Earlier today the Federal Trade Commission issued its long-awaited final report entitled "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers" (the “Framework”). The Framework focuses on three primary principles: 1) Privacy by Design; 2) Simplified Choice for Businesses and Consumers; and 3) Greater Transparency. The vote approving the report was 3-1. Commissioner J. Thomas Rosch dissented from the issuance of the Final Privacy Report.
The FTC has a front and center role in data privacy and enforcement. We have written extensively about the FTC’s actions and recommendations, including numerous posts analyzing the original preliminary staff report version of the Framework, released in December 2010. We also reviewed each of the 450+ public comments submitted in response to the preliminary staff report.
How is the final Framework different from the draft Framework and what should your privacy professionals be taking away from the Framework?
First, the Framework takes a strong position on setting forth best practices to protect the privacy of American consumers and give them greater control over the collection and use of their personal data. Second, as part of this effort, the FTC recommends Congress consider enacting general privacy legislation, data security and breach notification legislation, as well as data broker legislation, which marks new but not unexpected territory for the Framework.
During the conference call this morning, the FTC stressed that the Framework seeks continuity rather than change. The final Framework moves away from the draft Framework in several significant ways. As the FTC stated:
“The final report changes the guidance’s scope. The preliminary report recommended that the proposed framework apply to all commercial entities that collect or use consumer data that can be linked to a specific consumer, computer, or other device. Recognizing the potential burden on small businesses, the report concludes that the framework should not apply to companies that collect and do not transfer only non-sensitive data from fewer than 5,000 consumers a year. The report also responds to comments filed by organizations and individuals that, with technological advances, more and more data could be ‘reasonably linked’ to consumers, computers, or devices. The final report concludes that data is not ‘reasonably linked’ if a company takes reasonable measures to de-identify the data, commits not to re-identify it, and prohibits downstream recipients from re-identifying it.”
The FTC’s revised recommendations in the final Framework also recognize recent court cases arising from zip codes and other potentially identifying information that is nonetheless used as part of legitimate product fulfillment and fraud prevention. And finally, the report contains new and important recommendations concerning data brokers: stressing the Commission’s prior call and support of legislation to provide consumers with access to information stored by data brokers; and further calling upon data brokers to explore creation of a centralized website where consumers may get information about practices and options for controlling data use by data brokers that compile consumer data for marketing purposes.
Lastly, the accompanying press release to the final Framework noted that, over the next year, the FTC staff will work to encourage privacy protections through five main action items:
- Mobile Privacy;
- Data Broker Transparency;
- Large Platform Providers, including Internet Service Providers, operating systems, browsers and social media companies, seek to comprehensively track consumers’ online activities; and
- Promoting Enforceable Self-Regulatory Codes – in conjunction with the Department of Commerce and industry stakeholders
We’ll have extensive further review of the final Framework and its expected impact on information security and privacy practices over the coming week.