Published on:

FTC’s Consumer Privacy Protection Framework

Introduction

On December 1, 2010, the Federal Trade Commission (“FTC”) released its highly anticipated consumer privacy protection framework titled “Protecting Consumer Privacy in an Era of Rapid Change” (“Privacy Report”).  A copy of the Privacy Report may be obtained on the FTC website: http://www.ftc.gov/os/2010/12/101201privacyreport.pdf.  The FTC seeks public comment on the proposed privacy framework by January 31, 2011.

The proposed privacy framework has three major components: (1) privacy by design; (2) expansion of consumer choices about how companies collect and use consumer information; and (3) increased transparency of data collection practices.  All three components have already ignited a lively debate among consumer advocates, businesses, advertisers and policy makers.  Although, stated as tasks that a company “should do,” there is worry the FTC could take steps to use its enforcement powers against a non-compliant company.

Scope

All three of the privacy framework components would apply broadly to “commercial entities that collect, maintain, share or otherwise use consumer data that can be reasonably linked to a specific consumer.” (Privacy Report, p. 42.) Notably, the FTC proposes to largely do away with the dichotomy between personally identifiable information and non-personally identifiable information, instead changing the focus to any consumer information that “can be reasonably linked to a specific consumer, computer, or other device.” (Privacy Report, p. 43.)

Privacy by Design

The first component of the proposal is a “privacy by design” process which suggests businesses should implement four broad substantive privacy protections. First, companies that keep consumer information should employ reasonable safeguards to prevent unauthorized disclosure. (See Privacy Report, p. 44-45.) Second, companies should collect only the consumer information needed to fulfill a specific, legitimate business need. (See Privacy Report, p. 46.) Third, companies should implement “reasonable data retention periods,” retaining consumer data for only as long as there is a specific and legitimate business need to do so. (See Privacy Report, p. 46.) Location-based data, a form of data that is increasingly common in the mobile device community, was used by the FTC as an exemplar of data for which long-term retention presents significant consumer privacy concerns. (See Privacy Report, p. 47.) Finally, companies should take reasonable steps to ensure the accuracy of collected data, particularly “data that can be used to deny consumers benefits or cause significant harm.” (Privacy Report, p. 48.)

Expansion of Consumer Choice About How Companies Collect and Use Certain Types of Consumer Information

The second component of the FTC’s privacy framework includes the highly publicized “Do-Not-Track” mechanism targeted at behavioral advertising (i.e., collection of a user’s online browsing data to serve targeted advertisements to the user). Companies would also have to provide consumers a conspicuous “choice mechanism” to opt-out of having certain types of his or her information collected, used or shared.

Citing the lack of consumer control and “invisibility” of the uses of consumer information, the FTC privacy framework creates two categories of data practices: “commonly accepted data practices” and everything else. A company’s use of “commonly accepted data practices” would not require consumer consent. Only five types of data practices qualify, however, as “commonly accepted data practices.” These include data collection for product fulfillment services, fraud prevention and first-party marketing. (Privacy Report, pp. 53-54). First-party marketing would “include only the collection of data from a consumer with whom the company interacts directly for purposes of marketing to that consumer.” (Privacy Report, p. 55.) For all other types of data practices, companies would have to give consumers the ability to make informed choices about the collection, use and sharing of consumer information. (See Privacy Report, pp. 53; 57-63.) The “Do Not Track” mechanism would be an additional layer of consumer protection specifically targeted at on-line behavioral advertising. Essentially, the mechanism would allow consumers to limit or block on-line tracking through their browsers, probably by way of a persistent cookie on a consumer’s browser that conveys a setting to sites the browser visits to signal whether or not the consumer wants to be tracked or receive targeted advertisements. (See Privacy Report, p. 66-67.)

Transparency of Data Practices

The third component of the privacy proposal targets the form and content of off- and on-line privacy notices and seeks to grant consumers greater access and control over information that can reasonably identify them. (See Privacy Report, pp. 69-78.)  The privacy framework states that: (1) privacy notices should be “clearer, shorter and more standardized” (Privacy Report, p. 70-72); (2) companies should provide “reasonable access” to the consumer data they maintain (Privacy Report, p. 72-76); and (3) companies should provide prominent disclosures and obtain affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected (Privacy Report, p. 76-77.)

Conclusion

The FTC is not the only government agency considering consumer privacy changes. The United States Commerce Department is widely expected to release its own privacy report in the coming weeks and the Obama administration’s Office of Science Technology Policy is developing broad-based online privacy principles.  In short, practitioners need to be aware that significant changes in consumer privacy protections are coming soon.