This post was also written by Christopher G. Cwalina, Amy S. Mushahwar, and Frederick Lah.

On December 1, 2010, the FTC released its long-awaited preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change.” The 123-page report proposes a sea change in US privacy law. The FTC is accepting comments on the report until January 31, 2011.

In the report, the FTC proposes a major change in the framework of US privacy law, stating bluntly that, “Industry must do better.”

  • Notice-and-consent does not work, the FTC says. People do not read or understand privacy notices as currently written; in the Commission’s view, privacy policies have become “long” and “incomprehensible.”
  • The report also says that waiting for harm to come to consumers is not an effective way to enforce privacy norms. Harm has traditionally meant economic or physical harm. Per the report, privacy harms also include reputational harm and even the emotional harm of having one’s information “out there” or the “fear of being monitored.” The FTC says the new framework must address and allay these anxieties; however, the Commissioners do not all agree. Commissioner J. Thomas Rosch stated in his concurrence that “the Commission could overstep its bounds” if it were to begin weighing these more intangible harms when assessing consumer injury.
  • Industry self-regulation, per the report, has been too little, too late and has failed to provide adequate and meaningful protection.

The report also challenges a number of assumptions in how we view data privacy and security.

  • The FTC casts serious doubt on claims that de-identified information need not be protected, citing multiple instances and methods by which personally identifiable information (“PII”) can be reconstructed from data that does not include names (e.g., IP addresses or other unique identifiers). The distinction between PII and non-PII, the FTC concludes, is “of decreasing relevance.” Consequently, the scope of the report is very broad: it applies to “all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device.”
  • The framework is intended to apply both online and offline, and not just to companies that deal directly with consumers.
  • The FTC suggests that consumers must be made aware of, and consent to, onward transfers of information to non-affiliates regardless of industry, universalizing consumer notice requirements that hitherto applied only to certain highly regulated industries (e.g., telecommunications, education, healthcare, financial services) or certain types of highly sensitive data (e.g., credit report information, bank account information).
  • The report distinguishes between “commonly accepted data practices” and all other data practices. Borrowing from GLBA and HIPAA, the report would not require notice to or consent of consumers for commonly accepted practices, such as using data to aid law enforcement, to respond to judicial process, or to prevent fraud. All other data practices would require notice and consent, in a form that is easy to read and understand and ideally provided at the point where the consumer enters his or her personal data. Behavioral advertising and deep packet inspection are explicitly named as not “commonly accepted data practices.” The FTC also suggests that opt-in consent be obtained before implementing any material change to a company’s privacy policy that would apply to data collected under the prior policy.
  • The report suggests that, to promote a free and competitive market, companies’ privacy practices need to be more transparent to consumers, and that companies should provide consumers with “reasonable access” to their data.
  • Per the report, appropriate data retention periods should be a legal requirement. The report cites geolocation data as a category that is especially important to dispose of once it is no longer needed.
  • The report also endorses a “Do Not Track” mechanism, acknowledging that such a mechanism would be far more complex than the National Do Not Call registry: a browser-side setting can only signal a consumer’s preference, so its effect depends on the sites and ad servers that receive the signal recognizing and honoring it. The FTC supports either legislation or self-regulatory efforts to develop a system whereby a consumer could opt not to be “tracked.” The FTC draws a distinction between “tracking” and “interest-based” advertising, and in later discussions of the report has stated that it will treat first-party advertising more favorably than third-party ad serving. The FTC has not decided on the technical mechanism, but has proposed a browser-level solution that could resemble the privacy plug-in for the Firefox browser or incognito mode in Google Chrome. The FTC has not said whether opt-in or opt-out would be the default setting for any such browser plug-ins or modes.

So what should businesses do?

First, companies should carefully review the report and the 50+ questions open for public comment posed in Appendix A (additional questions are posed in the Commissioners’ separate statements).

Second, companies should strongly consider commenting on the report. In our experience, the FTC will listen to and often address business concerns, but those concerns must be heard. Trade associations may be a good place to start, but also consider unique issues that your company may face that should be addressed.

Third, now is a good time for companies to step back and consider their privacy programs and the extent to which they incorporate privacy into everyday business practices. The report suggests that every company should adopt “privacy by design,” “building privacy protections into everyday business practices,” “assigning personnel to oversee privacy issues, training employees on privacy issues, and conducting privacy reviews when developing new products and services.”

The FTC’s full report is available here.