The FTC today released a long-awaited Staff Report (though in preliminary form) that examines the status of privacy law and enforcement by the agency and proposes a framework for greater consumer privacy protections in the products and services developed by businesses. The Report, which follows a series of public roundtable discussions on privacy held by the FTC over the past year, is comprehensive in identifying many pressing privacy issues.
The Report starts by providing a background on the FTC’s notice-and-choice and harms-based approach to privacy, and its recent privacy enforcement actions. It discusses the limitations of the current model (for example, the burden on consumers in reading and understanding privacy policies). It summarizes the results of the roundtables, and then details a framework to guide commercial entities that collect or use consumer data.
The framework contains three top-level maxims:
- Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services. This includes incorporating substantive privacy protections — such as data security and retention practices — into business processes (such as is touted in the Privacy by Design model developed by the Privacy Commissioner of Ontario, Dr. Ann Cavoukian), and maintaining comprehensive data management procedures throughout the lifecycle of products and services.
- Companies should increase the transparency of their data practices, such as by clarifying, shortening, and standardizing privacy notices; providing reasonable access to the consumer data they maintain; providing prominent disclosures and obtaining affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected; and working to educate consumers about commercial data privacy practices.
One specific proposal contained within the Report is a "Do Not Track" mechanism that the FTC contemplates could be advanced either by legislation or enforceable industry self-regulation. Do Not Track would require businesses to comply with a consumer’s centralized opt-out of online behavioral tracking. Notably, no specifics are provided on what such legislation or self-regulation might look like. The Future of Privacy Forum, a think tank founded and co-chaired by Hogan Lovells privacy lead Chris Wolf, presented a program shortly after the FTC Report was released on how technology and existing law could empower consumers who wish not to be tracked. For a detailed description from the FPF about how Do Not Track would work, check out their summary here.
Though concurring with the Report, Commissioner William Kovacic submitted a separate opinion arguing that the call for new controls on online tracking was premature. Commissioner Thomas Rosch also concurred, stating that while he thought the Report served a purpose as a "hortatory exercise" suggesting desirable best practices, he disagreed with its suggestion that the FTC’s current notice-and-choice model is inherently flawed and needs to be discarded in favor of a theoretical, untested new framework.
The Report also contains an appendix posing dozens of questions for interested parties to address with respect to the proposals set forth. In that way, the Report actually may be seen as continuing the process of examining privacy that started with the roundtables rather than finishing the examination process with decrees, as some may have expected.
The staff seeks comments by January 31, 2011 on each component of the proposed framework and "how it might apply in the real world." Based on the comments received, the FTC will issue a final report in 2011.