FTC Releases Final Staff Report on Protecting Consumer Privacy
March 26, 2012
On March 26, 2012, the FTC released its final Staff Report titled, “Protecting Consumer Privacy in an Era of Rapid Change.” The report proposes a three-part privacy framework that would apply to online and offline commercial entities that collect and use certain types of consumer data.
- Privacy by Design: Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.
- Simplified Choice for Businesses and Consumers: Consumers should be able to make decisions about the collection/use of their data at the time the data is collected, and the burden on businesses of providing “unnecessary choices” should be reduced; and
- Greater Transparency: Information collection and use practices should be more transparent.
In the report, the FTC stated that it plans to focus its policy making efforts over the next year on the following five action items:
- Do Not Track – implementation of “an easy-to use, persistent, and effective Do Not Track system.”
- In the report, the FTC stated that an effective Do Not Track system should:
- Cover all parties that would track consumers;
- Be easy to find, understand, and use;
- Be persistent (e.g., choices should not be overwritten if consumers clear their cookies or update browsers);
- Be “comprehensive, effective, and enforceable,” opt consumers out of “behavioral tracking through any means,” and not “permit technical loopholes;” and
- Opt consumers out of behavioral data collection for all purposes other than those “consistent with the context of the interaction.” (i.e., do-not collect information vs. do not use information for ad targeting).
- Mobile – project to update FTC guidance about online advertising disclosures, including mobile privacy disclosures, in the hopes that its efforts “will spur further industry self-regulation in this area.”
- Data Brokers – supports “targeted legislation” to provide consumers with access to information about them held by data brokers;
- Large Platform Providers – the FTC plans to host a public workshop in the second half of 2012 to “explore privacy and other issues” related to comprehensive tracking by large platforms, including ISPs, operating systems, browsers, and social media operators.
- Enforceable Self-Regulatory Codes for Industry – the FTC plans to participate in the Dept. of Commerce project to facilitate the development of sector-specific codes of conduct.
The FTC made a few changes to the recommendations it included in its preliminary report in December 2010, including:
- Reduced scope of applicability – the final framework does not apply to companies that: (i) only collect non-sensitive data; (ii) collect data from fewer than 5,000 consumers per year; and (iii) do not share the data with third parties.
- Clarification that the FTC would not consider data “reasonably linkable” to a consumer, computer, or device, to the extent that the company: (i) takes “reasonable measures” to de-identify the data; (ii) publicly states they will not try to re-identify the data; and (iii) contractually prohibits third parties that receive the data from attempting to re-identify the data.
- Revision of its approach to how businesses should provide consumers with privacy choices; and
- Addition of a recommendation for Congress to consider enacting legislation to provide transparency over data broker practices.
A more detailed analysis of the report will be provided in a forthcoming client alert.
