The basic rules governing privacy of customer information have been relatively stable for a number of years. But this regulatory environment is in the midst of fundamental change. This advisory provides a brief summary of existing principles of consumer[1] privacy law, discusses recent developments in the area, and outlines how certain key principles are anticipated to change as a result of slowly emerging shifts in the policy-making and enforcement functions of the Federal Trade Commission, which soon may be codified by Congress into new privacy laws that would apply broadly to commercial industries.
Brief Overview of Consumer Privacy Law
Consumer privacy law – the legal and regulatory framework governing how businesses can collect, use and disclose the personally identifiable information (“PII”)[2] of their existing and prospective customers – affects most consumer-facing businesses across a broad range of industries. This domestic framework, with which businesses operating in the United States must comply, arises from several sources.
The Federal Trade Commission (the “FTC” or the “Commission”) broadly regulates consumer privacy under the Federal Trade Commission Act (the “FTC Act”).[3] This statute does not establish any specific standards or requirements with respect to consumer privacy, or even contain the word “privacy.” Rather, to regulate privacy, the FTC relies upon its authority under the statute to prevent and prosecute unfair and deceptive acts or practices in or affecting interstate commerce.[4]
Federal law also imposes privacy standards upon particular industries that receive sensitive PII from consumers. Financial institutions are subject to the privacy standards established by the Gramm-Leach-Bliley Act (the “GLB Act”) and its implementing regulations. The Health Insurance Portability and Accountability Act (“HIPAA”) imposes comprehensive privacy requirements upon healthcare organizations and their vendors who receive access to protected health information. In addition, a number of federal laws cover more discrete areas, such as children’s privacy, telemarketing, email solicitations, telecommunications services, cable television and consumer credit reports. Many states also have laws and regulations relating to consumer privacy.
Privacy regulatory schemes at the federal level tend either to establish detailed compliance frameworks (as in the case of HIPAA) or to set out baseline standards that provide businesses with some compliance flexibility by identifying the most practical and appropriate measures with which to comply (as in the case of the GLB Act). But the FTC Act is different. Because the statute does not provide any specific privacy standards, businesses subject to FTC jurisdiction are left to discern the rules governing consumer privacy from various FTC reports and guidelines, Consent Orders that arise out of settlements to enforcement proceedings, testimony of FTC officials before Congress, and reports, speeches and other public statements of FTC representatives.
The foundation for much of the guidance in these various sources is the Fair Information Practice Principles, a set of privacy principles published by the FTC as part of its seminal 1998 report, Privacy Online: A Report to Congress.[5] The Principles lay out five general standards, which the FTC has attempted to refine and update through its policy-making function over the past decade:
- Notice. Consumers are entitled to notice concerning how an organization uses PII in advance of the collection of PII.
- Choice. Consumers should have choices regarding uses of PII beyond those necessary to complete a specific transaction.
- Access. Consumers should have the right to access PII about them, and to contest the accuracy and completeness of PII.
- Security. Businesses should use reasonable technical and managerial efforts to protect the security of PII.
- Enforcement. Enforcement mechanisms should be available when businesses fail to comply with the Principles, such as self-regulatory schemes and access to governmental enforcement procedures.
The FTC has described the Principles as being “widely accepted,”[6] but has never asserted that they constitute the law of the land. Instead, the FTC has limited its privacy enforcement activity to online privacy and online and offline data security. The standards applied by the FTC are broad: whether certain practices are “unfair,” in that they subject consumers to an unreasonable risk of harm,[7] or “deceptive,” in that they are inconsistent with a company’s public pronouncements[8] or reasonable consumer expectations.[9]
The FTC’s limited application of the Principles has led to a prevailing view of consumer privacy law in the online business community that might be summarized as follows:[10]
- Provide notice of online privacy practices in a privacy statement or policy that is accessible via a link at the bottom of an organization’s Internet home page and certain subsidiary Web pages.
