Last week, the FTC issued its final report on protecting consumer privacy. The report, entitled "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers", builds on a December 2010 staff report that was the subject of an earlier post. The final report maintains the FTC's "bottom up" approach to privacy issues (including a final privacy "framework" to serve as a guiding policy for self-regulatory measures) rather than a "top down" approach of establishing federal privacy regulations. Even so, the FTC specifically recommended for the first time that Congress enact privacy legislation to augment self-regulatory efforts instituted by industry stakeholders. The call for legislation was based on the Commission's acknowledgement that self-regulation has not gone far enough. The Commission cited the failure of mobile apps marketed to children to disclose their collection and sharing practices, and the inability of the data broker industry to establish self-regulatory rules, as examples demonstrating the absence of basic privacy concepts such as transparency and meaningful consumer control in well-established markets. The Commission also noted evidence of data breaches and of unauthorized use and disclosure. In his prepared remarks released with the report, FTC chair Jon Leibowitz reiterated that consumers should have choice and control when it comes to revealing their personal information. He noted that the report is grounded in three principles that companies should follow to ensure that consumers have that control. The first is "privacy by design", that is, the incorporation of privacy protections into products as they are developed. The second is providing consumers choice about how their data is collected and used. The third is providing more transparency to consumers through clear explanations of data handling practices.
The legislative recommendation made by the Commission was somewhat general, calling on Congress to consider enacting "baseline privacy legislation that is technologically neutral and sufficiently flexible to allow companies to continue to innovate." One area of the legislation that the Commission focused on was the data brokerage industry, with the Commission calling for targeted legislation that would provide consumers with access to information about them held by a data broker. The Commission specifically noted that the legislation should not impose an undue burden on businesses that already incorporate into their practices the Fair Information Practice Principles ("FIPPS"), which were set forth in the Obama Administration's data privacy "white paper" issued in February. (The FIPPS articulated in the white paper are: (i) transparency, (ii) individual control, (iii) respect for context, (iv) security, (v) access, (vi) accuracy, (vii) focused collection and (viii) accountability.) The Commission envisions legislation that provides businesses with certainty about their obligations, as well as a scheme of civil penalties and remedies to act as a disincentive to disregarding those obligations. While the scope and detail of any privacy legislation will be left to Congress, the FTC will continue to press the industry on self-regulatory measures to implement its privacy framework. That framework focuses on five main action items:

  • Implementation of an "easy-to-use, persistent and effective" Do Not Track system
  • Improved privacy protection in the Mobile space, including development of short, meaningful disclosures
  • Addressing the invisibility of collection practices of Data Brokers by calling for the creation of a centralized website where data brokers could (i) identify themselves and describe how they collect and use data and (ii) detail access rights and other choices provided to consumers
  • Continued review of the tracking activities of Large Platform Providers such as ISPs, social media services, operating systems and browsers
  • Promoting enforceable self-regulatory codes, including using the failure of companies to abide by self-regulatory programs they join as the basis for a suit for unfair or deceptive practices.

None of these broader principles are groundbreaking.  The news, to the extent there was any, came from the detailed discussions of some of the points.  Some examples:

  • In a nod to those concerned with the burden that compliance with the framework might place on smaller businesses, the Commission stated that privacy disclosures are not needed for entities that collect limited amounts of non-sensitive data from under 5,000 consumers for their own use (i.e., the data is not shared with third parties).
  • The Commission stated unequivocally that the framework applies in all commercial contexts, both online and offline.
  • In addressing data that is collected through a consumer device and may not necessarily be considered "personally identifiable information" (PII), the Commission determined that the framework would apply to data that can be "reasonably linked to a specific consumer, computer or other device." In clarifying the standard, the Commission provided guidance to companies on minimizing linkability, including taking reasonable measures to "de-identify" the data, publicly committing to maintain and use the data only in such "de-identified" fashion and not to attempt to "re-identify" the data, and contractually prohibiting third parties with which they share the data from re-identifying it.

Overall, the report appears to be a reflection of the current, baseline state of affairs in the privacy and data collection ecosystem. By promoting best practices and a self-regulatory approach, the Commission is choosing to lead from behind on privacy, taking aggressive action primarily against "bad actors" and industry outliers. Those businesses that adhere to best practices likely need not be overly concerned by the report. However, it is important for them to consider how the FTC might use the framework set forth in the report (which reflects current practices) to interpret future business initiatives not yet conceived or contemplated. In that regard, Chairman Leibowitz's "resounding" statement that "consumers should have choice and control" should never be ignored.