Amid increasing concerns about consumer privacy issues, on March 26, 2012, the Federal Trade Commission (FTC) issued its final report¹ on guidelines for “Protecting Consumer Privacy in an Era of Rapid Change” (FTC Report). While not intended to act as a template either for law enforcement or for regulation by the FTC under existing laws, the FTC Report is instead intended to provide recommended best practices for industry as well as to assist Congress as it considers privacy legislation.
The FTC Report is the culmination of FTC efforts and public comment that began with the FTC’s preliminary report, released in December 2010. The purpose of the preliminary report was to advocate for the adoption of a privacy framework that would update—yet remain consistent with—the Fair Information Practice Principles, first articulated in 1974.² Since the release of the FTC’s preliminary report, we have seen increasing public awareness of consumer privacy issues, along with several high-profile enforcement actions brought by the FTC under various privacy laws and regulations.³ In addition, complaints of identity theft and other privacy-related concerns have continued to draw attention from government organizations, companies, advocacy groups, and individual users.⁴ The FTC Report responds to these changes and concerns, and notes that “[a]lthough some companies have excellent privacy and data security practices, industry as a whole must do better.” Through a series of roundtables, the FTC identified certain key areas to target as part of its efforts to address the adequacy of existing consumer privacy protections in light of “21st century technologies.” The FTC organized these key areas into three components: Privacy by Design, Simplified Consumer Choice, and Greater Transparency.
The FTC identified these three key components in response to what were identified as shortcomings in existing privacy frameworks. The intent behind the FTC’s Privacy by Design component is to encourage companies to treat consumer privacy as their “default setting.” The FTC’s recommendation to companies is to address consumer privacy at every stage, thus shifting the burden away from consumers. The FTC Report suggests that companies should delete consumer data no longer needed and allow consumers to do the same, provide reasonable security for data, limit collection of data (consistent with the context of a particular transaction), and implement reasonable data retention and disposal policies.
The Simplified Consumer Choice component asks companies to develop mechanisms to enable consumers to better control tracking of their online activities, a concept referred to as “Do Not Track.” Under the proposed framework, this consumer control includes providing consumers with a choice whether to be tracked across other parties’ Web sites (including affiliates’ Web sites). Finally, the FTC Report calls on companies to improve consumer understanding of commercial data practices through increased transparency and visibility into these practices. The FTC’s recommendations in this component include offering clearer and shorter privacy notices, providing access to consumer data and educating consumers about a company’s data privacy practices.
Based on concerns about possible undue burdens the proposed framework would place on small businesses, the FTC made changes to the preliminary report’s scope. The FTC restated the scope to apply to “all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer or other device, unless the entity collects only non-sensitive data from fewer than 5,000 consumers per year and does not share the data with third parties.” It should be noted, however, that the FTC’s framework is intended to apply in all commercial contexts, which includes both online and offline data that can be “reasonably linked to a specific consumer, computer, or other device.”
The FTC Report urges Congress and industry to consider the proposed framework, and signals the intent of the FTC to focus its efforts on five specific areas, which include Do Not Track, Mobile, Data Brokers, Large Platform Providers, and Promoting Enforceable Self-Regulatory Codes. Notably, the FTC supports targeted legislation to provide consumers with access to information about them held by data brokers, and calls on data brokers to compile data for a centralized Web site designed to “identify [data brokers] to consumers” and “detail the access rights and other choices [the data brokers] provide with respect to the consumer data they maintain.” The FTC Report defines data brokers as “companies that collect information, including personal information about consumers, from a wide variety of sources for the purpose of reselling such information to their customers for various purposes, including verifying an individual’s identity, differentiating records, marketing products, and preventing financial fraud.”
The FTC’s Report, while comprehensive and based upon public comment gathered from a wide array of industry groups, corporations, and consumer advocacy organizations, is not intended to enable enforcement beyond existing legal requirements, but is instead presented as a set of guidelines the FTC is advocating both in industry and in government. Of course, the FTC has exercised in the past its broad powers under Section 5 of the FTC Act to prosecute companies for engaging in unfair trade practices to protect consumers’ privacy interests.⁵ While it is unlikely that, in an especially contentious election year, any legislative action will come of this report in the short term, the FTC Report provides companies with a roadmap of the FTC’s current thinking on consumer privacy. Due in part to the increasing amount of attention the topic of consumer privacy has garnered in recent years, as well as the FTC’s broad enforcement powers in this area, companies and organizations that fall within the scope of the FTC Report will do well to carefully consider the FTC’s proposed framework with an eye toward the future.
1 Available at http://www.ftc.gov/os/2012/03/120326privacyreport.pdf.
3 See, e.g., In the Matter of Facebook, Inc., a corporation, FTC File No. 092 3184; In the Matter of Google, Inc., a corporation, FTC File No. 102 3136; In the Matter of ScanScout, Inc., a corporation, FTC File No. 1023185; U.S. v. RockYou, Inc., FTC File No. 1023120; In the Matter of SettlementOne Credit Corporation, a corporation, and Sackett National Holdings, Inc., a corporation, FTC File No. 082 3208.
4 See, e.g., Federal Trade Commission, The FTC Releases Top Complaint Categories for 2011, February 28, 2012, http://ftc.gov/opa/2012/02/2011complaints.shtm; Pew Research Center, Privacy management on social media sites, February 24, 2012, http://www.pewinternet.org/Reports/2012/Privacy-management-on-social-media.aspx; Consumers Union, Consumer Comments to the NTIA on ‘Multistakeholder Process to Develop Consumer Data Privacy Codes of Conduct’, April 3, 2012, http://hearusnow.org/document/consumer-comments-to-the-national-telecommunications-and-information-administration-on-multistakeholder-process-to-develop-consumer-data-privacy-codes-of-conduct.
5 The FTC has brought more than 22 actions in the past 10 years under Section 5 of the FTC Act, 15 U.S.C. §45.
Sharon R. Klein and Jeffrey L. Vagle