- In the notice, describe the types of PII collected over the Internet, how the business uses the PII, to whom the PII is disclosed and the process for submitting questions about the business’s online PII practices.
- Do not sell or otherwise disclose PII collected over the Internet to others for compensation absent consent of the consumers who are the subject of the PII. Many businesses will consider consent to have been obtained if the practice is disclosed in an online privacy statement and the consumer had an opportunity not to proceed with the transaction or buy the product or service.
- Use reasonable technical and managerial efforts to protect the security of PII.
Recent developments at the FTC and newly proposed federal privacy legislation in Congress demonstrate, however, that this prevailing view — on which corporate compliance programs, revenue streams from commercialization of corporate data assets, and even entire business models have been based — is rapidly becoming outdated.
1. The Sears Consent Order
On June 4, 2009,[11] the FTC announced a proposed Consent Order in an investigation of certain consumer privacy practices of Sears Holdings Management Corporation in connection with a Sears online site branded “My SHC Community.” The final Consent Order, dated September 9, 2009, embodied a new standard for how privacy notices must be presented to consumers and when prior, affirmative consumer consent is required.
The FTC and Sears entered into the Consent Order following an investigation into the operation of a software program Sears distributed to consumers to interoperate with the My SHC Community site. Sears presented certain visitors to Sears.com and Kmart.com with an invitation to join the My SHC Community. This process required users to download a software program that Sears identified as “research software.” Sears agreed to pay consumers $10 if they retained the software on their computer systems for at least one month.
The software program collected data concerning the Internet browsing activities of users for the purported purpose of enabling Sears to create “more relevant future offerings” for the users and other shoppers. According to the FTC, the data collected by the program extended far beyond online shopping, however, and included the text of secure Web pages, such as online banking statements, video rental transactions, library borrowing histories, online drug prescription records, and select header fields that could show the sender, recipient, and subject of Web-based email messages.
Despite having provided many layers of consumer notice online (as part of the original ad), via email (following a consumer’s voluntary input of an email address) and during the registration process for My SHC Community, Sears disclosed the full breadth of the software’s collection capabilities only in a document titled “Privacy Statement and User License Agreement” (the “PSULA”). After multiple instances of opting in to the service, registering users were required to affirmatively accept the terms of the PSULA by checking a blank checkbox during the My SHC Community registration process.
The FTC acknowledged that the PSULA fully described how the software collected PII and how Sears used that data. Based on that alone, the traditional consumer privacy analysis would have found Sears to have fulfilled its disclosure obligations under the FTC Act. But here, the FTC disagreed and introduced a new construct. The Commission held that the notice was not sufficiently “prominent” and, as a result, was inadequate; it held that Sears therefore had not obtained consumer consent. Based on this analysis, the FTC concluded that Sears’s PII collection practices were deceptive and violated the FTC Act.
2. Reports, Speeches and Public Statements of the Commission, its Chairman and Other Senior Officials
Following publication of the Sears Consent Order, through staff reports, various speeches and interviews with major media outlets, the Commission, its Chairman and other senior officials have further signaled that significant shifts in how the FTC approaches privacy regulations and enforcement actions are imminent.
- Extension of FTC Privacy Enforcement Authority to Practices Causing Non-Economic Harm. In a speech at New York University last October, David Vladeck, Director of the FTC Bureau of Consumer Protection, laid the foundational arguments for what would constitute a fundamental expansion of the authority of the FTC to enforce consumer privacy standards.[12]
Businesses that misrepresent their privacy practices to consumers, or that engage in PII collection and use practices that are inconsistent with reasonable consumer expectations,[13] are at risk of being targeted for an FTC enforcement action for engaging in a fraudulent or deceptive act or practice (i.e., for violating the “deception” prong of the FTC Act). The FTC Act also prohibits “unfair” business practices, including privacy practices, which have typically been measured by the amount of economic or financial harm imposed on consumers. Director Vladeck’s speech reflected a desire, however, to extend the FTC’s authority to prosecute unfair privacy practices to those that cause non-economic harms to consumers. According to Director Vladeck:
The range of privacy-related harms is not limited to those that cause physical or economic injury or unwarranted intrusion into one’s personal time. The actual range of privacy-related harms is wide, and includes reputational harm, fear of being monitored or having private information “out there,” or having one’s data used in a manner contrary to his or her expectations.[14]
This view was reinforced in a speech by FTC Chairman Jonathan Leibowitz before the National Cable & Telecommunications Association in May of this year. If adopted, this theory would place sweeping discretion in the hands of the FTC to determine what uses of PII are “unfair” based on a subjective determination of when a consumer may be “harmed” in some undefined, non-economic respect.
- Extension of FTC Consumer Privacy Standards to New Categories of Information. In an interview with The New York Times in August 2009, Director Vladeck opined that the concept of PII — the information subject to FTC Act consumer privacy standards — must be interpreted broadly to include both immediately identifiable information and information that could potentially be matched with other data in order to derive someone’s identity.[15] Others within the FTC have since echoed this view. An FTC Staff Report issued in February 2009, which detailed a set of Self-Regulatory Principles for Online Behavioral Advertising, went even further, suggesting that non-identifiable information may be subject to the FTC Act if a consumer would nevertheless have a privacy interest in the information.[16] The report explained the FTC’s view that, in the online environment, the line between PII and non-PII is increasingly blurred, and it suggested that online privacy regulations may no longer need to be based on that distinction or applied only to data that is collected as PII but should cover all data that might become PII by being linked to or associated with PII in the future.
- Heightened Standards for Notice and Consumer Consent to Use of PII for Secondary Purposes. In the same 2009 interview with The New York Times, Director Vladeck stated that businesses should be required to obtain the affirmative (opt-in) consent of consumers to use PII for purposes outside the scope of the original transaction in which it was collected. To obtain consent, Director Vladeck opined, businesses should present consumers prior to such use with concise written disclosures, in plain English, separate from other more generalized privacy statements or policies.[17] He suggested the FTC might issue a new regulation to mandate this approach, should the business community fail to adopt it on its own.
Notably, Chairman Leibowitz, along with Director Vladeck, gave a follow-up interview to The New York Times in January 2010 in which they strongly criticized the settled practice of satisfying consumer notice and consent obligations through traditional online privacy statements and policies. According to Director Vladeck,
[Businesses] haven’t given consumers effective notice, so they can make effective choices... [Notice-and-consent has] depended on the fiction that people were meaningfully giving consent.[18]
Chairman Leibowitz continued the thought, stating, “I have a sense, and it’s still amorphous, that we might head toward opt-in [for secondary uses of PII].”[19]
3. The FTC Privacy Roundtables
The FTC hosted a series of three public forums, entitled “Exploring Privacy: A Roundtable Series,” which began in late 2009 and concluded in March of this year. The roundtables addressed topics such as consumer data and consumer expectations, how technology impacts consumer privacy, and special considerations for sensitive consumer data.
The purpose of the roundtables, as described by Chairman Leibowitz, was to “take a broader look at privacy writ large.”[20] According to the Chairman, several common themes emerged, which he characterized in testimony this past July before the Senate Commerce Committee, as follows:[21]
- Consumers do not understand the extent to which companies are collecting, using, aggregating, storing, and sharing their personal information.
- Consumers’ data may be used in ways that they never contemplated.
- The distinction between PII and non-PII is losing its significance. Thus, information practices and restrictions that rely on this distinction may be losing their relevance.
- The FTC appreciates and is considering the call by consumer and public interest commentators for it to take a more expansive view of privacy harms that goes beyond economic or tangible harms.
