Overview of the FTC’s Report on Consumer Privacy
On December 1, 2010, the Federal Trade Commission (“FTC” or “Commission”) released a preliminary staff report (the “Report”) setting forth a framework for how commercial entities should protect consumer information.
Through this Report, the Commission seeks to inform policymakers, including Congress, in their development of solutions, policies, and potential laws governing privacy. The Report is also intended to guide and motivate the industry as it develops best practices and self-regulatory guidelines. Notably, the FTC observed that industry efforts to develop meaningful protections for consumer information have fallen short in recent years, which suggests that legislation in this area is likely warranted.
The Report lays out a proposed framework based on three substantive elements, each discussed in detail below:
Privacy by Design: Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.
Increased and Simplified Consumer Choice: Companies should simplify consumer choice to limit the uses and sharing of consumer information that are not reasonably expected.
Increased Transparency of Data Practices: Companies should increase the transparency of their data practices, including clear and easy-to-understand privacy policies, reasonable access to the data they maintain, and obtaining consumer consent before using data in a materially different way than claimed at the time of collection.
This proposed framework, which draws on information gathered by the Commission during various workshops and public roundtable meetings, emphasizes the importance of presenting consumers with clear and easily digestible information regarding their privacy choices, as well as ensuring that companies obtain informed consent for certain collection and use of consumer data. Additionally, the Report calls for a mandatory Do Not Track choice mechanism, which would allow consumers to restrict the collection and use of their online browsing data.
Privacy by Design
The FTC calls for companies to promote consumer privacy throughout their organizations and at every stage of business development by implementing the following policies:
Integrating Privacy Into Daily Business Practices. Companies should integrate the protection of consumer privacy into their everyday business practices. The Report highlights four substantive protections that are of critical importance to consumers:
1. Companies that maintain information about consumers should employ reasonable safeguards to protect that information;
2. Companies should collect only the information needed to fulfill a specific legitimate business need, rather than simply collecting information with the hope of developing new ways in which to profit from it;
3. Companies should implement reasonable and appropriate data retention periods, retaining consumer data for only as long as it fulfills a specific and legitimate business need; and
4. Companies should take reasonable steps to ensure the accuracy of the data they collect.
Data Management Procedures. Companies should integrate the importance of privacy and data protection into their business models. The Report recommends that companies maintain comprehensive data management procedures throughout the life cycle of their products and services. It stresses the importance of developing and implementing comprehensive privacy programs and designating specific personnel with the responsibility for training employees on privacy, as well as promoting accountability for privacy policies throughout the organization. The Commission also urges companies to conduct periodic reviews of internal policies to address changes in data risks or other circumstances.
Increased and Simplified Consumer Choice
Consent Not Required for Commonly Accepted Practices: In an effort to reduce the amount of nonessential information contained in what the FTC claims to be confusing and lengthy privacy policies, the Commission’s proposed framework first identifies a limited set of “commonly accepted practices” for which companies should not be required to seek consent once the consumer elects to use or purchase a product or service for which he or she will provide his or her personal information:
1. Product and service fulfillment: Web sites collect contact information for shipping requested products or credit card information for payment.
2. Internal operations: Hotels and restaurants collect customer satisfaction surveys to improve their customer service. Web sites collect information about visits and click-through rates to improve site navigation.
3. Fraud prevention: Offline retailers check driver’s licenses when consumers pay by check to monitor against fraud. Online businesses also employ fraud-detection services to prevent fraudulent transactions.
4. Legal compliance and public purpose: Search engines, mobile applications, and pawn shops share their customer data with law enforcement agencies in response to subpoenas. A business reports a consumer’s delinquent account to a credit bureau.
5. First-party marketing: Online retailers recommend products and services based upon consumers’ prior purchases on the Web site. Offline retailers do the same and may, for example, offer frequent purchasers of diapers a coupon for baby formula at the cash register.
Consumer Choice for Other Uses. Outside of this limited set of circumstances, the framework aims to present consumers with the ability to make informed and meaningful choices. The Commission recommends that the choice mechanism be offered at the point when the consumer is providing data or otherwise engaging with the company – referred to as “just in time.” The Report advocates this practice whether the behavior is online, such as on the page where an online consumer provides personal information, or offline, such as requiring the cashier to ask the customer whether he or she would like to receive marketing offers from other companies. Interestingly, in response to roundtable participants who urged the Commission to acknowledge the superiority of either opt-in or opt-out consent as the more appropriate method of obtaining consent, the Commission noted that ensuring that consumers understand and exercise their options may ultimately be more relevant than the manner in which it is accomplished – emphasizing the Commission’s commitment to ensuring meaningful choices for consumers, rather than a one-size-fits-all solution.
Do Not Track. Possibly the most important and critical element of the FTC’s proposed framework is its call for a special choice mechanism for online behavioral advertising. Although the Commission has called upon the industry to create better tools to allow consumers to control the collection and use of their online browsing data, it maintains that several critical issues remain unaddressed in this area, such as the lack of an effective, universally established mechanism implemented on an industrywide basis, and the lack of consumer awareness about the existence of those mechanisms that have been implemented. In the Report, the Commission advocates for a uniform and comprehensive consumer choice mechanism, called “Do Not Track,” to be enforced through legislation or robust self-regulation. The framework states that the most practical method to apply this function “would likely involve placing a setting similar to a persistent cookie on a consumer’s browser and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements,” ensuring that consumers would not have to exercise choices on a company-by-company or industry-by-industry basis, and that such choices would be persistent. The Commission emphasized that “to be effective, there must be an enforceable requirement that sites honor those choices.”
Increased Transparency of Data Practices
The FTC expressed concern that many consumers are unaware of how, and for what purposes, companies collect, use, and share data about them. To address this concern, the proposed framework recommends certain measures that companies should take to make their data practices more transparent to consumers. In addition to simplifying consumer choice and providing choice mechanisms that are prominent, relevant, and easily accessible, companies are advised to:
1. Improve consumers’ ability to compare data practices across companies,
2. Make prominent disclosures that clearly describe material changes to their data policies and obtain consumers’ affirmative consent before making such changes, and
3. Intensify efforts to educate consumers about commercial data practices and the choices available to them.
Scope of Framework
In addition to the three substantive elements discussed above, the proposed framework contains an additional key component: an increased scope. The practices espoused in the Report would apply broadly to commercial entities that collect, maintain, share, or otherwise use consumer data that can be reasonably linked to a specific consumer, computer, or other device. Significantly, they would apply to all commercial entities that collect consumer data in both online and offline contexts, regardless of whether such entities interact directly with consumers. Additionally, the proposed framework would not be limited to those who collect personally identifiable information.
Request for Comments
The FTC seeks comments from the public on the proposed framework and related questions as set forth in the Report. Comments are due by January 31, 2011. Manatt can assist clients in preparing comments to the Report. For any questions, contact Linda Goldstein at (212) 790-4544 (lgoldstein@manatt.com), or Marc Roth at (212) 790-4542 (mroth@manatt.com).