Mar 29, 2012
On March 26, 2012, the Federal Trade Commission (FTC) issued its long-awaited final report on privacy, titled "Protecting Consumer Privacy in an Era of Rapid Change" (Report). This Report follows a preliminary staff report issued by the FTC in December 2010 (Preliminary Report). Since the Preliminary Report, the Commission notes that the industry has made significant progress in certain areas, most notably in responding to the Report’s call for Do Not Track, but that progress in other areas has been slower. Also, since the Preliminary Report, the FTC has initiated a number of enforcement actions against companies and industries involving unfair or deceptive practices with regard to consumer data, which help define and frame the issues of greatest concern to the FTC, as detailed in the Report. These cases involved the data practices of Google and Facebook, online advertising networks, mobile applications, list brokers involving the Fair Credit Reporting Act, and companies that failed to maintain reasonable data security.
The Report sets forth the FTC’s final privacy framework (described in detail below) and a number of proposals that will significantly impact entities that collect, use, and share consumer data obtained online, offline, and through apps and wireless devices. In particular, companies that collect data would be permitted to use consumer information only for purposes related to the particular purpose for which such information was collected or that may be reasonably expected by the consumer given the context of the situation. Any other uses would require notice to, and the consent of, the affected consumers. However, the FTC appears to retreat from its recommendation in the Preliminary Report for Do Not Track legislation, noting the industry’s efforts to improve consumer control over how their information is collected and used online for behavioral tracking and ad serving, and it encourages continued improvements and full implementation of those mechanisms.
Although the FTC does not specifically call for Do Not Track legislation at this time, it does encourage Congress to consider enacting basic privacy and data security and data broker legislation, consistent with the framework. At the same time, the Commission urges companies in the data industry to accelerate the pace of self-regulation to implement the Commission’s overall privacy framework. Should the industry not heed the FTC’s call, the agency suggests that legislation be enacted to advance these principles in order to protect consumers’ privacy in today’s digital age.
The following is a summary of the FTC’s findings and proposals:
Data Brokers: The Commission supports targeted legislation that would provide consumers access to their information held by a data broker and calls on data brokers that compile data for marketing purposes to explore creating a centralized Web site where brokers could (1) identify themselves to consumers and describe how they collect and use consumer data and (2) detail the access rights and other choices they provide with respect to the consumer data they maintain.
The Privacy FrameworkThe Report retains the general concepts of Privacy by Design, Simplified Choice, and Greater Transparency, as initially suggested in the Preliminary Report, with some changes as noted below.
Scope: The privacy framework would apply to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device, unless the entity collects only nonsensitive data from fewer than 5,000 consumers a year and does not share the data with third parties. This approach reflects a change from the scope of the Preliminary Report in terms of the entities and the type of data to which it applies. The Preliminary Report proposed that the privacy framework apply to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device. Thus the framework grants an exemption for smaller businesses that collect nonsensitive data. Second, the Report also clarifies the reasonable linkability standard by explaining that data is not “reasonably linkable” to the extent that a company (i) takes reasonable measures to ensure the data is de-identified, (ii) publicly commits to not trying to re-identify the data, and (iii) contractually prohibits downstream recipients from trying to re-identify the data. Thus the Report suggests that to the extent a company maintains and uses data that is identifiable and data that it has taken steps to de-identify, the company should silo that data separately. The privacy framework applies in all commercial contexts, i.e., to both offline and online data.
Privacy by Design: The framework follows the “privacy by design” concept set forth in the Preliminary Report, which recommends that companies incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy. The framework also recommends that companies adopt procedural protections to implement the substantive principles, i.e., companies should maintain comprehensive data management procedures throughout the life cycle of their products and services.
Simplified Consumer Choice: The framework also adopts the Preliminary Report’s principle that companies should simplify consumer choice. However, the framework modifies the approach as to how companies should provide consumers with choices.
Transparency: The Report also adopts many of the recommendations for transparency found in the Preliminary Report, including:
Why it matters: The Report demonstrates the FTC’s ongoing interest in consumer privacy issues and calls upon the industry to continue its notable efforts to date and for Congress to consider enacting certain baseline legislation. We expect the FTC to continue its active enforcement role in privacy matters, particularly in the five areas described above. Some of this activity will likely reflect the continuation of the FTC’s enforcement trends over the past few years, such as data security, honoring privacy policies, data retention and disposal practices, and data accuracy. However, the Report also provides new insight into how the FTC intends to evaluate the methods by which companies provide consumers with data collection choices and the ability to access the data they maintain.
back to top
Linda A. GoldsteinPartnerEmail212.790.4544
Jeffrey S. EdelsteinPartnerEmail212.790.4533
May 26, 2015Privacy & Data Security Webinar:Topic/Speaker: “Credit Card Breaches and PCI” Donna Wilson
Los Angeles, CA
For more information
May 28, 2015 Cyber Security Panel Discussion with US BankTopic/Speaker: “The Business of Security” Donna Wilson
Los Angeles, CA
For more information
Named 2015 “Law Firm of the Year” for Advertising Law
Recognized for Excellence in the areas of Advertising, Marketing and Media
Named a Top Practice Nationally for Marketing and Advertising
© 2015 Manatt, Phelps & Phillips, LLP. All rights reserved.