The FTC is expected to issue a staff report this fall summarizing its findings from the roundtables and setting forth some initial principles or guidelines for updated privacy practices. Many observers expect this report to include new guidelines on consumer privacy similar to the principles provided in the staff report on online behavioral advertising practices noted above. Though not a formal FTC rule or regulation, such suggested principles for industry to adopt may have substantially the same practical effect as a new regulation, as they would embody the view of the current Commission on which consumer privacy practices constitute unfair or deceptive trade practices in violation of the FTC Act.
4. Recent Legislative Developments
During this past year, we have also seen the most significant legislative activity by Congress in the area of comprehensive consumer privacy law in nearly a decade.
Following the FTC’s 2009 release of online behavioral advertising principles and the series of public roundtables it concluded in early 2010, FTC officials, including Chairman Leibowitz himself, have much more actively engaged members of Congress and their staffs in efforts to provide expert guidance on legislative proposals that would codify an expanded and more regulatory framework for the collection and use of customer data by businesses and other organizations. All of the proposed bills to date fall under the ambit of consumer privacy legislation that is within the jurisdiction of the House Energy & Commerce Committee and Senate Commerce Committee, the committees with oversight authority with respect to the FTC. Accordingly, this legislation, if enacted, would statutorily empower the FTC with expanded and expedited rulemaking authority, and would require the Commission to use this new authority to create a robust set of new rules for a broad segment of industry that fully flesh out the federal privacy regulatory regime created by the act of Congress.
Coupled with its new activism in its policy making function, the FTC’s enforcement actions, public forums, staff reports, speeches and other public statements have also driven Congress to engage in its own thorough review of data privacy and online marketing practices, most notably through a series of joint subcommittee hearings held by the House Energy & Commerce Committee over the course of the past year. The Committee’s work has ultimately resulted in the drafting of two proposed bills, one of which was formally introduced by Consumer Protection Subcommittee Chairman Bobby Rush (D-IL) on July 19, 2010. That bill — H.R. 5777, the BEST PRACTICES Act — is the first comprehensive consumer privacy bill to be introduced by a subcommittee chairman this Congress and is likewise slated to be the first to receive formal committee consideration in the form of a subcommittee markup hearing expected this fall.[22]
Rep. Rush’s bill was based on an earlier staff discussion draft of a privacy bill widely circulated this past May by Communications Subcommittee Chairman Rick Boucher (D-VA). At the request of Chairman Boucher and the subcommittee’s ranking Republican member Cliff Stearns (R-FL), more than 60 organizations filed comments on the draft legislation that will be considered by the Communications Subcommittee before Chairman Boucher and Ranking Member Stearns formally introduce a revised version of the bill.
Following the circulation of these two proposals, Congressional hearings were held this past July on the merits of federal privacy legislation. The first hearing was held on July 22 in the House Energy & Commerce Committee’s Consumer Protection Subcommittee and was chaired by Rep. Rush. The second hearing was held in the Senate Commerce Committee on July 27 and was chaired by Senator Jay Rockefeller (D-WV). The FTC testified at each hearing, along with representatives from industry, public interest groups and/or academia. Chairman Leibowitz testified during the Senate hearing on behalf of the Commission, laying out some initial findings from the roundtables (discussed above) and promising that the FTC would issue a report this fall on its findings from the roundtables and its recommendations on how industry should better protect the consumer data it collects, uses and discloses. Chairman Leibowitz also stated, in response to questioning from Chairman Rockefeller and other senators, that the FTC would recommend that Congress take up and pass comprehensive privacy legislation in the next Congress (2011-12) if industry does not improve its privacy practices in light of the FTC’s forthcoming recommendations.
