ARTICLE
9 December 2010

The New FTC Privacy Report: There's More To It Than "Do Not Track"

D
Dentons

Contributor

Dentons logo
Explore
In a Preliminary Staff Report released on December 1, 2010 entitled "Protecting Consumer Privacy in an Era of Rapid Change" (the "Report"), the FTC has proposed a new draft "framework for businesses and policymakers."
United States Intellectual Property
Person photo placeholder
Person photo placeholder
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

In a Preliminary Staff Report released on December 1, 2010 entitled "Protecting Consumer Privacy in an Era of Rapid Change"1 (the "Report"), the FTC has proposed a new draft "framework for businesses and policymakers." Citing what the FTC views as shortcomings by itself and industry, the Report lays out a broad framework centered on three principles - privacy by design, simplified choice, and greater transparency.

The FTC, in its statement that accompanied the report, said that the burden of protecting consumer privacy should be on the companies marketing to those consumers, not on the consumers. One criticism that has been voiced about this approach is that it runs opposite of how marketing has always been done. After all, the phrase "caveat emptor" became popular for a reason. The changing technological landscape and current uses of personal information, however, have brought a changed attitude toward privacy protections.

The FTC noted in the Report that it has historically used two distinct approaches in the area of privacy, but that those approaches were no longer necessarily effective in an era of rapidly changing technology. The first approach, captured in the FTC's Fair Information Practice Principles,2 focused on notice to consumers so that they could exercise choice. The second harm-based approach focused instead on specific consumer harms related to such things as physical security, economic injury and loss, and intrusions into everyday life.

Report Underpinnings

The FTC based its report, in part, on a number of roundtables held in late 2009 and continuing into 2010. It pointed to several particular issues that came from those roundtables about why the two approaches described above have not been working. In particular, the roundtables resulted in the following broad conclusions:

  1. Collection and use of consumer data continues to increase. Citing ubiquitous collection of consumer data at every point during a day in the life of a consumer, the Report pointed to two reasons that such collection is on the rise: the availability of cheap electronic storage and economic incentives to the companies that collect such information.In an effort to addressprivacy concerns arising out of this growth, some participants in the roundtables suggested that companies build privacy into their everyday business practices.
  2. Consumers lack understanding about privacy, which undermines informed consent. With barely a nod to the companies that fund various parts of the ecosystem, the FTC focused instead on the inability for consumers to understand the information provided to them. Whether via invisible practices of various collectors of consumer data or a dense privacy policy, the FTC portrays consumers as virtually incapable of understanding the information provided to them. They conflate this, however, with perhaps a more revealingreason: "[i]t is unlikely that busy consumers, intent on buying a product or service, will consider how the data they provide to complete the transaction will be shared and used...."
  3. Consumers care about privacy. After looking into various examples purporting to show that consumers are concerned about the privacy of their data, the Report generalized that "when given the opportunity, [consumers] will take active steps to protect it."3 Those steps, however, depend on how well the privacy practices of data collectors are understood by consumers.
  4. Increasing data collection and use benefits consumers. Despite the numerous concerns raised in the roundtables and in other fora, certain broad examples were provided demonstratingwhere collection and use of information helps consumers. From business models associated with cloud computing, to social networking, to mobile device capabilities,to efficiencies created by shared health information, the Report stated that "commenters and participants urged regulators to be circumspect and cautious about restricting the exchange and use of consumer data."4
  5. Decreasing importance of the distinction between PII and non-PII. The FTC received input on numerous cases where seemingly anonymous pieces of information were able to be combined with other publicly available information to reveal a person's identity. Because of the increasingly easy ability to combine and identify even disparate bits of information about consumers, the FTC heard from various parties that any data about a person involves privacy and should, as a result, be protected.

Based on these themes, the FTC proposed the following three principles: (1) privacy by design, meaning that companies should build privacy into their offerings from the beginning, (2) simplified choice, including via commonly accepted privacy practices, and (3) greater transparency, which can also include non-consumer facing businesses.

