On March 26th, the Federal Trade Commission (FTC) released a much-anticipated report reflecting the Commission’s views on what constitutes “best practice” for privacy protection and additional recommendations for future legislative action. While the report reflects much of the content of the preliminary report (December 2010), the FTC considered over 450 public comments before arriving upon final recommendations. While the report does not constitute a direct law or regulatory obligation for business, it reflects the Commission’s view on what is good or best practice and all businesses would be wise to take these points into serious consideration for current and future handling of personal information.
The privacy framework is divided into three main sections:
• Privacy by Design: Build in privacy at every stage of product development;
• Simplified Choice for Businesses and Consumers: Give consumers the ability to make decisions about their data at a relevant time and context, including through a Do Not Track mechanism, while reducing the burden on business of providing ‘unnecessary’ choices; and
• Greater Transparency: Make information collection and use practices transparent.
While providing this framework, the FTC continues its call for baseline privacy legislation at the federal level as well as data security legislation. The FTC renews its urging to businesses to “accelerate the pace of self-regulation” in five particular contexts or platforms:
• Do Not Track: While browser developers have tools to help consumers reduce or eliminate tracking, the FTC considers this and other efforts to be a good first step but requiring more. Commissioner Julie Brill has also stated publicly that she believes Do Not Track really means Do Not Collect. This remains a significant open item.
• Mobile: Effective notice and choice is even more difficult on a device with significantly smaller screens, and the FTC has initiated a project to develop further guidance about online disclosures.
• Data Brokers: While receiving significant attention elsewhere in the report, the FTC has recommended industry-specific legislation so that consumers would gain access to information that a data broker holds about them.
• Large Platform Providers: Those developing platforms such as web browsers, social networks, and Internet Service Providers are perceived as trying to collect as much information as possible online about individuals. Often referred to as Online Behavioral Advertising and other practices, the FTC anticipates future workshops to address what it perceives to be “comprehensive tracking.”
• Promoting Enforceable Self-Regulatory Codes: The FTC anticipates cooperating with the Commerce Department’s effort to develop industry-specific codes of conduct, which if adopted would be subject to the FTC’s continuing enforcement authority under Section 5 of the FTC Act against unfair and deceptive acts or practices.
With that introduction, we will provide a series of bullet points reflecting the 100+ pages of materials issued by the FTC so that readers will have more accessible summaries of key points.
• The framework applies to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device, unless:
o The entity collects only non-sensitive data
o From fewer than 5,000 consumers per year
o And does not share that data with third parties
• Concept of Proportionality. This reflects the FTC’s opinion that first party collection and use of non-sensitive data (data that is not a SSN or about financial, health, children’s or geolocation information) is less of a risk to consumers. This also reflects the FTC’s implicit adoption of the proportionality principle, proposed originally by our colleague Andrew Serwin in several papers.
• Exclusions for Existing Regulatory Frameworks. Businesses currently directly regulated by HIPAA, GLBA and similar regimes would not be subject to duplicative rules. However, to the extent that the FTC framework is a) not inconsistent with and b) more protective than the sectoral rules, the FTC encourages financial services, health providers, and others to adopt the framework guidance.
• Online and offline. The framework applies to personal information in any medium, specifically offline as well as online data.
• Personal Information that is Reasonably Linkable. The concept of personal information is expanded to include that which is reasonably linkable to a specific consumer, computer or device. The FTC notes that individual devices often can be associated with a specific consumer, even though that linkage may not be known to the collector of information from the device. The Commission also refers to a 2006 incident when AOL released what was intended to be anonymized search data, but was later determined to be detailed enough so that individual searchers could be identified. However, the FTC limits this to what is “reasonably linkable.”
• Data is not reasonably linkable to the extent:
o A given data set that is not reasonably identifiable;
o The company publicly commits not to re-identify it; and
o The company requires any third parties using the data not to re-identify it.
PRIVACY BY DESIGN
• The baseline principle is that companies should develop new and revise existing products and services such that consumer privacy is rigorously incorporated through the product lifecycle and the organization
o This would include default settings that are private, closed, or off instead of public, open, or on.
o The intention is to shift the burden of applying privacy controls away from consumers.
• These should be reflected in effective practices regarding data security, reasonable collection limits, suitable retention and disposal practices, and steps to ensure data accuracy.
o Referencing Section 5 of the FTC Act, the expectation is that companies must provide reasonable security for consumer data.
o The concept of data minimization or minimum collection is a relatively new one for mostUScompanies. If you don’t need it, then don’t collect it. Don’t collect it simply because you think you might need or want it in the future.
