The Federal Trade Commission has just issued its long-awaited final report revealing its framework on privacy, “Protecting Consumer Privacy in an Era of Rapid Change – Recommendations for Businesses and Policymakers.” The report does not establish any new laws or regulations; rather, it summarizes current law, recommends legislation, and suggests best practices for well-intentioned companies to follow. Nevertheless, many observers believe that the report’s “recommendations” may become regulations if they prove ineffectual. Furthermore, the framework and related FTC “to-do” list are consistent with the Obama administration’s recently released Consumer Privacy Bill of Rights. (Click BABC Client Alert for more information.) Indeed, this past Thursday, the FTC testified regarding its report and the Administration's Consumer Privacy Bill of Rights before Congress. FTC Chairman Jon Leibowitz emphasized the FTC's support of legislation requiring reasonable security measures, consumer notice in the event of data breaches, and consumer access to data broker information.
Scope of Framework
The report is organized along three sections: privacy by design, simplified choice, and greater transparency. The report emphasizes that the framework applies in all commercial contexts, both online and offline, due to the landscape of virtually ubiquitous collection of consumer data. But, to avoid overburdening small businesses, the final framework is limited in two significant ways. First, it does not apply to companies that collect limited amounts of non-sensitive consumer data from under 5,000 consumers per year, as long as they do not share the data with third parties. Second, because the best practices are intended to protect a consumer’s personally identifiable information (PII), data that is not reasonably linkable to a particular consumer or device is outside the purview of the report. Towards that end, the report identifies three things a company can do to de-identify data:
- Achieve a level of justified confidence that the data cannot reasonably be used to infer information about a particular individual or device; achievement of such confidence will depend upon the particular circumstances.
- Publicly commit to maintain and use the data in a de-identified fashion, and do not attempt to re-identify the data.
- If the company makes de-identified data available to other companies, it should contractually prohibit the other entity from attempting to re-identify the data, while exercising reasonable oversight to monitor compliance with the contractual obligations.
It is important to note that a reasonably expansive view of the information covered—information that is reasonably linkable to a consumer or device—coupled with restrictions on how such information may be used, could substantially alter a company’s obligations.
Privacy by Design
Privacy by design, which means building privacy into your products and practices from the beginning, is the framework’s first principle. The FTC encourages companies to incorporate substantive privacy protections into their practices, as well as maintain comprehensive data management procedures throughout the life cycle of their products and services. The FTC further called on Congress to enact data security and breach notification legislation that authorize the FTC to seek civil penalties in order to deter violations, which is consistent with the administration’s efforts.
The best practices clarify companies’ obligations in terms of collecting PII—namely, companies “should limit data collection to that which is consistent with the context of a particular transaction or the consumer’s relationship with the business, or as required or specifically authorized by law.” The best practices further clarify that appropriate disclosures—outside of a privacy policy or other legal document—are required for collection of any data that is inconsistent with these contexts.
Simplified Choice
The framework recommends that companies provide easy-to-use choice mechanisms that allow consumers to control whether their data is collected and how it is used. The framework recognizes that for some, however, the need to provide a choice mechanism would be overkill. Accordingly, companies engaged in collection and use practices that are consistent with the context of their interaction with consumers need not provide choices for those practices. Take, for example, the purchase of a car at a dealership. The personal information that was collected about the consumer at that time does not require a choice mechanism, nor would offers of free oil changes or notification of tire sales in subsequent years, because they are all consistent with the context of the transaction and the consumer’s relationship with the car dealership. But, if the dealership wants to sell the consumer’s information to a third-party data broker, then the consumer must be given a choice to allow that or not. This limitation is consistent with the consumer’s expectations with regard to the use of his or her information.
The bottom line is that many first-party marketing practices are consistent with the consumer’s relationship with the business, which would not implicate the choice requirement. Nevertheless, there are a few important caveats. First, even where a company has a first-party relationship with a consumer, tracking that consumer’s activities across other parties’ websites is not consistent with the context of the consumer’s first-party relationship with the entity and thus requires consumer choice. That is true even if the tracking occurs only across an affiliate’s website, unless the affiliate relationship is clear to consumers, such as common branding.
Second, the framework provides that affirmative express consent is required when a company uses sensitive data for any marketing, whether first- or third-party. That is especially true where a company’s business model is designed to target consumers based on sensitive data—including data about children, financial and health information, Social Security numbers, and certain geolocation data. Much of these types of data are already subject to separate current legal requirements and in many circumstances may form an overlay against existing compliance efforts.
