On December 7, 2009, the Business Forum for Consumer Privacy released “A Use and Obligations Approach to Protecting Privacy: A Discussion Document" at the Federal Trade Commission’s roundtable entitled “Exploring Privacy.” The roundtable was a first step in the FTC’s effort to re-examine privacy protection in light of rapid, dynamic changes in technology, advances in data analytics and increasingly ubiquitous data collection and use. The paper is the product of a three year effort on the part of the Forum to develop an approach to protecting data that meets the needs of businesses and consumers in this emerging environment. The paper may be found at www.informationpolicycentre.com

The Forum’s paper presents the details of a model for data protection in which the use of data, rather than its collection, sets in motion an organization’s obligations to apply fair information practices. The model employs the full complement of fair information practices: notice, choice, access and correction, collection limitation, use minimization, data retention, data quality and integrity, data security and accountability. The paper describes in granular detail how each of these practices applies to various uses of data (e.g., fulfillment, internal business processes, marketing, fraud prevention and authentication and national security and legal). The approach proposes a means to implement fair information practices in a way that reflects the data environment of the 21st century.

Barbara Lawler of Intuit represented the Forum at the FTC’s “Exploring Privacy” event. In introducing the concepts presented in the paper, she built upon the observation of panelists at the FTC event that the “choice” model is of increasingly limited utility in the new data environment. Ms. Lawler noted that consumers would have to read and act on privacy notices almost constantly throughout the day to exercise any kind of control over their data, and that consumers cannot be expected to police a marketplace full of complex business models, vendor relationships and technologies.

Next year likely will be an important one, as privacy regulators, experts, advocates and business representatives continue to consider ways to provide optimal protection for data while best enabling its productive and creative use. The use-and-obligations model will likely serve as an important contribution to that discussion.