support for a universal choice mechanism with respect to online behavioral advertising, sometimes referred to as “Do Not Track.” The report suggests that this mechanism could be achieved either legislatively or through industry self-regulation. Comments on the report are due January 31, 2011. The Commission intends to issue a final report in 2011.

In general, the report provides a detailed, historical context on the evolution of privacy policy. The report calls for best practices, but does not specifically forward any legislative proposals. The report asks numerous questions on how to implement the broader framework, but does not provide much in the way of specific proposals or standards for enforcement at this time. The following is a summary of the key themes from the report.

Privacy by Design. The report calls for companies to promote consumer privacy and security throughout their organizations, business practices, and development of their products and services. This concept includes:

  1. providing reasonable security for consumer data;
  2. collecting only the data needed for a specific business purpose;
  3. retaining such data only as long as necessary to fulfill that purpose;
  4. safely disposing of data when no longer needed; and
  5. implementing reasonable procedures to promote data accuracy.  

The report also calls for companies to adopt procedures to promote privacy practices that are scaled to each company’s business operations and data practices. These procedures should include appointing personnel to oversee privacy issues, training employees, and conducting privacy reviews when developing new products and services.

Simplified Choice. The report calls for companies to provide simplified, streamlined choice to consumers with respect to their data practices. The Commission’s report does not call for universal choice for all collection and use, but instead has developed a bifurcated approach based on the purpose for which data is collected. The Commission suggests that choice is not necessary when collection and use is done for “commonly accepted” practices such as first-party marketing, product fulfillment, fraud prevention, and other internal operations (e.g., improving services offered and legal compliance).

For data practices that are not “commonly accepted,” companies should provide consumers with choice. To ensure consumers are able to make informed and meaningful choices, the Commission states that choice should be clearly and conspicuously described and offered when the consumer is making a decision about providing data.

When offering choice is appropriate, the report provides suggestions on where to offer choice in specific contexts including online and offline collection by retailers, social media, and mobile platforms. For instance, the Commission states that for retailers with direct interaction with consumers online, the disclosure and control mechanism should appear on the page on which the consumer types in his or her personal information. For offline retailers, notice and choice should be provided at the point of sale (i.e., the cashier could ask the consumer if they would like to receive offers from the retailer).

The report does not specify whether opt-in or opt-out consent is required for practices that do not fall into “commonly accepted” practices, and invites comment on this issue.

Greater Transparency. The report calls for companies to make their data practices more transparent to consumers by providing clearer, shorter, and more standardized privacy statements. The FTC stated that this approach would permit consumers to compare data practices and choices across companies.

Reasonable Access. The report recommends that companies provide reasonable access to data, particularly those companies that collect information but do not directly interact with consumers such as data brokers. The report states that the extent of access should be proportional to both the sensitivity of the data and the intended use.

Material Changes to Data Practices. The Commission reiterated its position that companies should provide robust notice and obtain affirmative consent for material, retroactive changes to data policies. Education. The Commission has proposed to undertake a broad effort to educate consumers about data collection and the availability of choices.

Education. The Commission has proposed to undertake a broad effort to educate consumers about data collection and the availability of choices.