Following more than a year of deliberation, the Federal Trade Commission today released its seminal report on consumer privacy, entitled Protecting Consumer Privacy in an Era of Rapid Change.  The report contains “best practices” for businesses as well as recommendations to Congress for legislation.  The final report issued today builds upon and revises a preliminary FTC staff privacy report previously released in December 2010.  At a press conference announcing the release of today’s report, FTC Chairman Jon Leibowitz stated that in promulgating the report, the FTC does not “want to erect a stoplight” to innovation but rather to “monitor the traffic.”

The report proposes that companies adopt “privacy by design” principles, provide consumers simpler choices about privacy, and offer greater transparency into their data practices.  The report also advocates data security and breach notification legislation as well as legislation concerning data brokers and asks Congress to consider baseline privacy legislation.  In addition, it outlines privacy regulatory priorities for the FTC for the next year, including Do Not Track, mobile, promoting self-regulatory codes, and addressing data brokers and “large platform providers.”

Privacy Framework — Generally

The centerpiece of the report is a privacy “framework” recommended by the FTC.  Unlike some federal agencies, the FTC does not have general rulemaking authority, so the framework does not provide a set of binding rules.  Instead, the FTC describes its framework as a set of “best practices” designed to guide industry, consumers, and regulators.  However, as Commissioner J. Thomas Rosch notes in his dissent from the report, the FTC’s framework may provide guidance on when the FTC will exercise its authority to take enforcement action against “unfair” or “deceptive” trade practices.  Accordingly, the FTC’s framework is noteworthy.

Privacy Framework — Scope

Companies:  The framework generally applies to almost all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device.  However, contrary to the preliminary staff report issued in December 2010, the final framework excludes entities that collect “only non-sensitive data from fewer than 5,000 consumers per year and do[] not share that data with third parties.”  Sensitive data includes, but is not necessarily limited to, Social Security numbers and financial, health, children’s, and precise geolocation data.  The framework does not apply to the extent that a requirement would conflict with the requirements of a sector-specific privacy law such as GLBA or HIPAA.

Data:  Despite concerns raised by some commenters about the extent to which the framework should apply to data collected offline, the final report reiterated that the framework “applies in all commercial contexts, both online and offline.”  It also applies broadly to all “consumer data that can be reasonably linked to a specific consumer, computer, or other device.”  Companies may render data not “reasonably linked” and therefore not within the scope of the report if they: (1) take reasonable measures to ensure the data is de-identified, i.e., anonymized; (2) publicly commit to maintaining the data in de-identified form; and (3) prohibit, by contract, the re-identification of the data by any third parties to whom the company makes the data available.

Privacy Framework — Privacy By Design

In its report, the FTC continues to support the proposed “privacy by design” principles described in its draft report, which shift the burden away from consumers and place obligations on businesses to treat consumer data in a responsible manner.  The FTC does, however, respond to a number of comments on the principles, noting that broad support for the privacy by design concept was especially encouraging in light of the increasingly global nature of data transfers.

Providing Reasonable Security for Consumer Data:  The FTC makes note of a variety of data security protection initiatives implemented by certain private sector entities, and it calls on industry sectors to develop and implement best data security practices.

Limiting Collection of Consumer Data:  In response to commenters’ concerns about vagueness and potential inflexibility in the FTC’s approach to limiting the collection of consumer data, the FTC clarifies the collection limitation principle as follows:  Companies should limit consumer data collection to that which is consistent with the context of a particular transaction or to the consumer’s relationship with the business, or as required or specifically authorized by law.

Implementing Reasonable Data Retention and Disposal Policies:  The FTC confirms its conclusion that companies should implement reasonable restrictions on the retention of data and should dispose of data once it has outlived the legitimate purpose for which it was collected.  Retention periods, however, can be flexible and scaled according to the type of relationship and use of the data.

Maintaining Reasonable Accuracy of Consumers’ Data:  The FTC agrees with commenters that the approach to maintaining the accuracy of consumers’ data should be flexible, scaled to the intended use of the data and the sensitivity of the information.  The maintenance of reasonable data accuracy is particularly important if the use of such data could cause significant harm or be used to deny consumers services.

Maintaining Comprehensive Data Management Procedures:  In response to comments in support of the preliminary staff report’s call for organizations to maintain comprehensive data management procedures, the FTC agrees that companies should implement accountability mechanisms and conduct regular privacy risk assessments to ensure that privacy issues are addressed throughout an organization.  The FTC describes its recent Google and Facebook settlements to illustrate how procedural protections might work in practice.  The FTC also calls on companies to look for new ways to protect consumer privacy throughout the life cycle of their products and services, including through the development and deployment of privacy-enhancing technologies.  Finally, the FTC recognizes that, although companies need to apply the substantive privacy by design elements to their legacy data systems, companies need a reasonable transition period to update their systems.

Privacy Framework — Simplified Consumer Choice

The report criticizes the previous “notice-and-choice” approach to privacy, which it asserts has resulted in long and incomprehensible privacy policies, many of which are presented on a take-it-or-leave-it basis.  The overall theme of the FTC’s framework is that, in contrast to what it describes as existing practices, consumers should have clear choices concerning their privacy, and their ability to exercise choice should be simplified.

