On December 1, 2010, the Federal Trade Commission (“FTC”) released its report on online privacy titled, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.” The report states that industry efforts to address privacy through self-regulation have been slow and inadequate up to this point. The report outlines a framework designed to reduce the burdens on consumers and businesses and “is intended to inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy, and guide and motivate industry as it develops more robust and effective best practices and self-regulatory guidelines.”
The report introduced a privacy framework to “establish certain common assumptions and bedrock protections on which both consumers and businesses can rely as they engage in commerce.” The basic building blocks of the privacy framework involve:
- privacy by design,
- simplified choice, and
- greater transparency.
Scope: The framework applies to “all commercial entities that collect consumer data in both offline and online contexts, regardless of whether such entities interact directly with consumers.” Significantly, the framework “is not limited to those who collect personally identifiable information.” Rather, it also applies to “those commercial entities that collect data that can be reasonably linked to a specific consumer, computer, or other device.”
Privacy by Design: According to the report, “Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy.” More specifically, the report makes four recommendations of crucial importance to consumer privacy:
- companies collecting data should provide reasonable physical, technical, and administrative safeguards to protect collected data;
- companies should gather information only to “fulfill a specific, legitimate business need;”
- companies should implement reasonable data retention periods and retain data only for so long as they have a legitimate business need; and
- companies should take steps to ensure the accuracy of the data they collect, “particularly if such data could be used to deny consumers benefits or cause significant harm.”
Simplified Choice: The report proposes that companies “describe consumer choices clearly and concisely, and offer easy-to-use choice mechanisms . . . at a time and in a context in which the consumer is making a decision about his or her data.” For Web sites, this includes a Do Not Track mechanism that would operate by “placing a setting similar to a persistent cookie on a consumer’s browser and conveying that setting to sites that the browser visits, to signal whether the consumer wants to be tracked or receive targeted advertisements.” Unlike the Do Not Call list, individuals would have to repeatedly opt in to the Do Not Track mechanism (users would have to choose the Do Not Track option each time they opened their browser).
Greater Transparency: The FTC states that “privacy notices should be clearer, shorter, and more standardized” to enable better consumer comprehension. Furthermore, the report would have companies “provide prominent disclosures and obtain . . . express consent before using consumer data” in a manner materially different than claimed when the data was collected.
What It Means
This report does not represent the governing FTC policy. Rather, the commission is seeking comment on the report. Comments on the report are due January 31, 2011. If your company is engaged in the use of personal and profiling information, online or offline, for advertising or other reasons, you should monitor this report closely and seriously consider whether it would be appropriate for your company to file a comment with the FTC.