In December 2010, the Federal Trade Commission ("FTC") issued a preliminary staff report that proposed a framework for protecting consumer privacy and urged companies to adopt a set of best practices to protect consumer privacy. Since that time, the FTC has received more than 450 public comments in response to its preliminary staff report from various stakeholders, including businesses, privacy advocates, technologists and individual consumers. According to the FTC, a wide range of stakeholders, including industry, supported the principles underlying the privacy framework, and many companies said they were already practicing such principles. At the same time, many commentators criticized the slow pace of self-regulation and argued that it is time for Congress to enact baseline privacy legislation.
After consideration of the comments and analysis of ever changing technology, the FTC issued its report on March 26, 2012, titled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers.” The report contains an updated framework, which the FTC states is intended to articulate best practices for companies that collect and use consumer data. Further, the FTC states that with this report, it is calling on companies to act now to implement these best practices to protect consumers’ private information.
The report is not law. Indeed, Commissioner J. Thomas Rosch filed a dissenting statement to the final report which, although generally agreeing with the concepts therein, objected that the final report’s recommendations may be incorrectly construed as federal requirements. With that said, the FTC noted that “[o]verall, consumers do not yet enjoy the privacy protections proposed in the preliminary staff report,” and, indeed, the final report recommends that Congress enact baseline privacy legislation. Thus, although the recommended “best practices” are not enforceable on a standalone basis, such best practices may become law in the future and may also form the basis for claims under other statutes for alleged privacy violations.
The FTC intends that the privacy framework apply to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer or other device unless the entity collects only non-sensitive data from fewer than 5,000 consumers per year and does not share the data with third parties. This includes both online and offline consumer data. For example, where a consumer interacts directly with a business, such as through the use of a loyalty retail card, and thus the consumer data is obtained "offline," the business is nonetheless expected to implement these best practices.
While there continues to be ongoing debate about what constitutes “sensitive” data, the FTC notes that the general consensus at this time is that a Social Security number as well as financial, health, geolocation and children’s information constitutes sensitive data. Thus, according to the report, in order to fall within the exception and thus, outside the scope of the privacy framework, the information collected and/or used should not be of this nature.
Privacy by Design
This basic principle provides that companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.
This includes incorporating both procedural and substantive privacy protections into their practices, such as data security; reasonable collection limits, particularly in the case of children and teens; sound retention policies, including deleting information they no longer need; and data accuracy. The FTC calls on companies to create a comprehensive privacy program, designate employees responsible for implementing the program, train its employees to ensure compliance with the program and to educate its consumers as well.
Simplified Consumer Choice
Under this principle, the FTC calls on companies that collect and use consumer data to provide easy-to-use choice mechanisms that allow consumers to control whether their data is collected and how it used. To ensure that choice is most effective, the report states that a company should provide the choice mechanism at a time and in a context that is relevant to consumers — generally at the point the company collects the consumer’s information. One of the primary examples of such a choice mechanism is a “Do Not Track” icon that is easy to see and use, although the reports cites several different examples of appropriate choice mechanisms.
The report recognizes, however, that there are certain commonly accepted practices that should not require a consumer choice mechanism. For example, where the information is used to market directly back to the consumer, i.e., first party marketing, and the information is not shared with third parties, the FTC suggests a consumer choice mechanism may not be required in this context.
However, in the case of sensitive data, irrespective of whether it is used for first party or third party marketing, the FTC states that affirmative express consent before collection is appropriate. Further, to the extent a company decides to use data in a materially different manner than was disclosed at the time it collected the data, the company should also obtain the consumer’s express consent before implementing that changed use.
Under this principle, the FTC calls on industry to make privacy statements clearer, shorter and more standardized. Further, it calls on companies to give consumers reasonable access to their data and, if necessary, the ability to correct it and to undertake consumer education efforts to improve consumers’ understanding of how companies collect, use and share data.
The FTC concludes its report by recommending that Congress consider baseline privacy legislation while industry implements the privacy framework, described generally above, through strong and enforceable self-regulatory initiatives. Throughout the report, the FTC repeatedly refers to numerous enforcement actions against companies who, according to the FTC, have failed to comply with these best practices. The FTC also points to several orders under which companies paid substantial penalties and fines as a result of claims that the companies misused consumer data and which are now subject to enforceable protocols pursuant to which they must follow and comply with these best practices at the risk of further penalties and fines for failure to do so.
Consequently, companies who collect or use consumer data should review their current privacy policies and programs to consider whether they should adopt changes to align with the best practices articulated in the FTC’s report.