When Choice Is Required:  The framework first identifies situations in which choice is not required.  The overall principle adopted is that “whether a practice requires choice turns on the extent to which the practice is consistent with the context of the transaction or the consumer’s existing relationship with the business, or is required or specifically authorized by law.”  The report characterizes this contextual standard as a concrete approach that looks to objective factors rather than subjective consumer expectations.  Examples of data collection practices for which consent is not required include fulfillment, fraud prevention, internal operation, legal compliance, public purpose, and most first-party marketing (the last of which is subject to a number of exceptions, such as for first-party marketing that relies on sensitive information).

What Choice Should Be Presented – Generally: The FTC states that companies generally should provide choices at a time and in a context in which the consumer is making a decision about his or her data.  Precisely how that choice will be given will depend on factors such as the nature or context of the consumer’s interaction with a company or the type or sensitivity of the data.

What Choice Should Be Presented – Special Circumstances: The FTC identifies a number of circumstances in which special principles should apply with respect to choice:

  • Take-It-or-Leave-It: The FTC states that “take-it-or-leave-it” choice for “important products or services” raises concerns when consumers have few alternatives, such as, it asserts, in the market for broadband Internet access.
  • Do Not Track:  The FTC continues to advocate providing a Do Not Track mechanism to give consumers choice concerning the collection of Web surfing data.
  • Large Platforms:  The report notes that the activity of “large platforms” such as ISPs, operating systems, browsers, and certain social networks raises special concerns due to their ability to collect information from a broad range of online activity.  The FTC raises concerns, in particular, about deep packet inspection by ISPs.
  • Affirmative, Express Consent:  The FTC identifies at least two circumstances in which advance affirmative, express consent should be obtained: (1) before material retroactive changes to privacy practices are made, or (2) when collecting sensitive data for certain purposes.

Privacy Framework — Transparency

The report indicates that, while privacy notices should account for variations in business models, such notices should be clearer and shorter and should contain some standardized elements.  The FTC calls on industry sectors to develop standard formats and terminology for privacy statements applicable to their particular industries.  In the FTC workshop to be held later this year, one topic to be addressed is how mobile privacy disclosures can be short, effective, and accessible to consumers on small screens.

The report also lays out a categorization of companies with regard to the reasonable extent of an individual consumer’s access to his or her own data.  These categories reflect different levels of data sensitivity:

  • First, the FTC recognizes that, for entities that maintain data for marketing purposes, the costs of providing individualized access would likely outweigh the benefits.  However, the FTC supports the idea of providing consumers with a list of categories of data that such entities hold and the ability to suppress the use of such data for marketing.
  • Second, the FTC observes that, where entities subject to the Fair Credit Reporting Act (“FCRA”) are concerned, the FCRA provides consumers with rights to access and correct their information.
  • Third, regarding entities not subject to the FCRA, but which maintain data for non-marketing purposes, the FTC supports a sliding scale approach, with a consumer’s ability to access his or her data scaled to the use and sensitivity of the data.  At a minimum, the report states, consumers should have access to the types of information such companies maintain about them and the sources of such information.  In appropriate circumstances, the FTC also urges companies to provide the names of third parties with whom consumer information is shared.

Legislative Recommendations: Baseline Privacy, Data Security/Breach Notification, and Data Brokers

In addition to providing its privacy framework detailed above, the FTC also made recommendations with respect to two key pieces of privacy legislation.  First, it called on Congress to “consider” enacting baseline privacy legislation that would provide clear standards and appropriate incentives across all industry sectors, while still being “technologically neutral” and “sufficiently flexible” to allow for innovation.  The FTC noted that any privacy legislation enacted by Congress would be more effective if the FTC were authorized to impose civil penalties for violations.  It also reiterated its earlier calls for federal data security and breach notification legislation, as well as targeted legislation allowing consumers to access and dispute data held by data brokers.

Areas of Emphasis

Finally, the FTC identified five areas where it plans to be especially active during the next year:

Do Not Track (“DNT”): The report noted that several legislative proposals had called for the creation of a DNT mechanism, and the FTC praised the efforts of the browser vendors, the DAA, and the W3C.  However, the FTC warned that “the work is not done.”  The FTC will collaborate with these industry groups to complete implementation of a DNT system that is universal, easy to use, persistent, enforceable, and that allows consumers to opt out of the collection of behavioral data for all purposes (other than expected contextual uses).

Mobile:  The report called for improved mobile privacy protections, including better disclosures.  Mobile privacy disclosures will be addressed during the workshop that the FTC is hosting on May 30, 2012, as part of its ongoing project to update the Dot Com Disclosures guidelines. The FTC also called on entities involved in the mobile ecosystem to develop standards addressing data collection, transfer, use, and disposal, particularly for location data.

Data Brokers:  The report supported targeted legislation to provide consumers with access to information held by data brokers, similar to legislation that has already been introduced in data security bills in the 111th and 112th Congress.  The FTC also called on data brokers to create a centralized website where consumers can learn about the data brokers’ information-handling practices and the access rights they offer.

Large Platform Providers: The FTC noted that privacy concerns are heightened when “large platforms” – including ISPs, operating systems, browsers, search engines, and social media providers – comprehensively track consumers’ online activities.  The staff plans to host a public workshop in the second half of 2012 to explore collection, use, and competition issues.

Promoting Enforceable Self-Regulatory Codes:  The report pledged that FTC staff will participate in the Department of Commerce’s ongoing project to facilitate the development of sector-specific codes of conduct.  The report took both carrot and stick approaches to the codes:  the FTC will view adherence to strong privacy codes “favorably” in connection with its enforcement actions, but the report warned that failure to abide by self-regulatory programs will continue to be an unfair or deceptive practice under the FTC Act.