Third, providing a “take-it-or-leave-it” choice mechanism is not appropriate in markets for important services where consumers have few options. In such cases, the consumer would not have been offered a meaningful choice. With respect to less important products and services in markets with sufficient alternatives, take-it-or-leave-it choice can be acceptable, provided that the terms of the exchange are transparent and fairly disclosed.
Fourth, the framework calls on businesses to provide a do-not-track (DNT) mechanism to give consumers control over the collection of their web-surfing data. Indeed, the report advocates the continued implementation of a universal, one-stop choice mechanism for online behavioral tracking. The report also calls for the choice mechanism to be easy to find and use, not to be overridden by clearing a cache or updating a browser, to be comprehensive and enforceable, and to allow opt-out for all uses that are not consistent with the context of the interaction (as opposed to simply opt-out of targeted ads). The report explicitly commended the development efforts undertaken to date, but noted that more work is required. Of particular concern are large platform providers that can comprehensively collect data across the internet. The FTC thus announced in the report that it will host a workshop in the second half of 2012 to explore the privacy and competition issues raised by the collection and use of consumer information by a broad range of large platform providers such as ISPs, operating systems, browsers, search engines, and social media platforms.
Finally, the framework calls on companies to obtain affirmative express consent before engaging in certain practices. These practices include making material retroactive changes to a company’s privacy policy and collection of sensitive data.
Greater Transparency
The framework asks companies to increase the transparency of their practices. Accordingly, privacy notices should be clearer, shorter, and more standardized to enable better comprehension and comparison of privacy practices. To that end, the FTC suggested that industry sectors come together to develop standard formats and terminology applicable to their particular industries. Moreover, given the complexities of the mobile environment, the FTC noted that it is updating its existing business guidance about online advertising disclosures and that it will host a workshop later this year that will address mobile privacy disclosures.
The FTC also believes that consumers should have access to their own data, though it acknowledges the burden to business from this requirement. Thus, the final report recommends that companies provide reasonable access to the consumer data they maintain, but the extent of that access should be proportionate to the sensitivity of the data and the nature of its use. The FTC also expressed its support for an “eraser button” where consumers would be able to delete content they post online, especially for teenagers.
The report acknowledges that data brokers require special attention, especially with respect to providing consumers access to their PII held by data brokers. The report thus calls for legislation to give access rights to consumers for information held by data brokers. Furthermore, the report recommends that the data broker industry explore the idea of creating a centralized website where data brokers that compile and sell data for marketing could identify themselves to consumers, describe how they collect consumer data, and disclose the types of companies to which they sell the information. This paradigm is comparable to the current consumer reporting agency model.
Conclusion
The framework provided by the privacy report is just that: a framework. Nevertheless, it would be a mistake not to heed the best practices articulated in the report. The FTC reiterated its view that data breaches and violations of privacy may be actionable under Section 5 of the FTC Act. The FTC’s approach is consistent with the objectives articulated by the administration just last month—both of which signal the advent of enforceable codes of conduct and legislation. Furthermore, many states have also enacted, or are in the process of considering enactment of, comparable consumer privacy and data security requirements.
The FTC also provided its own “to-do” list for the coming months:
- Do-Not-Track: The FTC will continue to work with the technology industry, including the DAA and the W3C, to complete implementation of an easy-to-use, persistent, and effective DNT system.
- Mobile: The FTC is updating its business guidance about online advertising disclosures and calls on companies providing mobile services to work toward improved privacy protections, including the development of short, meaningful disclosures.
- Data Brokers: The FTC calls on Congress to enact targeted legislation that would provide consumers with access to information about them held by a data broker.
- Large Platform Providers: To further explore privacy and other issues related to comprehensively tracking consumers’ online activities, the FTC intends to host a public workshop in the second half of 2012.
- Promoting Enforceable Self-Regulatory Codes: The FTC will participate in the Department of Commerce’s project to facilitate the development of sector-specific codes of conduct.
If you have any questions regarding the FTC’s report, the Consumer Privacy Bill of Rights, or related developing standards and legal requirements, please contact Jay Levine or Paige Boshell.
Current online FTC resources for businesses regarding privacy and security are available at http://business.ftc.gov/privacy-and-security.