• Comprehensive data management procedures would apply for the lifecycle of products and services.
o As has been seen in recent FTC consent orders, the Commission increasingly expects companies to develop and maintain a comprehensive information management (meaning privacy and security) program to help ensure appropriate protections for personal information.
o Firms should prioritize legacy data systems for remediation or Privacy by (Re)Design based on the sensitivity of the information held.
SIMPLIFIED CONSUMER CHOICE
• Practices that do not require choice. Companies do not need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company’s relationship with the consumer, or are required or specifically authorized by law.
• For example, reasonable disclosures to delivery agents after purchasing a product or perhaps disclosures to reduce the risk of fraud.
• Context of the transaction / relationship between the consumer and the company. A key element of situations where consumer choice is not required involves focusing on the “context of the transaction.” That is, based on the context of the interaction between the business and consumer, is it reasonable to expect the consumer would understand the particular data practice to be part of and consistent with the overall relationship?
• Example. The Report gave the example of the purchase of an automobile. Using the consumer’s address to send a coupon for a free oil change, or notice of an upcoming sale on the type of tires that came with the car, or information about new models of the car, would all be consistent with the context of the transaction and the consumer’s relationship with the dealer. On the other hand, the dealership selling personal information to a data broker for selling to marketers would not be consistent with the transaction or the customer’s relationship with the dealership.
• Practices highlighted in the preliminary report are illustrative. In its preliminary report, the FTC provided five situations where consumer choice may not be required – fulfillment, fraud prevention, internal operations, legal compliance and public purpose, and most first-party marketing. The final Report uses the “context of the transaction” as the primary principle for determining whether choice is required. The FTC notes the examples from the preliminary Report may not be sufficient in every situation, but provide illustrative guidance where consumer choice would typically not be required. It is important to note that this moves in the opposite direction of European notice rules, which remain oriented toward greater detail.
• For example, the FTC noted that while improving existing products or services is typically an “internal operation” that would not require choice, repurposing and sharing data with third parties may very well remove the practice from being an “internal operation” consistent with the context of the consumer’s interaction with the company.
• First-party marketing generally does not require choice, but certain practices raise special concerns, such as tracking across third-party websites, sharing with unknown affiliates, data enhancement and sensitive data for first party marketing.
• Tracking / Behavioral Advertising / Retargeting. The framework requires companies to provide consumers with a choice whether to be tracked across other parties’ websites. The FTC noted that tracking a consumer after the consumer leaves the company’s website is typically not consistent with the context of the consumer’s interaction with the company. Accordingly, where a company has a first-party relationship with a consumer on its own website, and it engages in third-party tracking of the consumer across other websites, the company should provide meaningful choice to the consumer. How this meaningful choice is to be implemented remains to be seen.
• Affiliates are third parties unless the affiliate relationship is clear to consumers. If the relationship is made clear to consumers, such as through common branding, the affiliate will not be considered a third-party. On the other hand, if the relationship is not visible to the consumer – for example an online publisher that also maintains an ad network that invisibly tracks consumers’ activities on the site – the affiliated ad network would be considered a third-party for purposes of choice.
• Cross-channel marketing is generally consistent with the context of a consumer’s interaction with the company. The Report finds that marketing to consumers through multiple channels (e.g. Internet, e-mail, mobile apps, text messaging or offline context) is generally consistent with the consumer’s relationship with the company. Tracking a consumer on third-party websites, however, would not be consistent, and choice should be required.
• Companies should implement measures to improve the transparency of data enhancement. The Report provides guidelines for adding data obtained from third-party sources to data collected by the company directly from the consumer. The FTC declined to require choice with respect to such enhancement, however, noted that effective implementation of the framework’s other components should address privacy concerns (e.g. privacy by design, limiting data collection, limiting the length of time for retention of data, adopting reasonable security measures, providing choice when a company shares consumer data with a third-party, etc.).
• Companies should generally give consumers a choice before collecting sensitive data for first-party marketing. The FTC defines sensitive data, at a minimum, as data about children, financial and health information, Social Security numbers, and certain geo-location data.
• Choice – For practices requiring choice, companies should provide choices at a time and in a context in which the consumer is making a decision about his or her data. While this concept is flexible, the FTC states that in most cases, providing choice before or at the time of collection will be necessary to gain consumers’ attention and ensure that the choice presented is meaningful and relevant. For example, if data is being submitted online, the consumer choice should be offered directly adjacent to where the consumer is entering his or her data.
