FTC Issues Final Report on Protecting Consumer Privacy - Some Key Points
Saturday, March 31, 2012

The Federal Trade Commission (FTC) recently issued its final report concerning best practices for businesses to protect consumer privacy, including offering consumers greater control over the collection and use of their personal data.

The final report expands on the preliminary FTC staff report issued in December of 2010 and calls on companies handling consumer data to implement recommendations for protecting privacy. Following are some key points from the Commission’s final report, which is available for download on the FTC website at http://www.ftc.gov/os/2012/03/120326privacyreport.pdf.

Focus on Core Privacy Principles

The report advises companies to focus on three core privacy concepts when handling consumer data:

  • Build consumers' privacy protections into every stage of product development. This concept, known as Privacy By Design, means ensuring that consideration of privacy issues Is an integral part of the design and development process of a product or service from the very beginning, including establishing reasonable security for consumer data, appropriately limiting collection and retention of consumer data, and creating procedures that promote data accuracy.
  • Provide consumers with simplified options to choose what information is shared about them, and with whom it is shared. Offering a clear, simple Do-Not-Track mechanism that allows consumers to control the monitoring their online activities is a key issue.
  • Disclose details about their data collection and how consumer information is used. Greater transparency is important, and companies should provide consumers with details about the information they collect and how that information is used and give consumers access to that data.

Key Revisions to Preliminary Recommendations

The FTC revised several of its initial recommendations based on hundreds of comments and on the latest technological and industry developments.

  • Recognizing the potential burden on small businesses, the report concludes that the original “one size fits all” framework should not apply to companies that collect and do not transfer only non-sensitive data from fewer than 5,000 consumers a year.
  • The concern that data could be "reasonably linked" to specific consumers, computers, or devices via advanced technologies was explored. The conclusion: data is not "reasonably linked" if a company takes reasonable measures to de-identify the data, commits not to re-identify it, and prohibits downstream recipients from re-identifying it.
  • Offering consumers options about how their personal data is used should be based on context. That is, is the collection and use of the data consistent with the context of the transaction, or with a consumer's existing relationship with the business? Is it required or specifically authorized by law?

Anticipating Legislation — Establishing a Privacy Framework

The FTC supports certain general privacy and data security legislation, and encourages companies to accelerate the adoption of consumer privacy principles. The report discusses five main action areas in its final report.

  • The Commission is encouraged by progress made regarding the Do-Not-Track issue. Developers and leading industry groups have demonstrated their commitment to develop and implement effective and easy-to-use Do Not Track mechanisms.
  • The FTC is hosting a workshop on May 30, 2012 to address how mobile privacy disclosures can be short, effective, and accessible to consumers on small screens.
  • Data brokers are urged to add transparency to their operations. It urges the industry to consider a centralized website, where brokers can identify themselves, disclose how they collect and use consumer data, and allow consumers to make choices about their information.
  • The FTC will host a public workshop in the second half of 2012 to explore issues related to comprehensive tracking platforms, e.g., how the Internet’s “middle men” — such as internet service providers (ISPs), operating systems, browsers, and social media companies track consumers' online activities.
  • Working with the Department of Commerce and industry stakeholders, the FTC is aiming to develop and promote enforceable self-regulatory codes of conduct. Companies that acknowledge and adhere to the codes will benefit should they be subject to enforcement actions.

Some Dissent

According to the FTC’s resent press release, the vote approving the report was 3-1. The one dissenter, Commissioner J. Thomas Rosch, dissented from the issuance of the Final Privacy Report.

“[Commissioner Roach] agrees that consumers ought to be given a broader range of choices and applauds the Report's call for targeted legislation regarding data brokers and data security. However, Commissioner Rosch has four major concerns about the privacy framework because he believes: (i) in contravention of our promises to Congress, it is based on "unfairness" rather than deception; (ii) the current state of "Do Not Track" still leaves unanswered many important questions; (iii) "opt-in" will necessarily be selected as the de facto method of consumer choice for a wide swath of entities; and (iv) although characterized as only "best practices," the Report's recommendations may be construed as federal requirements.”

Conclusion

The FTC’s final report was issued after the receipt of wide-ranging input from industry members, privacy advocates and individual consumers. While the final report does not change the structure of the framework proposed by the FTC staff in the preliminary 2010 report, the final report contains additional guidance and details that make it easier for businesses to understand the direction that privacy regulation is moving, and it offers more certainty with respect to actions that can be taken to implement best practices and avoid costly and distracting legal proceedings. Many businesses are moving very quickly to implement new technologies and adopt new business models enabled by these technologies. It is clear that we will see increased regulation of privacy practices and greater enforcement against companies engaging in what the FTC considers to be unfair or deceptive practices, and addressing core privacy principles and seeking legal counsel at all stages of the design and development of a new product or service today will significantly reduce the risks of future legal problems.

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins