By now, you have almost certainly seen the reports that the White House and the Federal Trade Commission want a Consumer Privacy Bill of Rights with seven principles:
- Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
- Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
- Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
- Security: Consumers have a right to secure handling of personal data.
- Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequence to consumers if the data is inaccurate.
- Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
- Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
Today, the FTC took a significant step toward establishing a framework that would implement that last principle, Accountability. In outlining the new framework, the FTC report (PDF) suggested several significant changes for businesses who interact with consumers online:
First, the FTC expects consumers will have an “easy to use and effective ‘Do Not Track’ option by the end of the year.” According to the Washington Post, the FTC, the Commerce Department and the Digital Media Alliance are working together to create a one-click icon that will permit consumers an easy way to “opt-out” of online tracking. The Digital Advertising Alliance represents 90 percent of all web sites with advertising.
Second, the FTC urged companies offering mobile services to voluntarily improve privacy protections, including in particular, the retrieval and storage of location information. As the Wall Street Journal (subscription required) noted under the headline "Your Apps are Watching You", over one-half of tested mobile apps sent unique ID or location information without informing the app user first.
Third, FTC called on big data brokers to develop a centralized website that would allow people to view all the entities that hold their data and how that data is used. The FTC also called for the passage of legislation that will allow people to view their data and correct inaccuracies, similar to what is currently permitted for credit reports. As previously announced, the FTC will continue to bring enforcement actions against companies that engage in deceptive or unfair practices.
Finally, and of particular interest to the franchise community, while the framework applies to all commercial entities that collect or use consumer data that can be linked to a specific consumer, computer, or other device, the FTC report explicitly recognizes “the potential burden on small businesses” and accordingly “concludes that the framework should not apply to companies that collect and do not transfer only non-sensitive data from fewer than 5,000 consumers a year.” The details of this “small business” option will need to be fleshed out and seem narrow upon initial review. For example, the Commission defines “non-sensitive data” as data that is not a Social Security number or financial, health, children’s, or geolocation information.
There was a dissent from the report by Commissioner Thomas Rosch. The dissent seems principally concerned that the framework is too focused on what consumers may believe is unfair, as opposed to what is actually deceptive. It also noted that the recommendations probably aren’t voluntary in practice, because most firms will feel obliged to comply the proposed best practices or face the wrath of the FTC.
As expected for several years now, the FTC has staked out a strong position in favor of “opt-in” online privacy controls for consumers combined with substantial transparency regarding how personal information gathered online will be used. The good news is that the framework is voluntary and permits significant industry involvement in crafting best practices. The bad news, as Commissioner Rosch correctly notes, is that the FTC report and rhetoric strongly implies that adoption of the best practices will be nearly mandatory and that it will enforce those practices against those who opt-in.