Privacy Alert: FTC Releases Final Privacy Report
On March 26, 2012, the Federal Trade Commission ("FTC") released its much anticipated privacy report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers ("Report"). The Report builds on a preliminary FTC staff report released in December 2010, and comes on the heels of the White House report outlining the Administration's vision of a national privacy framework, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy. The FTC and U.S. Department of Commerce will collaborate to implement the complementary initiatives outlined in the two reports, including the concept of multi-stakeholder enforceable codes of conduct. Indeed, the National Telecommunications and Information Administration has already issued a notice soliciting comments on the process and priorities for multi-stakeholder codes of conduct.
Importantly, while urging businesses to implement best practices in managing data, the FTC calls for enactment of federal "baseline" privacy legislation, data security and data breach legislation, and legislation governing data brokers, particularly the right to access and dispute data held by data brokers. A March 29 hearing before the House Energy and Commerce Subcommittee on Manufacturing and Trade on the earlier White House report was scheduled prior to the release of the FTC report; debates about privacy and data security legislation will likely increase in the run-up to the fall elections.
Overview
The Report reaffirms the three core concepts in the preliminary framework outlined by the FTC in the 2010 report:
- "Privacy by design,"
- Simplified consumer choice about data practices (i.e., "Do Not Track"), and
- Improved transparency in privacy notices.
These themes appeared in the FTC's proposed changes to the Children's Online Privacy Protection Act ("COPPA"), as well as the FTC's recent report on mobile apps. However, the FTC makes new recommendations in the following areas:
- The framework applies to commercial entities that collect or use consumer data, whether online or offline, that can be "reasonably linked" to a specific consumer, computer or device, except companies that collect non-sensitive information from fewer than 5,000 consumers per year and do not share the information with third parties.
- Data is not "reasonably linked" to a consumer, computer or device if the company: (1) takes reasonable measures to ensure that the data is de-identified; (2) publicly commits to not re-identify the data; and (3) contractually prohibits downstream recipients from trying to re-identify the data.
- The FTC's view is that choice is not required to collect and use data for practices consistent with the context of the transaction or the company's relationship with the consumer, or as required or authorized by law.
FTC's Recommended Privacy Framework: The Three Core Principles
The Report discusses the three core principles in more detail.
Privacy by Design: Companies should promote privacy throughout the organization, at every stage of product and services development. Specific privacy protections that should be implemented include data security, reasonable collection limits, sound retention and disposal practices, data accuracy, designating responsible personnel, overseeing service providers, and educating consumers. Data should only be collected consistent with the context of a particular transaction or consumers' relationship with the company, or as required or authorized by law. Beyond that, companies should make appropriate disclosures to consumers at "a relevant time and in a prominent manner – outside of a privacy policy or other legal document."
Simplified Consumer Choice: Companies should offer choice at the time when the consumer is making a decision about the collection or use of his or her data. This "just in time" notice concept is one that has been discussed in connection with COPPA and mobile apps. However, businesses have been reluctant to adopt short notices in light of threats of litigation given the nuances of data collection and use.
Companies should provide a "Do Not Track" mechanism for behavioral advertising that:
1. Is implemented universally to cover all parties that would track consumers;
2. Is easy to find, understand, and use;
3. Offers persistent choices that cannot be overridden (e.g., if consumers clear cookies or update their browsers);
4. Is comprehensive, effective and enforceable; and
5. Goes beyond simply opting consumers out of receiving targeted advertisements.
Express affirmative (opt-in) consent should be obtained before making material retroactive changes, or collecting sensitive data (information about children, financial, and health information, Social Security numbers, and precise, individualized geolocation data) for certain purposes.
Transparency: Companies should implement privacy policies that are clear, concise, and more standardized. Stakeholders should come together to develop standard formats and terminology for privacy statements applicable to their industry. Reasonable access to consumer data should be provided, proportionate to the sensitivity of the data and the nature of its use. The FTC also noted its support for an "eraser button" whereby consumers can delete content that they post online, especially for teens.
Implementation of the Framework
In addition to "vigorously enforcing" existing laws, working with industry on self-regulation, and educating consumers, the FTC intends to implement the framework by focusing on the following five key areas:
1. Implementing a uniform Do Not Track mechanism;
2. Improving privacy disclosures for mobile services;
3. Increasing the transparency of data collection practices of data brokers;
4. Exploring privacy issues related to large platform providers, such as Internet Service Providers, operating systems, browsers, and social media; and
5. Participating in the multi-stakeholder process to promote enforceable codes of conduct, as called for by the White House framework.
With regard to mobile services and mobile apps, the framework advocates short, meaningful disclosures, reasonable data retention and disposal policies, and limits on data collection as needed to fulfill a requested service or transaction. The FTC calls on companies in the mobile ecosystem to work together to establish standards that address data collection, transfer, use, and disposal, particularly when collecting geolocation data. The FTC also plans to hold a workshop later in the year to explore privacy and other issues related to large platforms.
* * *
Some of the recommendations in the Report reflect the FTC's departure from the traditional view of personally identifiable information ("PII"), reflecting a position advanced in the FTC's revisions to the COPPA Rule. Non-PII that can be reasonably linked to a consumer, computer or device would be covered. For comparison purposes, the proposed revisions to the COPPA Rule define "personal information" to include information outside the scope of traditional PII, such as screen or user names, persistent identifiers, geolocation information, photographs, video, and audio files, as well as any information combined with an item of personal information. An expansive definition of personal information, coupled with a narrow definition of how such information can be used to manage advertising, conduct research, and improve products and offerings will dramatically change obligations for businesses.
Also noteworthy is Commissioner Rosch's thoughtful dissenting statement. He criticizes the Report for its reliance on the Commission's "unfairness" rather than its "deception" authority, and raises questions about competition considerations associated with standard-setting, as well as implications of a move to an opt-in default standard. Importantly, he described the concept of enforceable codes of conduct as a "tautology," saying "either these practices are to be adopted voluntarily by the firm involved or else there is a federal requirement that they be adopted, in which case there can be no pretense that they are 'voluntary'." These significant legal concerns merit close consideration by affected stakeholders.
For more information on privacy and data security issues, please contact Sheila Millar (+1 202.434.4143, millar@khlaw.com) or Tracy Marshall (+1 202.434.4234, marshall@khlaw.com).