Here’s a five-minute overview of the five major bodies that will influence the privacy, data protection and data security areas as we start 2011.
1. The Federal Trade Commission. The FTC’s privacy efforts focus on the FTC Act’s broad prohibition against “unfair or deceptive” acts or practices. The FTC also has played a valuable role in providing guidance to companies on appropriate privacy practices and has fostered valuable groups heading up industry self-regulatory efforts. But in December 2010, the FTC signaled that “self-regulation has not kept pace with technology.” The FTC’s report suggests a new normative framework for all commercial entities — online and offline — that handle any data that “can be reasonably linked to a specified consumer.” The report has three core principles:
- Privacy by Design. Companies should adopt practices to limit data collection, protect data that is collected, implement reasonable data retention periods, and ensure the accuracy of data as part of the design of their products and services.
- Choice. Companies should provide real choices to consumers, unless data is collected for “commonly accepted practices.” These choices should be clear and presented at the point where data is provided. A do-not-track option for targeted advertising also is suggested.
- Transparency. The FTC calls for privacy policies that are short, clear and standard.
Comments are due February 18, and the FTC will issue a final report in the late spring.
2. The Obama Administration. The Department of Commerce in December 2010 issued a “green paper” on privacy practices in the commercial sector. It recommends adoption of a national framework that would be built around a set of “fair information practice principles,” many of which would track the FTC’s recommendations. However, the Commerce approach is more encouraging to industry self-regulation than the FTC’s. It suggested that those adhering to self-regulatory guidelines might gain the benefit of a safe harbor. Comments on its report are due on January 28.
3. Congress. Privacy bills were introduced in the last Congress, after much study and debate, but the 111th Congress expired without new legislation. Whether the 112th Congress will start with a march toward legislation is an open issue. My colleague Gerry Waldron has a post that provides a great look at the prospects for legislation. In short, the Senate Commerce Committee may be able to move more quickly than the House Commerce Committee, given the significant changes in membership on the House side.
4. The Plaintiffs’ Trial Bar. More than 35 major privacy lawsuits were filed in 2010. The lawsuits have targeted unexpected sharing of consumer data with third parties. They also have focused on new tracking technologies that are alleged to circumvent user control, such as “Flash cookies,” “history sniffing,” “cookie re-spawning” and “deep packet inspection.” Privacy litigation can be expected to be a significant focus in 2011.
5. The European Commission. And if the developments on this side of the Atlantic weren’t enough, consider that the 1995 EU Data Protection Directive will be reconsidered in 2011. The safe harbor — the EU regulation that permits data to pass from countries that have privacy laws on par with Europe to those, like the U.S., that don’t — also is being reconsidered on its 10-year anniversary. Some 2,500 companies and organizations now are certified under the safe harbor, which raises the stakes for American industry.