Last week the Federal Trade Commission (FTC) released its anticipated 122-page staff report on Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (the "Report"), which we covered in brief here immediately following its release. In this part of our review, and in following parts, we dig into the specifics of the Report’s proposed framework, with an eye to examining rationales for the various proposals as well as analysis of the potential effects going forward on practices and data policies.
The Report’s “proposed new framework for consumer privacy” is designed to (i) reflect and balance the realities of new online practices and business models, (ii) comport with existing FTC and applicable federal and state law, (iii) encourage new products and services to meet consumers’ needs and wants, and (iv) provide “common assumptions and bedrock protections” that consumers and businesses alike can rely upon and plan around.
To these ends, the Report’s proposed framework contains three major elements:
- Integration of privacy by companies into “regular business operations and at every stage of product development” with a goal of reducing consumer burdens in choosing from among “privacy protective data practices;” and
- Streamlining privacy options for consumers, while “preserving beneficial uses of data” by agreeing upon “commonly accepted practices” and providing “clear and prominently disclosed choices for all other data practices;” and
- Increased transparency of data practices by both consumer-facing and backend online businesses.
The Report makes clear that the framework is not cut from whole cloth, but built “upon the FTC’s notice-and-choice and harm-based privacy models while also addressing some of their limitations,” and calls upon what the FTC dubs four “basic building blocks” of the framework, detailed in brief here and in further detail below, including:
- Universal scope, where the proposed framework would, in a departure from existing applicable state data privacy regimes, apply to any and all commercial entities that “collect or use consumer data that can be reasonably linked to a specified consumer, computer, or other device.”
- Privacy by Design, where, as noted above, the FTC recommends privacy be baked into the mix from the get go in any product or services development, along with maintenance of “comprehensive data management procedures throughout the life cycle” of the products and services.
- Simplifying consumer choice as to the collection and use of data by providing “commonly accepted practices” and appropriate choices at other applicable times and contexts designed to simplify consumer decision making.
- Greater transparency by companies of their existing data practices, with “clearer, shorter and more standardized” privacy notices, to achieve a goal of enhancing understanding and comparison between companies, along with concomitant “reasonable access” by consumers to the data companies hold about them.
Once the framework is finalized, the FTC has stated its staff may conduct surveys and conduct “other benchmarks” to evaluate industry implementation and use its existing authority under Section 5 of the FTC Act, 15 U.S.C. § 45, and other applicable statutes in investigative and enforcement actions.
"Building Blocks" in Detail
- Universal Scope
The Report notes that the newly proposed framework’s scope contains two main points, namely, that: (a) the framework “would apply to all commercial entities that collect consumer data in both offline and online contexts, regardless of whether such entities interact directly with consumers” and (b) the proposed framework applies to data “that can be reasonably linked to a specific consumer, computer, or other device” and not just traditional personally identifiable information (“PII”).
The rationale underlying the FTC’s proposed universal scope is that consumers are significantly unaware of the breadth and depth of data and sharing thereafter, and that the traditional break between PII and non-PII information has lost significance because of technological advancements and the scope of data aggregation that could make it possible “to re-identify consumers from supposedly anonymous data.”
While the Department of Health and Human Services (HHS) earlier this year proposed expanding the reach of the Health Insurance Portability and Accountability Act of 1996’s (HIPAA) Security, Privacy and Enforcement Rules, pursuant to the HITECH Act, to require “business associates” to secure Protected Health Information (PHI) of covered entities (see InfolawGroup’s earlier posts detailing the proposed modifications to the various HIPAA Rules, Part One and Part Two), the FTC’s newly proposed framework approaches privacy from the angle of whether any “consumer data” can be tied back to a specified individual, computer or "other device," rather than adopting a straight definition of what qualifies as data that garners protection or relying on the form and format of the data.
