"Protecting Consumer Privacy in an Era of Rapid Change," December 9, 2010
On December 1, 2010, the U.S. Federal Trade Commission (“FTC”) released its staff report on consumer privacy. This report outlines the FTC’s preliminary recommendations to protect consumers in the privacy arena. The report is entitled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers” and can be found in its complete form at: http://www.ftc.gov/os/2010/12/101201privacyreport.pdf The proposed staff framework represents a significant change in the way the FTC views data privacy. Previous FTC policy was based on the idea of “notice and opt-out”. The rationale was that it was legally sufficient if a business gave notice of its privacy practices and gave consumers the opportunity to “opt-out” of having their data collected. The proposed framework increases the burden on businesses to attempt to balance consumers’ privacy interests with the ever-changing technological innovation that requires consumer information to function. The report addresses the need to reduce the burden on consumers by simplifying choice, making privacy policies more consistent across the board, and embracing the concept of “privacy by design.” That concept, which some have criticized as vague and ambiguous, embraces the idea that businesses should develop their systems and operations from inception with the goal of protecting consumer privacy and that other commercial concerns should be secondary. In many cases, the report claims, consumers do not even realize that they are providing or sharing the information. For instance, the report specifically mentions the example of social media or online shopping sites that track a consumer’s interests and share those personal interests with other affiliates or third parties. Many companies use privacy policies to explain their information practices, but these legalistic disclosures are often lengthy, hard to find, and not understood by consumers. To deal with this problem, the FTC supports implementation of a “Do Not Track” mechanism so that consumers can easily choose whether to allow the collection of data regarding their online searching and browsing activities. However, the FTC falls short of proposing who will be responsible for developing and/or maintaining such mechanisms, and the report concedes that the FTC may lack the legal authority to mandate such a system. To reduce further the burden on consumers and increase consumer privacy protections, the report recommends that “companies should adopt a ‘privacy by design’ approach by building privacy protections into their everyday business practices.” This would include reasonable procedures to promote data accuracy, reasonable security for consumer data, as well as limited collection and retention of such data. In addition, companies should implement and enforce reliable privacy practices throughout their organizations, including training employees on privacy policies and conducting privacy reviews for new products and services. The report also recommends other measures to improve the transparency of information practices, including consideration of standardized notices that allow the public to compare information practices of competing companies. The report recommends allowing consumers “reasonable access” to the data that companies maintain about them, particularly for data brokers. The FTC staff report should be of interest to every business that collects consumer data in any form, including banks, hospitals, health care providers, social networks, online directories, Internet advertising businesses and online merchants. While the FTC staff report does not carry the weight of law, it does represent the opinions of the FTC and can form the basis for regulatory enforcement and possible future legislation. If all of the staff report’s provisions became law, most businesses with online data collection mechanisms would need to implement significant changes in the way they do business. Deadlines for comment on the proposals are January 31, 2011, and the report includes a number of specific questions on which the FTC is seeking feedback. Companies with an interest in online data collection should review the FTC staff report carefully and consider providing comments to the FTC. Taylor English attorneys regularly advise clients on online data privacy standards and risks and are available to discuss the FTC staff report. For more information please contact Jonathan Wilson, at 678.336.7185.