What Do You Really Need To Know About The FTC's Recent Report On Privacy?

Monday, January 3, 2011 - 00:00

On December 1, 2010, the FTC issued its long-awaited report titled "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers" (the "Report"). The Report was developed after a series of roundtable discussions among stakeholders designed to explore privacy issues in the 21st century. Those discussions focused on the challenges associated with advancing technology and business practices that allow for the collection and sharing of consumer data that often go unstated as well as unnoticed by consumers, and the resulting threats perceived by some to consumer privacy.

The Report is meant to build upon the notice-and-choice and harm-based models, the limitations of which have been recognized by the FTC. The Report provides a framework, applicable to all "commercial entities that collect data that can be reasonably linked to a specific consumer, computer, or other device," that attempts to balance the privacy interests of consumers against the interests of businesses to utilize consumer information to sell products and services.

There are three main tenets of the framework:

"Privacy By Design" - Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.

Consumer Choice - Companies should simplify consumer choice.

Transparency - Companies should increase the transparency of their data practices.

If the FTC's recommendations become requirements, how would they change what the typical company is doing today?


They apply both online and offline. Many companies have privacy policies that apply to the information they collect online, but make no promises to consumers about the information they collect offline, for example, in stores, at events, on the phone, via loyalty programs, through registration cards and the like. The FTC's report recommends that companies have privacy policies that apply offline as well.


They apply to what many companies think of as non-personally identifiable information, such as static IP addresses and other information that identifies a particular computer or device, but not necessarily a particular individual. This means that many companies' privacy policies will need to be revised.


They propose that consumers be given a choice, at the time and place that they provide their information to a company, about the use of their data by the company in unexpected ways (i.e., ways other than "commonly accepted practices"). For example, if the company will share the consumer's data with a third party for the third party's marketing purposes, the consumer should be given a choice about this at the time that they provide the information to the company and on the Web page on which they provide the data to the company. (Yes, we mean no more burying consumer choice notices in a privacy policy.) Other examples of when consumer choice would be required are when data will be sold to a data broker or other third party that is unknown to the customer or shared with others for behavioral marketing purposes.


Consumer choices could no longer be obtained using the good old pre-checked consent box.


When data collected in a brick-and-mortar store will be used by the company in one of these "non-accepted" ways, the FTC proposes that the sales associate communicate the consumer's choices to the consumer orally.


When a consumer opts out of a certain use of his or her data, that preference would be durable, and not subject to repeated additional requests from the company. (The FTC did not say this, but we presume this would mean, for example, that the FTC prefers an opt-out method that is not dependent on cookies that could inadvertently be deleted by the consumer, and that opt-out preferences not expire.)


The FTC proposes that data sharing with an affiliate be treated like data sharing with an unaffiliated third party, unless, possibly, the affiliate relationship is clear to consumers through common branding or similar means.


The FTC proposes that companies provide consumers with reasonable access to the data that they have about consumers. (Until now, U.S. law has not required this.)


The FTC proposes that companies obtain affirmative express consent from consumers before collecting, using or sharing sensitive information about consumers (such as financial or medical information, or precise geolocation data), or information about "sensitive" consumers such as children and possibly teens.


The FTC's recommendations cover companies that do not have direct relationships with consumers, such as data aggregators, and propose that these companies allow consumers to access and correct the information they have about consumers.


The FTC proposes that companies take steps to ensure the accuracy of the data that they have about consumers, especially if the data is being used to make decisions about consumers. A good example of this is a company that provides identity or age verification services to other companies.


The FTC proposes that companies only collect the data they need for their specific business purposes, and that they dispose of it (securely) when it no longer serves that purpose. (In other words, don't collect it or retain it "just in case it comes in handy for something later.")


The FTC endorses a universal consumer "Do Not Track" option, whereby a consumer can set his or her web browser to instruct Web sites not to engage in behavioral marketing on that consumer. (More on this when/if the required technology becomes available.)


