• SPECIAL FOCUS: FTC Releases Highly Anticipated Final Report on Consumer Privacy

    On March 26, 2012, the Federal Trade Commission (FTC) issued its long-awaited final report on privacy, titled "Protecting Consumer Privacy in an Era of Rapid Change" (Report).  This Report follows a preliminary staff report issued by the FTC in December 2010 (Preliminary Report).  Since the Preliminary Report, the Commission notes that the industry has made significant progress in certain areas, most notably in responding to the Report’s call for Do Not Track, but that progress in other areas has been slower.  Also, since the Preliminary Report, the FTC has initiated a number of enforcement actions against companies and industries involving unfair or deceptive practices with regard to consumer data, which help define and frame the issues of greatest concern to the FTC, as detailed in the Report.  These cases involved the data practices of Google and Facebook, online advertising networks, mobile applications, list brokers involving the Fair Credit Reporting Act, and companies that failed to maintain reasonable data security.

    The Report sets forth the FTC’s final privacy framework (described in detail below) and a number of proposals that will significantly impact entities that collect, use, and share consumer data obtained online, offline, and through apps and wireless devices.  In particular, companies that collect data would be permitted to use consumer information only for purposes related to the particular purpose for which such information was collected or that may be reasonably expected by the consumer given the context of the situation.  Any other uses would require notice to, and the consent of, the affected consumers.  However, the FTC appears to retreat from its recommendation in the Preliminary Report for Do Not Track legislation, noting the industry’s efforts to improve consumer control over how their information is collected and used online for behavioral tracking and ad serving, and it encourages continued improvements and full implementation of those mechanisms. 

    Although the FTC does not specifically call for Do Not Track legislation at this time, it does encourage Congress to consider enacting basic privacy and data security and data broker legislation, consistent with the framework.  At the same time, the Commission urges companies in the data industry to accelerate the pace of self-regulation to implement the Commission’s overall privacy framework.  Should the industry not heed the FTC’s call, the agency suggests that legislation be enacted to advance these principles in order to protect consumers’ privacy in today’s digital age.

    The following is a summary of the FTC’s findings and proposals:

    • Do Not Track: The Commission believes the industry has made significant progress in implementing Do Not Track, and it intends to work with industry groups to complete implementation of an easy-to-use, persistent, and effective Do Not Track system.
    • Mobile: The Commission calls on companies providing mobile services to work toward improved privacy protections, including the development of short, meaningful disclosures.  The FTC staff will host a workshop on May 30, 2012, and will address, among other issues, mobile privacy disclosures and how these disclosures can be short, effective, and accessible to consumers on small screens.
    • Data Brokers: The Commission supports targeted legislation that would provide consumers access to their information held by a data broker and calls on data brokers that compile data for marketing purposes to explore creating a centralized Web site where brokers could (1) identify themselves to consumers and describe how they collect and use consumer data and (2) detail the access rights and other choices they provide with respect to the consumer data they maintain.

    • Large-Platform Providers: The FTC intends to host a public workshop in the second half of 2012 to explore privacy and other issues related to comprehensive tracking by large-platform providers.

     

    • Promoting Self-Regulatory Codes: The FTC will view adherence to sector-specific codes of conduct favorably in connection with its enforcement work.

    The Privacy Framework
    The Report retains the general concepts of Privacy by Design, Simplified Choice, and Greater Transparency, as initially suggested in the Preliminary Report, with some changes as noted below. 

    Scope: The privacy framework would apply to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device, unless the entity collects only nonsensitive data from fewer than 5,000 consumers a year and does not share the data with third parties.  This approach reflects a change from the scope of the Preliminary Report in terms of the entities and the type of data to which it applies.  The Preliminary Report proposed that the privacy framework apply to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device.  Thus the framework grants an exemption for smaller businesses that collect nonsensitive data.  Second, the Report also clarifies the reasonable linkability standard by explaining that data is not “reasonably linkable” to the extent that a company (i) takes reasonable measures to ensure the data is de-identified, (ii) publicly commits to not trying to re-identify the data, and (iii) contractually prohibits downstream recipients from trying to re-identify the data.  Thus the Report suggests that to the extent a company maintains and uses data that is identifiable and data that it has taken steps to de-identify, the company should silo that data separately.  The privacy framework applies in all commercial contexts, i.e., to both offline and online data.