To date, many state breach and privacy statutes have typically focused, as a threshold matter, on whether applicable data contains "personally identifiable information" (PII), as defined under the applicable rubric. Similarly, under HIPAA, whether data qualifies as PHI requires consulting a list of eighteen identifiers. The framework’s contrasting universal scope is actually fairly consistent with the FTC’s previous Health Breach Notification Rule, 16 C.F.R. § 318 (2009) (HBNR), issued pursuant to the American Recovery and Reinvestment Act of 2009, which requires “vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached.” However, to avoid conflicts with HIPAA’s separate framework, the FTC’s HBNR expressly provides, with caveats, that “the rule ‘does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.’”
This universal scope has, as the FTC acknowledges, raised numerous material questions, on which the FTC seeks comment over nearly the next two months (e.g., what practical considerations weigh in favor of excluding certain entities; whether it is feasible to cover all data that can be “reasonably linked to a specific consumer, computer, or other device”; and whether the framework should be applicable to data that, “while not currently considered ‘linkable,’ may become so in the future”). The FTC also seeks feedback as to whether any existing technical means may “more effectively ‘anonymize’ data, and whether industry norms are emerging in this area,” which dovetails with the point made during the FTC’s presentation of the Report that any laws and rules enacted can only go so far in the privacy area without a steady application of technology.
- Privacy by Design
The new framework proposes that privacy be considered and incorporated throughout organizations at each stage of the design and development of products and services that may interact with consumer data, rather than, as is more common, being bolted on as an afterthought. As part of the framework, the FTC proposes limited data collection, a baseline of “reasonable security for consumer data” (see InfoLaw Group partner David Navetta’s article, The Legal Defensibility Era), and, as possible methods of ensuring privacy by design, additional employee training, regular privacy reviews, and assigning specific individuals to oversee privacy issues (which is, interestingly, a requirement in many FTC breach-related enforcement action settlements – e.g., Eli Lilly settlement with FTC regarding security breach, here).
The rationale for adoption of this building block is that it would place the onus of providing privacy and security on those companies working with the consumer data rather than forcing consumers to “read long notices to determine whether basic privacy protections are offered.”
In building privacy by design into practices, the FTC framework highlights four critically important protections:
- Reasonable Safeguards – which are dependent on the sensitivity of the data at issue, the size and nature of the business operation and the type of risks faced, and should include physical, technical, and administrative efforts. The Report does note that various federal and state laws, including various existing FTC standards, already require such efforts (providing as example, the Disposal of Consumer Report Information and Records, 16 C.F.R. § 682 (2005); FTC Standards for Safeguarding Customer Information Rule, 16 C.F.R. § 314 (2002); HIPAA Security Standards for the Protection of Electronic Personal Health Information, 45 C.F.R. §§ 160, 162, 164 (2003); Mass. Gen. Laws ch. 93H, § 2(2007); and Cal. Civil Code § 1798.81.5 (2010)).
- Limited data collection – whereby a company should collect only “the information needed to fulfill a specific, legitimate business need.” The reasoning in support of this protection is that doing so is “important in light of companies’ increased ability to collect, aggregate, and match consumer data and to develop new ways of profiting from it.”
- Reasonable data retention periods – the yin to the yang of limiting data collected is retaining such data “only as long as [entities] have a specific and legitimate business need to do so.” The Report notes that the massive drop in data storage costs has enabled and indeed encouraged companies to retain all data in near perpetuity, leading to the companies seeking to mine such data by developing future secondary uses for it that neither the consumer nor the company envisioned at the time of collection. The FTC here further stresses that secure disposal is a must (e.g., FTC cases against DSW Shoe Warehouse, BJ’s Wholesale Club and Card Systems).
- Accurate data collection – the last point in the FTC’s four-point schema is an insistence that companies take reasonable steps to ensure the accuracy of the data collected, “particularly if such data could be used to deny consumers benefits or cause significant harm.”
In connection with these four protections, the FTC seeks comment and feedback on other substantive protections that should possibly be provided and "how to balance the costs and benefits of such protections." Other express areas on which the FTC seeks comment are: "whether the concept of ‘specific business purpose’ or ‘need’ should be defined further, and if so, how?"; prescription of reasonable retention periods based upon "the type or the sensitivity of the data at issue"; and application of the protections to legacy systems.
In Part 2, I’ll look at the remaining two building blocks and the Report’s focus on potential Do Not Track solutions.