Today the Federal Trade Commission (FTC) issued its long-awaited final privacy report, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers,” which is intended to articulate “best practices” for companies that collect and use consumer data, and to assist Congress as it considers new privacy legislation.
The Report calls for companies to implement (1) privacy by design, (2) simplified consumer choice, and (3) greater transparency, and (4) recommends that Congress pass baseline privacy legislation. The Report also encourages companies to incorporate substantive privacy protections (e.g., data security, collection limits, retention and disposal practices, data accuracy) and maintain comprehensive data management procedures throughout product and service life-cycles. In addition, companies should give consumers a choice about their data at a time and in a context in which the consumer is making the decision, and obtain affirmative express consent before collecting sensitive data or making material retroactive changes to privacy representations. Access to data should be proportionate to the sensitivity of the data and the nature of its use, and privacy notices should be clearer, shorter, and more standardized.
FTC Chairman Jon Leibowitz commented on the Report that "[i]f companies adopt our final recommendations for best practices – and many of them already have – they will be able to innovate and deliver creative new services that consumers can enjoy without sacrificing their privacy."
Although much of the Report retains the FTC’s earlier privacy framework proposals, it includes revised recommendations in several key areas:
- Small Business Carve-Out: To address concerns raised by small businesses, the final privacy framework does not apply to companies that collect only non-sensitive data from fewer than 5,000 consumers a year, provided that they do not share the data with third parties.
- Approach to Determining Whether Data is “Reasonably Linkable” and Thus Covered by Privacy Protections: The Report clarifies that data is not “reasonably linkable” to the extent that a company: (1) takes reasonable steps to ensure that the data is de-identified; (2) commits publicly not to re-identify the data; and (3) contractually prohibits downstream recipients from attempting to re-identify the data.
- Choice: The Report modifies the FTC’s proposed approach to how companies should provide privacy choices to consumers. Under the revised approach, companies can collect and use consumer data without providing a choice for “practices that are consistent with the context of the transaction, consistent with the company’s relationship with the consumer, or as required or specifically authorized by law.” Although first-party marketing generally does not require choice, certain practices such as tracking consumers across websites (e.g., deep packet inspection, social website plug-ins, “retargeting”), collecting sensitive data, and sharing with separately-branded affiliates likely require choice. The Report notes that a “take-it-or-leave-it” choice approach for important products and services raises concerns in situations where consumers have limited alternatives (e.g., patented medical devices, broadband Internet access).
- Data Broker Legislation: The FTC recommends new targeted legislation to address the practices of information brokers, and recognizes that the more sensitive the data, the greater the protections needed.
The new framework applies to both online and offline contexts and to data that is “reasonably linkable” to specific consumers, computers, or devices.
The Report also highlights five “action items” that the FTC will focus on over the next year to promote the new privacy framework:
1. Do Not Track: The FTC will work with industry to implement an “easy-to-use, persistent, and effective Do Not Track system.”
2. Mobile: The FTC recommends that companies providing mobile services improve their privacy practices, including through the use of shorter, more meaningful disclosures. The FTC is planning to update its online advertising guidelines and hold a workshop on mobile privacy disclosures.
3. Data Brokers: As mentioned above, the FTC is supporting targeted legislation to provide consumers with greater access to the personal information held by data brokers. It also recommends that data brokers develop a centralized website to identify themselves to consumers and describe their information practices, and to detail the access rights and other choices they provide with respect to consumer data.
4. Large Platform Providers: The FTC is planning to host a public workshop in the second half of 2012 to explore privacy issues associated with “comprehensive” online tracking that can be conducted by ISPs, operating systems, browsers, and other large platforms. This technology-neutral approach focuses on function rather than labels.
5. Self-Regulatory Codes: The FTC will participate in the Department of Commerce’s upcoming multistakeholder process to develop voluntary, enforceable industry codes of conduct.