The FTC proposes that companies assign personnel to oversee privacy issues.


The FTC proposes that companies have comprehensive privacy programs, and review them periodically to address changes in data risks and other circumstances. (Did you just finish your comprehensive written data security program? Time to start on your comprehensive written privacy program.)


The FTC proposes "privacy by design." In other words, companies should consider privacy issues relating to new products, services and business models in the early stages of their development. (As an example, no more sending new products to legal review at the last minute before launch.)


The FTC proposes shorter and more comprehensible privacy policies. The FTC might provide a model form privacy notice for this purpose. If you still want to include all the details in a shorter policy, the FTC suggests the "layered" policy approach, in which each policy layer links to more detail in the next layer.


You should have been honoring this for years, but, once again, companies cannot make material adverse retroactive changes to their privacy policies without robust notice to, and consent from, consumers. So when you are shortening your privacy policy, beware of inadvertent substantive changes that provide for lesser privacy protections than before.

The following is a more thorough discussion of the most important proposals of the FTC's report.

Privacy By Design

With respect to privacy by design, the Report proposes that companies address privacy issues from the start of their development of new products, services and business models, and build privacy protections into a company's everyday business practices. This should include issues relating to data security, reasonable collection limits, sound retention practices, and data accuracy. According to the FTC, baking privacy into an organization's everyday reality involves careful consideration and accountability. For this reason, the Commission recommends (a) assigning personnel to oversee privacy issues from the earliest stages of research and development, (b) training employees on privacy issues and (c) conducting privacy reviews of new products and services to determine the privacy implications of such innovations. In the FTC's own words, "such concepts are not new, but the time has come for industry to implement them systematically."

Consumer Choice

As to consumer choice, the Report suggests that companies provide simple, streamlined choices to consumers about their data practices. For "commonly accepted" data practices - such as collecting a consumer's name and address to deliver a product - consumer choice would not be necessary. But for data practices that are not "commonly accepted," consumers would be provided meaningful choices about how their data will be used. The Report also suggests the establishment of a uniform "Do Not Track" option, by which consumers would be able to opt out of having their online activities tracked for advertising purposes. The feasibility and merit of a "Do Not Track" system is a hotly debated issue. While some stakeholders argue that allowing consumers to affirmatively choose not to let companies learn about them by monitoring their online behavior is an important part of respecting consumer privacy, others fear that "Do Not Track" mechanisms may have serious unintended consequences for consumers, because Internet businesses use the money they make from targeted ads to subsidize the cost of free content and services on the Internet.

Transparency

With respect to transparency, the Report proposes that companies make their data practices more transparent. This part of the Report focuses on providing consumers with clear, concise, easy-to-read policies, access to the data that companies maintain about them, and notice and consent for significant retroactive changes to data policies. As the myriad ways in which businesses collect, use, store and disclose information have continued to grow, so too has the length of online privacy policies. Moreover, as mobile technologies increase in popularity and their screen sizes continue to shrink, it becomes more important to provide clear and concise descriptions of privacy practices. In that regard, the Report points to the recently introduced model financial privacy notices under the Gramm-Leach-Bliley Act as an example of the direction in which online privacy policies should head. The FTC hopes that such standardization will "allow consumers to make choices based on privacy and will potentially drive competition on privacy issues."

The Commission is soliciting comments from interested parties concerning the proposals discussed in the Report. Comments are due by January 31, 2011. Based upon the comments, the Commission intends to issue a final report sometime in 2011.

Kristen J. Mathews and Margaret Dale are Partners at Proskauer in New York. Ms. Mathews heads the firm's international Privacy and Data Security Practice. She is the editor of the treatise Proskauer on Privacy and is certified as an information privacy professional (CIPP) by the International Association of Privacy Professionals. Ms. Dale is a member of the Litigation & Dispute Resolution Department. For more information, visit http://privacylaw.proskauer.com.

Please email the author at kmathews@proskauer.com or mdale@proskauer.com with questions about this article.