Posted on December 1, 2010 by Boris Segalis

FTC's Report on Privacy Sets Forth Framework for Consumers, Businesses and Policymakers

On December 1, 2010, the Federal Trade Commission issued a preliminary report entitled “Protecting Consumer Privacy in an Era of Rapid Change, A Proposed Framework for Businesses and Policymakers”. The report proposes a framework to balance the privacy interests of consumers with innovation that relies on consumer information to develop beneficial new products and services.

 

The FTC developed the proposed framework in recognition of increasing advances in technology that allow for rapid data collection and sharing that is often invisible to consumers. The framework is designed to reduce the burdens of protecting online privacy on consumers and businesses. The report is intended to inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy, and guide and motivate industry as it develops more robust and effective best practices and self-regulatory guidelines.

Building on the FTC’s guidance on behavioral advertising, the proposed framework seeks to further expand the scope of protected data beyond the traditional notions of “personally identifiable information.” Specifically, the proposed framework would apply broadly to online and offline commercial entities that collect, maintain, share or otherwise use consumer data that can reasonably be linked to a specific consumer, computer or device.

In developing the proposed privacy framework, the FTC observed that:

  •  there is ubiquitous collection and use of consumer data online;
  • the distinction between personally identifiable information and anonymous or de-identified information is blurring;
  • the increased flow of information, including consumer data, creates significant economic benefits;
  • the FTC’s existing “notice-and-choice” model of privacy protection has led to companies publishing privacy policies and notices that are long, legalistic disclosures that consumers usually do not read and do not understand;
  • current privacy policies force consumers to bear too much burden in protecting their privacy;
  • the FTC’s existing “harm-based model” of privacy protection, while focusing on protecting consumers from specific harm (e.g., physical or economic) has failed to recognize less tangible privacy concerns such as reputational harm or the fear of being monitored;
  • both of the FTC’s privacy protection models (“notice-and-choice” and “harm-based”) have failed to keep up with data collection technology, including data collection that is invisible to consumers and website owners;
  • industry efforts to address privacy through self-regulation have been “too slow” and have failed to provide adequate and meaningful protection to consumers;
  • some companies manage consumer information in an irresponsible and even reckless manner, and many companies do not adequately address consumers’ privacy interests;
  • many consumers are not informed about or cognizant of the risks associated with the collection, sharing and other use of their personal information; they lack understanding and ability to make informed choices about the collection and use of their data.

To reduce the burden on consumers and ensure basic privacy protections, the report makes a number of recommendations, which are summarized below.

1.       Privacy by Design

The report recommends that companies adopt a “privacy by design” approach by building privacy protections into their everyday business practices. Such protections include reasonable security for consumer data, limited collection and retention of such data, secure disposal of the data and reasonable procedures to promote data accuracy. Companies also should implement and enforce procedurally sound privacy practices throughout their organizations, including assigning personnel to oversee privacy issues, training employees and conducting privacy reviews for new products and services. The report calls for companies to implement these concepts in a systematic manner, scaled to each company’s business operations, including the amounts and types of data the organization processes. 

2.      Notice

The report calls on companies to improve their privacy policies and notices so that interested parties can compare data practices and choices across companies. For example, to facilitate meaningful choice, the FTC is recommending just-in-time concise notice and choice at the data collection point or before a consumer accepts a product or service. The FTC believes that privacy policies will continue to play an important role in promotion transparency, accountability and competition among companies on privacy issues – but only if the policies are clear, concise and easy to read. The report also recommends consideration of standardized privacy notices that allow consumers to compare information practices of competing companies. Finally, the FTC has reminded organizations that they must provide robust notice regarding material, retroactive changes to data practices and obtain affirmative consent to such changes.

3.      Choice, Including a Do-Not-Track Mechanism

The report calls for companies to provide choices to consumers about companies’ data practices in a simpler, more streamlined manner than has been used in the past. Consumers should be presented with choice about collection and sharing of their data at the time and in the context in which they are making decisions – not after having to read long, complicated disclosures that they often cannot find. The report suggests that, to simplify choice for both consumers and businesses, companies should not have to seek consent for certain commonly accepted practices associated with processing consumers’ transactions, internal business operations (such as improving services), fraud prevention, legal compliance and first-party marketing. Some of these data uses are apparent in the context of the transaction, while others are accepted or necessary for public policy reasons. For data practices that are not commonly accepted or necessary, consumers should be able to make an informed and meaningful choice. The FTC used the report to remind organizations that they must obtain affirmative consent for material, retroactive changes to their data practices.

One method of simplified choice the FTC has recommended is a “Do Not Track” mechanism governing the collection of information about consumer’s Internet activity to deliver targeted advertisements and for other purposes. The FTC has recommended a simple, easy to use choice mechanism for consumers to opt out of the collection of information about their Internet behavior for targeted ads. The FTC believes that a practical solution is technologically feasible and suggests that the most practical method could involve the placement of a persistent setting, similar to a cookie, on the consumer’s browser signaling the consumer’s choices about being tracked and receiving targeted advertising.

4.      Access

The report recommends allowing consumers “reasonable access” to the data that companies maintain about them, particularly for non-consumer facing entities such as data brokers. Because of significant costs associated with access, the report suggests that access should be proportional to both the sensitivity of the data and its intended use.

We note that the data access principle, although novel in the U.S., is a well-established requirement in the European Union and some other jurisdictions that have adopted omnibus data protection regimes. In addition, providing reasonable access to personal data is one of the seven privacy principles mandated by the EU-U.S. and Switzerland-U.S. Safe Harbor programs. Accordingly, many U.S. entities that have certified compliance with the Safe Harbor are already complying with the data access requirement with respect to personal data they receive from Europe.

