Last week the FTC issued its final report to address privacy issues associated with new and emerging technologies and business models (“Report”). This follows the FTC’s preliminary report issued in December 2010. Since the preliminary report, the FTC received and considered over 450 comments prior to making its final recommendations.
The Report articulates a privacy framework of best practices (“Framework”) for businesses to follow in developing and implementing privacy and security practices relating to the collection and use of consumer data. While not legally binding, the Framework is an indication of how the FTC will use its enforcement and regulatory authority, including its authority to challenge unfair or deceptive practices, under Section 5 of the FTC Act. As such, companies should pay close attention to the Framework in order to mitigate the risk of FTC enforcement actions.
The Framework’s recommendations for businesses and policymakers include:
Small Business Exemption: While the Framework applies to both online and offline consumer data that is collected, the FTC has exempted companies that collect non-sensitive consumer data from fewer than 5,000 consumers a year, provided that such information is not shared with third parties.
Privacy by Design: Companies should incorporate privacy and security protections throughout the organization and at all steps in the design of their products and services.
Simplified Choice: Companies should offer a consumer a choice at a time and in a context in which the consumer is making a decision about his or her data.
Context Considerations for Not Providing Consumer Choice: The FTC has stated that a company is not required to provide a consumer a choice before collecting personal information if the company is using the data consistent with the context of the transaction, the company’s relationship with the consumer, or as required by applicable law. The FTC cites common examples where the context of a transaction may fit these criteria, including product fulfillment, internal operations, fraud prevention, legal compliance and first-party marketing.
Greater Transparency: Privacy notices should be clearer, shorter and more standardized. Consumers should have reasonable access to their data.
Five-Stage Implementation of the Framework:
- Do Not Track: The FTC stated that industry has made significant progress in implementing “Do Not Track” features and will continue to work with the industry “to complete implementation of an easy-to-use, persistent and effective Do Not Track system” for consumers.
- Data Broker Legislation and Centralized Website: The FTC recommends that Congress enact “targeted legislation—similar to that contained in several of the data security bills introduced in the 112th Congress”—to grant consumers rights to access information about them that is held by a data broker. To further ensure greater transparency and control over the practices of data brokers that compile data “for marketing purposes,” the FTC calls on them to provide “a centralized website” to give consumers information about the marketing data those brokers hold and the choices consumers have with respect to the collection and use of that data.
- Mobile Privacy: The FTC calls on companies providing mobile services to improve privacy protections with respect to mobile devices, in particular the development of “short, meaningful disclosures” for consumers using them. The FTC will be updating its business guidance about online advertising disclosures and will host a workshop on May 30, 2012 to address mobile privacy issues, including making privacy disclosures accessible to consumers on small screens.
- Large Platform Providers: The FTC will host a public workshop in the second half of 2012 to address heightened privacy concerns relating to the ability of large platforms, such as Internet service providers, operating systems, browsers, and social media, to “comprehensively track consumers’ online activities.”
- Promoting Self-Regulatory Codes of Conduct: The FTC supports the efforts of the Department of Commerce to facilitate the development of “sector-specific codes of conduct” on privacy issues and will “view adherence to such codes favorably” in connection with its enforcement of Section 5 of the FTC Act.