• Take-it-or-leave-it choice for important products or services raises concerns when consumers have few alternatives. The FTC did not provide substantial detail of what is an important product or service with few alternatives, however, the FTC provided a patented medical device and broadband Internet access as two examples. The implications for ISPs are obvious; less obvious might be access to other Internet-based services perceived as ubiquitous.
• Businesses should provide a do not track mechanism to give consumers control over the collection of their web surfing data. The FTC noted the progress made to date regarding do not track, including browser-based solutions, self-regulatory efforts led by the Digital Advertising Alliance (DAA), and the World Wide Web Consortium (W3C). Accordingly, the FTC expects to see continued progress in this area as the DAA members and other key stakeholders continue discussions within the W3C process to work to reach consensus on an effective Do Not Track system in the coming months.
• Large platform providers that can comprehensively collect data across the Internet present special concerns. The FTC singles out for special attention ISPs, operating systems and browsers as these technologies are essentially able to track most if not all of a user’s online activities. The Report notes that while Google and Facebook are rapidly expanding their reach, they currently are not so widespread that they can track a consumer’s every movement across the Internet. Accordingly, the FTC is hosting a workshop in the second half of 2012 to explore privacy issues raised by all of these large platform providers.
• Companies should obtain affirmative express consent before making material retroactive changes to privacy representations. The FTC reaffirmed its commitment to this requirement noting the recent Google and Facebook settlements. A material change includes sharing consumer information with third parties after committing at the time of collection not to share the data or expanding the scope of these disclosures. Other situations require a case-by-case analysis based on the context of the consumer’s interaction with the business.
• Companies should obtain consumers’ affirmative express consent before collecting sensitive data. As noted above, sensitive information includes information about children, financial and health information, Social Security numbers and precise, individualized, geo-location data.
• Baseline principle: Companies should increase the transparency of their data practices.
• Prominence. The Report stressed that choices should be presented to consumers in a prominent, relevant and easily accessible place at a time and in a context when it matters to them.
• Clarity. The Commission calls on industry to make privacy statements shorter, clearer and more standardized; to give consumers reasonable access to the data and to undertake to educate consumers as to how they collect use and share their data.
• Major Principles:
o Simplification. Privacy notices should be clearer, shorter and more standardized to enable better comprehension and comparison of privacy policies.
o Access. Companies should provide reasonable access to the consumer data they maintain; the extent of the access should be proportionate to the sensitivity of the data and the nature of its use.
o Data Brokers. The FTC particularly focuses on data brokers, urging Congress to legislate with respect to establishing a procedure for consumers to access information held by data brokers. Additionally, the Commission recommended that data brokers explore the idea of creating a centralized website where they could identify themselves to consumers and describe how they collect consumer data and disclose the types of companies to which they sell the information.
o Teen Data. The FTC supports an “eraser button,” particularly for teens who can be more impulsive than adults, implementing the principle of the “right to be forgotten.”
o Consumer Education. All stakeholders should expand their efforts to educate consumers about commercial data privacy practices.
The Report concludes by recommending that Congress consider baseline privacy legislation while industry implements the final privacy framework through individual company initiatives and through strong and enforceable self-regulatory initiatives. The FTC notes there are a number of specific areas where policy makers have a role in assisting with the implementation of the self-regulatory principles that make up the privacy framework, and the Commission’s plans for the upcoming year reflect these.
• FTC Action Plan for the next year:
o Do Not Track. The Commission will work with privacy groups and industry to complete implementation of an easy-to use, persistent, and effective Do Not Track system.
o Mobile privacy disclosures. On May 30, 2012, the FTC will hold a workshop to provide business guidance about online advertising disclosures.
o Data Brokers. The Commission supports introduction of targeted legislation to provide consumers with access to the information about them held by data brokers.
o Large Platform Providers. The FTC will hold a workshop in the latter half of 2012 to explore privacy and other issues related to comprehensive tracking by large platform providers (ISPs, operating systems, browser vendors and social media providers).
o Promote enforceable self-regulatory codes. The FTC will assist the Commerce Department in undertaking a project to facilitate the development of sector specific codes of conduct.
o Significance of Self-Regulatory Codes. To the extent that strong privacy codes are created through self-regulation, the FTC will view adherence to the codes favorably in connection with its law enforcement activities. The FTC will continue to enforce the Act to take action against companies that engage in unfair or deceptive practices, including the failure to abide by the self-regulatory programs they join.
The Report is a wealth of information for businesses that collect personal information and must comply with data privacy laws. As the most comprehensive and concrete framework provided by the FTC to date, companies should use the Report as a roadmap for developing their privacy compliance programs and adapting existing privacy programs.