Today the Federal Trade Commission released its much anticipated final Privacy Report, entitled Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers. The final report calls on companies to implement best practices to protect consumers’ private information (both on- and off-line), Congress to enact baseline privacy and data security legislation with civil penalties, and industry to accelerate the pace of self-regulation. The Report also supports legislation to provide consumers with access to information stored by data brokers and the opportunity to dispute the accuracy of such data.
The final Privacy Report applies to “all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device, unless the entity collects only non-sensitive data from fewer than 5,000 consumers per year and does not share the data with third parties.” For companies that fall within such scope, the FTC recommends that companies implement the following best practices, and adds that, to the extent such recommended practices go beyond existing law, the privacy framework is not intended to be a template for law enforcement actions or regulations currently enforced by the FTC.
- Privacy By Design: Promote consumer privacy throughout the organization and at every stage of development of products and services, including through data security, reasonable data collection limits, sound retention and disposal practices, data accuracy, and accountability.
- Simplified Choice for Businesses and Consumers:
- Businesses do not need to provide choice to consumers before collecting and using their data for practices “consistent with the context of the transaction or the company’s relationship with the consumer, or where required or specifically authorized by law.”
- Businesses should provide consumers with choice for all other practices, and offer the choice at a time and in a context in which the consumer is making a decision about his or her data.
- Affirmative express consent should be obtained before using consumer data in a materially different manner than claimed when the data was collected, or collecting sensitive data for certain purposes.
- Greater Transparency: Privacy notices utilized by companies should be clearer, shorter, and more standardized to enable better comprehension by consumers and comparison of privacy practices.
The Privacy Report also explains that policymakers have a role in assisting with the implementation of self-regulatory principles in the following five key areas, which the FTC will focus on over the next year:
- Do Not Track: The FTC will be working with relevant stakeholders in completing implementation of an easy-to-use, persistent, and effective Do Not Track system.
- Mobile: The FTC calls on companies providing mobile services to work towards improved privacy protections, including the development of short, meaningful disclosures. As part of this effort, FTC staff will host a workshop on May 30, 2012 that will address, among other issues, mobile privacy disclosures, and how these disclosures can be short, effective, and accessible to consumers on small screens. The Commission hopes that the workshop will spur further industry self-regulation in this area.
- Large Platform Providers: To the extent that large platform providers, such as ISPs, operating systems, browsers, and social media, seek to comprehensively track consumers’ online activities, the FTC notes its privacy concerns. FTC staff will host a public workshop in the second half of 2012 to further explore privacy and other issues related to this type of comprehensive tracking.
- Promoting Self-Regulatory Codes: FTC Staff will work with the Department of Commerce in facilitating the development of industry-sector specific codes of conduct. To the extent that robust privacy codes of conduct are developed from such efforts, the Commission will view adherence to such codes favorably in connection with its law enforcement work, and will also enforce actions under Section 5 of the FTC Act where companies fail to abide by self-regulatory programs they join.
- Data Brokers: The Commission calls on data brokers that compile data for marketing purposes to explore creating a centralized website where data brokers could identify themselves to consumers and describe how they collect and use consumer data, and detail the access rights and other choices they provide with respect to the consumer data they maintain.
Kelley Drye will release a more detailed advisory with analysis of the privacy report in the coming days.