We have previously blogged on the FTC’s privacy report on “Protecting Consumer Privacy in an Era of Rapid Change” and the Department of Commerce’s Green Paper on “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.” We have also published client alerts on the FTC report and the DOC green paper. In this and two subsequent blog posts, I will share some observations on themes in these proposed frameworks that have implications for how companies approach their IT contracts.
My first observation is that both the report and the green paper emphasize the need for a coordinated and well-managed set of policies with respect to privacy and security arrangements in contracts with third-party business partners.
The FTC’s framework advocates “privacy by design,” under which companies promote consumer privacy throughout their organizations. Because companies’ operations are supported by a complex mix of internal and external IT resources, privacy by design requires that privacy and security considerations be addressed in every contract with an external IT service provider.
The DOC focus is on broader adoption of better Fair Information Practice Principles (FIPP) backed up by the ability to assess and audit compliance. In relation to external IT resources, that ability to assess and audit is wholly dependent on the terms of the contract between the customer and the provider. IT contracts also need to require that the provider comply with the customer’s policies on FIPPs.