5.      Privacy Awareness

The FTC has proposed that stakeholders undertake a broad effort to educate consumers about commercial data practices and the choices available to them. The FTC believes that increasing consumers’ understanding of commercial data collection practices will facilitate competition on privacy among companies.

6.      Enforcement

The FTC reiterated its resolve to take action against companies that “cross the line” with consumer data and violate consumers’ privacy – especially when children and teens are involved. The Commission also made clear that consumers’ choices should be respected. The FTC will not tolerate use of technology to circumvent consumer choice.

In issuing the report, the commission posed a series of questions to privacy stakeholders. The deadline for submitting comments to the FTC is January 31, 2011. The questions concern the scope of the companies and data to which the framework should apply; the substantive privacy protections the framework offers; data management procedures; practices that should require meaningful choice; the “do-not-track” proposal; transparency of privacy practices and improvement of privacy notices; data access; and consumer education.

Please check back with us as we address the report in more detail in the coming days.

 
Tags: , , , , , , , , , , , , , , , , , ,
Posted on December 1, 2010 by Boris Segalis

David Vladeck Previews FTC's Report on Online Privacy

Speaking this morning, David Vladeck, Director of the FTC’s Bureau of Consumer Protection, discussed some of the major points of the Commission's upcoming report on online privacy. Mr. Vladeck said that the FTC's report will set out strategies for reducing the daunting burden consumers currently are facing in safeguarding their online privacy. 

Here are some of the major points the report is expected to raise:

  • Implementation of privacy by design; building privacy choices and technology into products and services as they are developed
  • Transparency of privacy practices and consumer privacy notices; providing short, precise notices at the data collection point
  • Simplification of consumer choices; making the choices meaningful

  • Simplification of consumer choices through a one stop shop for opting out of marketing or tracking (the FTC distinguishes between tracking and targeting); Mr. Vladeck believes there are technological means to implement this option, but the FTC does not have the authority to mandate such a system without Congressional action

  • Respect for consumers' choices; the FTC will not tolerate use of technological means to circumvent consumer choice

  • Encouraging competition on privacy by enabling consumers to compare privacy practices of competing websites
  • Strong protection for sensitive data, such as children's information, geo-location data and other information
  • Giving consumers access to their data; access is an important ingredient in privacy accountability
  • Focus on consumer and business education about privacy

Mr. Vladeck encouraged privacy stakeholders to answer questions that the FTC’s report will pose and provide other comments. The deadline for comments will be January 31, 2011.

Check back with us later today for a detailed analysis of the FTC’s report.

 
Tags: , , , , , , , ,
Posted on January 11, 2010 by Tanya Forsheit

Are We Living in a Post-Disclosure, Opt-In World?

Today's New York Times Media Decoder Blog features an "on-the-record" discussion with Federal Trade Commission chairman Jon Leibowitz and Bureau of Consumer Protection chief David Vladeck.  The question presented:  "Has Internet Gone Beyond Privacy Policies?"  The FTC (and Congress, for that matter) continue to signal that change may be imminent in the world of online privacy policies and traditional notions of opt-out consent. 

The dilemma remains - if consumers don't want to read privacy policies, what would constitute true notice and consent?  And, in the Web 2.0 world with consumers' insatiable appetite for on-demand, customized and interactive content, how can that process be handled in a manner that is both meaningful and consumer-friendly?  What do consumers really want?  And are their expectations regarding privacy simply inconsistent with the modern realities of social networking?  Just yesterday, the blogosphere was abuzz with news of the Facebook CEO's comments at the Crunchies Awards that "[p]eople have really gotten comfortable sharing more information and different kinds but more openly and with more people." 

At the end of the day, the real question (and answer) may have more to do with what constitutes "personal information," what consumers "reasonably" expect in today's world, and whether the sharing and use of certain kinds of information should be regulated.

In our current legal structure, even though such information flows around the world at breakneck speed, the definition of personal information ultimately depends on where you reside - and that, in turn, has grown out of social and cultural expectations. In the United States this has traditionally meant information that can be used to identify and victimize you (i.e., identity theft) - Social Security number, financial account number, and now, to a growing extent, medical information - although, in some new state statutes, the definition is much more broad.  In Europe, the answer, for cultural and historical reasons, continues to be much more expansive, encompassing just about anything that can identify an individual.

So when an individual shares information on Facebook about his or her favorite music, or holiday plans, or the color of a piece of clothing, does that constitute "personal information"? What are consumers' reasonable expectations about how that information, if disclosed publicly -- or not so publicly (e.g., to one's "friends") -- should be used? And should the government regulate the sharing and use of such information by data brokers, social networks, cloud computing vendors, and advertisers?

Last year, the FTC introduced self-regulatory principles for behavioral advertising, but issued a warning that advertisers had one last chance before the FTC would take further steps to regulate. Has that time come? Mr. Vladeck told the New York Times today that the FTC will issue a report in June or July.  Chairman Leibowitz said:

I have a sense, and it’s still amorphous, that we might head toward opt-in.

What would such opt-in look like and how would it operate?  Is any opt-in solution manageable in the online world? Can any proposed model keep up with rapid changes in technology and consumer expectations?  And will this focus on online privacy issues affect and/or eclipse the progress of the many pending federal data security and breach notification bills?

We shall see.
Tags: , , , , , , , , , ,