While the two House proposals are starting points for discussion, many businesses remain concerned that the unintended consequences of the proposed bills (if they were to be enacted) could stifle innovation and growth at this critical time in the nation’s economic recovery. Because the Rush bill, H.R. 5777, was based on the Boucher discussion draft, the two bills share many provisions in common, which may be generally summarized as follows:
- Applies to nearly every business collecting customer data, whether online or offline, with some limitations based on the amount of customer data collected in a given year;
- Regulates the collection, use and disclosure of a set of “covered information” that includes both PII and non-PII, such as any “unique persistent identifier,” including IP addresses, customer numbers and similar non-personal data;
- Generally requires covered entities to provide a detailed, multi-point customer notice prior to the collection of any covered information from that customer;
- Except for a narrow, business model-specific exemption for network advertisers, generally prohibits the sharing of any covered information with any unaffiliated third party without the prior, affirmative (opt-in) consent of the customer; and
- Prohibits, without prior affirmative (opt-in) consent, the collection and use of “sensitive information,” which is defined as PII related to medical records, race, ethnicity, religious beliefs, sexual orientation, financial records and other financial information (i.e., account information, credit and debit card information, etc.) and precise geolocation information.
As suggested by the Rush bill’s short title, the key distinguishing feature between the two proposed bills is H.R. 5777’s inclusion of a provision addressing industry best practices with respect to the collection, use and disclosure of customer data. In taking this approach, the bill provides a potential workable model for more refined versions of privacy legislation going forward by providing exemptions for certain data practices and industry self-regulatory privacy programs. The details of these provisions, however, will likely change as the legislation is considered and further modified in the remaining Congressional session this year.
What Changes Can We Expect from the FTC?
The FTC has signaled in an unmistakable manner that its views concerning how businesses must protect consumer privacy are changing, and that new rules and regulations may soon follow suit if industry does not reform its current data collection and use practices. From the indicators noted above, this new framework would appear likely to include some or all of the following elements:
- Expanded FTC Privacy Enforcement Authority. The FTC appears to be positioning itself to assert authority to enforce the FTC Act against consumer privacy practices it deems unfair based upon a risk of harm to a consumer’s privacy or dignity interests. The FTC’s privacy authority has traditionally been limited to cases where a business has violated the deception prong of the FTC Act by making a material misstatement or omission in its disclosures to consumers about its PII practices. Prosecuting privacy violations based on the unfairness prong of the FTC Act would be a significant expansion of the FTC’s authority — potentially forming the basis for the FTC to implement the Fair Information Practice Principles fully, including with respect to both online and offline PII practices.
- Application of FTC Act Consumer Privacy Standards to Non-PII. The FTC is poised to hold that the FTC Act extends to anonymous information — whether initially non-identifiable or de-identified after collection — if consumers could be deemed to have a “privacy interest” in that information. As noted above, that privacy interest may arise out of the potentiality for information that is non-identifiable upon collection to be subsequently identifiable or associated with a particular customer, computer or mobile device.
- Heightened Standards of Notice and Consent. The FTC is expected to announce new guidelines around the presentation and content of notices to consumers of any use of PII outside the scope of the immediate consumer transaction in which it is collected and/or used, and of any collection of PII that is not reasonably apparent to consumers. We may see standard notice formats proposed, as these were suggested by consumer advocates in the FTC roundtable series. Any new guidelines may also specify that the type of consent required for the use of PII for “secondary” purposes means affirmative, opt-in consent. These developments signal the FTC’s desire to end the widespread practice of simply relying upon a privacy statement, accessible through a link at the bottom of a Web page, to satisfy consumer notice and consent obligations.
Businesses should monitor the FTC and the Congress closely in the coming months for new developments in the area of consumer privacy. In the meantime, organizations should be considering these anticipated changes in consumer privacy law as they design and develop new products and services that use consumer data, in the structure of strategic initiatives to leverage value from consumer data, and in continuing operation of business models dependent upon the use of consumer data. Businesses should also consider engaging in the legislative and FTC regulatory processes to help shape any new statute or regulation in ways that will minimize compliance costs and the potential disruption of legitimate business practices while standardizing consensus best practices for the collection and use of customer data.