    Privacy by Design: The framework follows the “privacy by design” concept set forth in the Preliminary Report, which recommends that companies incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy.  The framework also recommends that companies adopt procedural protections to implement the substantive principles, i.e., companies should maintain comprehensive data management procedures throughout the life cycle of their products and services. 

    Simplified Consumer Choice: The framework also adopts the Preliminary Report’s principle that companies should simplify consumer choice.  However, the framework modifies the approach as to how companies should provide consumers with choices.

     

    • Practices That Do Not Require Choice: The Preliminary Report set forth five categories of “commonly accepted” information collection and use practices for which companies could collect data without providing consumers with choice:  product fulfillment, internal operations, fraud prevention, legal compliance and public purpose, and first-party marketing.  The Report eliminates the five categories and instead focuses on the context of the interaction between the business and consumer.  Under this “context of the interaction” standard, companies need not provide choice before collecting and using consumers’ data for practices that are consistent with the context of the transaction, consistent with the company’s relationship with the consumer, or as required or specifically authorized by law.  The Report includes several factual examples to illustrate how the FTC would view this standard.   
    • Companies Should Require Consumer Choice for Other Practices (Opt-In): For data collection that is inconsistent with the context of the interaction standard, the Commission recommends that companies offer the choice at a time and in a context in which the consumer is making a decision about his or her data.  Specifically, companies should make appropriate disclosures to consumers when data is requested, also referred to as “just in time,” or when the company intends to use the data in a manner that is different from the purpose for which it was collected, rather than in a privacy policy or other legal document.
    • Do Not Track: With respect to opt-ins, the Commission commends the industry’s efforts to improve consumer control over online behavioral tracking by developing a Do Not Track mechanism and encourages continued improvements and full implementation of those mechanisms.

    Transparency: The Report also adopts many of the recommendations for transparency found in the Preliminary Report, including:

     

    • Clarity and Education: Privacy notices should be clearer, shorter, and more standardized to enable better comprehension and comparison of privacy practices.  All stakeholders should expand their efforts to educate consumers about commercial data privacy practices.
    • Access to Data: Companies should provide reasonable access to the data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of use.  The Report also expands the Commission’s recommendations for providing access to data, most notably with respect to special access mechanisms for data brokers and the teenage demographic.
    • Information Brokers: The Commission recommends that Congress consider enacting legislation to provide greater transparency for, and control over, the practices of information brokers, defining such brokers as companies that collect information, including personal information about consumers, from a wide variety of sources for the purpose of reselling such information to their customers for various purposes, including verifying an individual’s identity, differentiating records, marketing products, and preventing financial fraud.  This recommendation reflects the Commission’s belief that consumers should have more control over the practices of information brokers and that appropriate legislation could help address this goal.  Specifically, the Commission recommended (i) that such legislation include procedures for consumers to access and dispute personal data held by information brokers and (ii) that the data broker industry explore the idea of creating a centralized Web site where data brokers that compile and sell data for marketing could identify themselves to consumers and detail the access rights and other choices they provide with respect to the consumer data they maintain.
    • Teen Data: The Commission generally supports the exploration of an “eraser button” for teens through which they could delete content they post online.  However, such a feature would have to be carefully crafted to avoid implicating First Amendment concerns.

    Why it matters: The Report demonstrates the FTC’s ongoing interest in consumer privacy issues and calls upon the industry to continue its notable efforts to date and for Congress to consider enacting certain baseline legislation.  We expect the FTC to continue its active enforcement role in privacy matters, particularly in the five areas described above.  Some of this activity will likely reflect the continuation of the FTC’s enforcement trends over the past few years, such as data security, honoring privacy policies, data retention and disposal practices, and data accuracy.  However, the Report also provides new insight into how the FTC intends to evaluate the methods by which companies provide consumers with data collection choices and the ability to access the data they maintain.

    back to top