pdf

Privacy Policies

May 21, 2012

The Federal Trade Commission’s March 2012 report on the protection of consumer information provides a clarified framework and best practices that entities should consider in maintaining or creating their own privacy policies and anticipating future developments and challenges for business practices that depend on collection and use of consumer information.

The Issue: Now more than ever before, technology allows entities to collect vast, detailed and personal information from us via our electronic devices, and that trend will only accelerate in the future. Privacy law will continue to evolve to regulate such collection and use. In March of 2012 the Federal Trade Commission (FTC) issued a final report providing its assessment of the changing landscape, which simultaneously calls for federal baseline privacy legislation and other specific laws and urges acceleration of industry self regulation through implementation of best practices to protect consumer privacy interests while allowing appropriate innovation through use of consumer information. The report also highlighted the FTC’s increasing activities to enforce existing laws to protect consumer privacy. The report will undoubtedly be highly influential in establishing a legal framework to evaluate whether entities are being sufficiently protective of consumer data and, as such, is something entities should consider carefully when reviewing their existing and planned data collection and use practices.

The FTC’s approach to privacy continues to be based on its longstanding Fair Information Practice Principles of privacy by design, simplified consumer choice, and transparency. The framework described in its new report articulate the following core points:

  • Privacy by design: Companies should establish substantive privacy protection practices, including data security, reasonable collection limits, sound retention and disposal practices, and data accuracy, and they should maintain comprehensive data management procedures.
  • Consumer choice: Entities should offer simplified choices, allowing consumers to share information they choose to share based on choices at or before the time of collection and use. For example, Web browsers should have a persistent “anti-tracking” button. If turned on, entities would be prohibited from collecting certain information from the user. Such an option is especially important when sensitive information is being collected. Importantly, the FTC recognized that choices need not be provided in certain circumstances, if collection and use is consistent with the context of the transaction or customer relationship or if required or specifically authorized by law. Likewise, small businesses that do not collect sensitive data or do not share such collected information with third parties may be exempt.
  • Transparency: Entities should increase data transparency, including providing clear, succinct and standardized disclosures that users can compare across websites and systems.

The FTC also identified certain issues as a focus in the upcoming year, including:

  • Do not track: The FTC praised industry progress on internet browsers for Do Not Track, but stated that it will continue to focus on a more complete industry-wide implementation of persistent, easy-to-use, and effective do-not-track systems.
  • Mobile phones: Among other relevant initiatives, the FTC is developing short, meaningful disclosures for this industry.
  • Information brokers: The FTC has indicated that entities that collect electronic data, sometimes merge it with offline data, organize it and then sell the result to third parties should be required to disclose their activities on a central website, where a consumer can access and dispute whatever data the broker has on her.
  • Large platform providers: Particular regulatory attention will be paid to entities such as Facebook or Windows that have access to a high volume of data.
  • Promoting enforceable self regulatory codes: The FTC will work with the Department of Commerce to facilitate sector-specific self-regulatory codes of conduct, as well as to vigorously enforce compliance (through deceptive practices statutes) with the self-regulated promises and codes adopted by entities.

The FTC is concerned about the collection and use not only of personally identifiable information, but also of information that could be “reasonably linked” to a person. For example, a user’s web browsing history can be used to learn the user’s characteristics, which could be used to offer them discriminatory product pricing. The FTC provided rules for the collection of such information.

Implication: Although there are currently data privacy regulations covering certain industries or data, including the CFPB’s Regulation P governing certain financial data and related consumer disclosure, the FTC’s guidance on generalized privacy protection goes beyond these specific requirements. While the framework is non-binding, the FTC is an influential regulator that will shape the law in this burgeoning area through influencing legislation, establishing rules and regulations to implement existing laws, encouraging industry action, and instituting enforcement actions where entities violate laws or their own privacy promises. Because the FTC guidance is non-binding, the private sector has the opportunity to self-regulate. Forward thinking organizations would be well advised to seek guidance on the regulatory expectations and design their data privacy systems and policies accordingly. Interested parties would be well-advised to develop and manage their company’s privacy practices in line with the recommendations and implications in the report, and to consider broader engagement with other industry members to develop industry standards.

Click here for a printable version of the entire newsletter.