Privacy By Design

For privacy by design, the FTC suggests that companies that collect consumer data "that can be reasonably linked to a specific consumer, computer, or other device"5 incorporate mechanisms to protect privacy into their everyday business practices. Amongst other things, the FTC cited data security, reasonable collection limits, appropriate retention practices, and accuracy of the stored data.It reiterated the need for companies to utilize "reasonable safeguards"6 (including physical, technical, and administrative protections) to protect consumer data. Such protections, however, depend on the sensitivity of the data and the risks faced by the company. In the event that such protections fail, however, the FTC pointed to its record of 29 cases brought against companies with similar failures as a reminder of what it would do in such cases. In addition, the FTC specifically called out one particular type of data that should not be retained by companies. Location-based data, because of the ability to build consumer profiles from it, should not be maintained longer than reasonably necessary to complete a particular interaction or transaction.7

Simplified Choice

For simplified choice, the FTCincluded guidance that eases the burden on companies. In particular, the Report states that companies do not need to implement a choice mechanism prior to collecting consumer information "for commonly accepted practices, such as product fulfillment."8 It also includes situations involving internal operations, fraud prevention, legal compliance and public purpose, and first-party marketing.9 For those practices that do require a choice mechanism, the Report goes on to note that the company should provide that choice contemporaneously with that particular practice, e.g., the collection of the consumer's information.

The FTC broaches the subject of Do Not Track in the discussion of simplified choice. The Report observes, apparently based on remarks by a Google representative, that many consumers are unaware of the choice mechanisms that do exist in current browsers and of their ability to control those mechanisms.10 In addition, the Report alleges that existing mechanisms "may not make clear the scope of the choices being offered."11 The view of the FTC clearly points to Do Not Track as a way of simplifying such choice.

One significant concern about the Do Not Track proposal involves its implementation. The FTC states that "[s]uch a universal mechanism could be accomplished by legislation or potentially through robust, enforceable self-regulation."12 The way that the Report presents legislation as the primary mechanism from directing the conduct of companies, combined with earlier comments that self-regulation has not been effective, raises concerns that new legislation may be on the way.

Greater Transparency

In addition to providing more clear choice as described above, the Report states that consumers should be more easily able to compare privacy practices across sites, companies should provide advance notice of material changes to privacy policies, and greater consumer education in this area is needed. Specific features described in the Report to achieve these goals include clearer, shorter, more standardized privacy policies;13 reasonable access by consumers to the data maintained by companies;14 and prominent disclosure by companies and receipt of affirmative consent from consumers before using consumer data.15

Next Steps

The "Do Not Track" concept has proven to be the most talked about feature of the Report. Unfortunately, the FTC seems to have fallen somewhat short in this area. In its discussion, the Report describes only a binary mechanism, stating that "[t]he most practical method of providing uniform choice for online behavioral advertising would likely involve placing a setting similar to a persistent cookie on a consumer's browser and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements."16 Although the Report mentioned the possibility of something other than a binary "Track/Do Not Track" decision mechanism17 and asked for input on this issue, it did not provide much detail or guidance on how such a system could be developed or deployed. Many had hoped thatthe FTC's research would have resulted in more robust discussion of this concept.

The Do Not Track proposal has overshadowed several other areas of the Report that contained important proposed changes to the current approach to privacy. For example, the proposed easing of providing notice in certain situations will alleviate some burdens that companies face. Also, the push to standardize and simplify privacy notices will be helpful to companies. On the other hand, the FTC's position against retention of location-based data could dramatically change the business models of several companies and could create problems where such information might be necessary to provide services. Similarly, the continuing breakdown of thedistinction between PII and non-PII could mean that companies will be responsible for safeguarding much larger volumes of data.

In light of the proposals by the FTC in the Report, there will likely be a number of comments and other proposals by both the consumer and business communities. Comments are due to the FTC by January 31, 2011 and can be submitted at https://ftcpublic.commentworks.com/ftc/consumerprivacyreport.

Footnotes

1. Federal Trade Commission, "Protecting Consumer Privacy in an Era of Rapid Change," available at http://www.ftc.gov/os/2010/12/101201privacyreport.pdf (December 1, 2010) (hereinafter the "Report").

2. See http://www.ftc.gov/reports/privacy3/fairinfo.shtm.

3. Report,supra note 1,at 29.

4. Id. at 35.

5. Id. at 41.

6. Id. at 44.

7. Id. at 47.

8. Id. at 53.

9. Id. at 54.

10. Id. at 65.

11. Id.

12. Id. at 66.

13. Id. at 70.

14. Id. at 72.

15. Id. at 78.

16. Id. at 66.

17. Id. at 68, stating that the "Commission staff seeks comment on whether a universal choice mechanism should include an option that enables consumers to control the types of advertising they want to receive and the types of data they are willing to have collected about them, in addition to providing the option to opt out completely."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Person photo placeholder
Randy Sabett
Person photo placeholder
Shane McGee
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More