received over 450 comments from businesses, privacy advocates, and
consumers and claims that the final Report retains the basic
principles outlined previously, but claiming it makes several
important refinements. There's also a brief new video explaining the FTC's positions. Here
are the key take-aways from the final report:
Privacy by Design. Companies should build
privacy protections into their everyday business practices. That
includes limiting data collection and retention, securing the
information they hold on to, safely disposing of what they no
longer need, and implementing reasonable measures to ensure
information is accurate.
Simplified Choice. Companies should give
consumers a choice at a time and in a context that matters to
people. The preliminary report noted that choice shouldn't be
necessary for certain "commonly accepted practices." The
final Report concludes that choice needn't be provided for data
practices that people would expect, given the context of the
transaction, the company's relationship with the consumer, or
as required or specifically authorized by law.
Do Not Track. The Report also reaffirms the
Commission's strong support for Do Not Track.
Improved Transparency. Companies should
increase the transparency of their data practices by developing
clearer, more standardized privacy disclosures and could give
people reasonable access to their information.
Exemption of Small Businesses. To minimize the
effect on smaller companies, the final framework doesn't apply
to them if they collect only non-sensitive data from fewer than
5,000 consumers a year, provided they don't share the data with
"First, the Report is rooted in its insistence that the
"unfair" prong, rather than the "deceptive"
prong, of the Commission's Section 5 consumer protection
statute, should govern information gathering practices (including
"tracking"). "Unfairness" is an elastic and
elusive concept. What is "unfair" is in the eye of the
"Second, the current self-regulation and browser
mechanisms for implementing Do Not Track solutions may have
advanced since the issuance of the preliminary staff Report"
and the Report does not adequately take account of this
"I am concerned that "opt-in" will necessarily
be selected as the de facto method of consumer choice for a wide
swath of entities that have a first-party relationship with
consumers but who can potentially track consumers' activities
across unrelated websites, under circumstances where it is
unlikely, because of the "context" (which is undefined)
for such tracking to be "consistent" (which is undefined)
with that first-party relationship: 1) companies with multiple
lines of business that allow data collection in different contexts
(such as Google); 2) "social networks," (such as Facebook
and Twitter), which could potentially use "cookies,"
"plug-ins," applications, or other mechanisms to track a
consumer's activities across the Internet; and 3)
"retargeters," (such as Amazon or Pacers), which include
a retailer who delivers an ad on a third-party website based on the
consumer's previous activity on the retailer's
"I question the Report's apparent mandate that ISPs,
with respect to uses of deep packet inspection, be required to use
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
In last year's BakerHostetler Incident Response Report, we reported the range of PCI DSS non-compliance fines as $5,000 – $50,000 and the per card amount of liability imposed to reimburse issuers of affected cards as $3-$25.
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
The Payment Card Industry Security Standards Council (PCI SSC) has released a new version of its data security standard for the protection of cardholder data, the Payment Card Industry Data Security Standard (PCI DSS).
The idea of cybersecurity may be foreign—or even frightening—to many attorneys. However, as evidenced in Part One of this series ("Cybersecurity: You Can't Afford to Ignore It Anymore," April 25) law firms appear to be the next great target for hackers. In light of that, as a risk management prevention tool, attorneys and firms need to be aware of how to protect themselves.
The academic and legal communities have long struggled with the notion of what constitutes a privacy injury giving rise to some right to legal protection – whether via legislation or regulation, or through the courts.
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).