This post was also written by Christopher G. Cwalina, Amy S. Mushahwar and Frederick Lah.
This week, the Federal Trade Commission (FTC) released its long-awaited final Commission Consumer Privacy Report, entitled “Protecting Consumer Privacy in an Era of Rapid Change” (“Final Report”). The FTC emphasizes that the report only sets forth industry best practices and was “not intended” to serve as a new template for enforcement. However, this line is not exactly clear as the FTC identifies existing law and enforcement actions that form the basis of its advice (and could be the basis for Section 5 enforcement actions).
The Final Report expands on a preliminary FTC staff report issued in December 2010 and is consistent with the Department of Commerce’s (DOC) parallel privacy initiative. The Final Report calls on companies to do the following:
- Engage in Privacy by Design: Companies should build in privacy protections – including data security, data minimization, focused data retention and data hygiene – at every stage in product development (from conceptualization to end-of-lifecycle).
- Provide Simplified Choice: Companies should give consumers the ability to make choices about their data collection and use “at a relevant time and context,” including developing more automated choice functions like a “Do Not Track” mechanism.
- Exhibit Greater Transparency: Companies should make their data practices more “consumer friendly” and accessible by streamlining privacy policies, providing consumers with access to data collected about them, and engaging in consumer education campaigns to promote information-age literacy.
The framework applies to all businesses that collect or use consumer data that can be “reasonably linked to a specific consumer, computer, or other device, unless the entity collects only non sensitive data from fewer than 5,000 consumers per year and does not share the data with third parties.” Notably, the framework, also applies to offline or paper data. Data that has been de-identified is exempt.
The FTC also calls on Congress to develop baseline privacy legislation. To this end, FTC Chairman John Liebowitz and DOC will be testifying Thursday, March 29, 2012, before the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade to advance the legislative agenda.
Over the next year, the FTC will focus on encouraging voluntary adoption of further privacy protections and be active in five main areas:
- “Do Not Track” Browser Standard: While the FTC commends the progress made by the Digital Advertising Alliance (DAA) in developing an icon-based system for self-regulation of the online advertising industry, they say that more work needs to be done. The DAA, Internet browser companies, the FTC and the DOC have publicly committed to implementing the existing DAA self-regulatory standard in a browser-based automated privacy tool that will help consumers persistently opt-out of online behavioral advertising and multi-site advertising.
- Mobile Data: On the heels of the FTC Mobile Children’s Privacy Report, the FTC continues to urge all companies offering mobile services to improve privacy disclosures. In that vein, the FTC will host a web-disclosure workshop including some mobile privacy discussions May 30, 2012, to address how mobile privacy disclosures may be streamlined for mobile screen viewing.
- Data Brokers Disclosure & Consumer Data Access: The FTC asks data brokers (those collecting information on consumers where they do not have a consumer-facing relationship) to create a centralized website where they would: (1) identify themselves to consumers and describe how they collect and use consumer data and (2) detail the access rights and data choice they provide with the data that they maintain.
- Large Platform Providers: The FTC suggested that large platform providers, businesses such as ISPs, operating systems, browsers and social media companies that seek to comprehensively track consumers’ online activities, raise elevated privacy concerns. This heightened concern regarding multi-platform tracking is best exhibited in the FTC’s and state regulators concerns regarding the streamlined Google privacy policy. FTC staff intends to host a public workshop on this topic in Q3 of this year.
- Commerce’s Development of Enforceable Self Regulatory Codes: The DOC is in the process of developing sector-specific codes of conduct. FTC staff has indicated that it will participate in this process, and if strong privacy codes are developed in the Commerce process, the Commission will view adherence to such codes favorably when it is reviewing company practices under a Section 5 action.
Please click here to view additional information from the Reed Smith Teleseminar “FTC Issues Final Commission Report on Consumer Privacy: Agency Calls on Companies to Develop Privacy Best Practices.”