This post was written by the Kelley Drye & Warren Privacy and Information Security Practice Group.
Today, the FTC issued its highly anticipated preliminary staff report on privacy, “Protecting Consumer Privacy in an Era of Rapid Change.” The report proposes a new privacy framework for businesses and policymakers and addresses the Commission’s view that self-regulation has, up to now, failed to provide adequate consumer protection. The framework would apply to the online and offline handling of consumer data that can be reasonably linked to a specific consumer, computer, or device. The report is largely based on a series of three public roundtables held over the past year that explored current privacy approaches.
The proposed framework set forth in the report includes three primary recommendations: (1) Privacy by design; (2) Simplified choice for consumers on how their data is handled; and (3) Greater transparency for consumers on privacy practices:
1) Privacy By Design – Incorporate consumer privacy protections into everyday business and each stage of product or service development. Specifically, the report recommends that this process should:
a) Provide for reasonable security for consumer data;
b) Limit personal data collection to only data needed for a specific business purpose;
c) Limit personal data retention to only the period of time needed to fulfill the specific business purpose;
d) Securely dispose of personal data no longer being used; and
e) Implement reasonable procedures to promote personal data accuracy.
Additionally, the report recommends that a business’s internal privacy practices should include:
a) Dedicated personnel to oversee privacy issues;
b) Employee training on privacy issues; and
c) Privacy reviews for new products or services.
2) Simplified Choice – Provide consumers with simpler, more streamlined choices about privacy practices. The report recommends that businesses should:
a) Identify “commonly accepted” data practices for which consumer choice is not necessary, e.g., product fulfillment, improvement of internal business operations, fraud prevention, legal compliance, and first-party marketing;
b) Identify data practices that are not “commonly accepted,” and provide consumers with clear descriptions of these practices in context with the request (e.g., at the time when the consumer provides his or her information or through a universal mechanism); and
c) Offer consumers greater choice, particularly with data practices not “commonly accepted,” such as behavioral advertising. To this end, the Commission staff supports a “Do Not Track” tool that allows the consumer to decide whether to receive targeted ads.
3) Greater Transparency – The report recommends that companies take the following measures to make their data practices more transparent to consumers:
a) Make privacy policies easy to understand and useful as a consumer tool to compare businesses’ practices;
b) Provide consumers with access to data that companies maintain about them;
c) Obtain affirmative consent for material, retroactive changes to data policies; and
d) Educate consumers about commercial data privacy practices.
The proposals within the preliminary report are not directly enforceable regulations, but they are instructive and provide insight on what businesses can expect in privacy enforcement trends in the future. The report invites public comment with a filing deadline of January 31, 2011.
Kelley Drye will be circulating a client advisory with a more detailed discussion of the FTC’s proposed privacy framework shortly.