Originally published March 28, 2012

Keywords: Federal Trade Commission, FTC, consumer privacy, consumer data, data privacy

On March 26, 2012, the US Federal Trade Commission ("FTC" or "the Commission") released a report titled "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policy Makers" (the Report).1 The report articulates best practices for companies that collect and use consumer data, makes recommendations for legislation, and specifies five key areas in which the FTC will focus its attention.2

The principles set forth in the Report are, like the White House's recently released framework on online data privacy, derived from Fair Information Practice Principles (FIPPs). A major theme of the Report is the collection, use, and distribution of consumer data in a manner consistent with the business relationship.

The FTC's Privacy Framework (Best Practices)

The Report sets forth the following consumer data privacy best practices: promoting consumer privacy protections by means of substantive and procedural principles; providing "simplified consumer choice" for the collection and use of consumer data that is consistent with the context of a company-consumer transaction/relationship; and increasing transparency of the practices of data brokers.

SCOPE

The framework applies to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device, unless the entity collects only non-sensitive data3 from fewer than 5,000 consumers per year and does not share the data with third parties. To ensure that a company's data is not reasonably linkable to a particular consumer, computer, or other device, the company must (i) take reasonable measures to ensure data is and remains de-identified, (ii) publicly commit to maintain and use the data in a de-identified fashion,4 and (iii) contractually prohibit third-party recipients from attempting to re-identify data. In addition, in defining the scope, the Commission clarified that the framework applies to online and offline data, and noted the framework is not meant to conflict with, or supersede requirements of, certain existing laws and regulations.5

"PRIVACY BY DESIGN"

As a baseline principle, "companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services." This means implementing substantive privacy protections as well as procedural safeguards aimed at integrating the substantive principles into a company's day-to-day business operations. In particular, companies should incorporate substantive privacy protections into data security and accuracy practices, collection limits, and retention and disposal policies.

"SIMPLIFIED CONSUMER CHOICE"

The Report establishes consumer choice as a "baseline requirement" for companies that collect and use consumer data, but also identifies situations in which choice is unnecessary. For example, companies do not need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company's relationship with the consumer, or those that are required or specifically authorized by law. According to the Report, "most" first-party marketing will not require consumer choice as these practices are consistent with the consumer's relationship with the business.

For practices requiring choice, companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data. Companies should obtain affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected, or collecting sensitive data for certain purposes.

The Report applauds efforts to develop and implement a "Do Not Track" mechanism providing consumers control over collection of their web surfing data. However, the Report expresses concern about the evolving privacy issues related to large platform providers, that is, entities such as ISPs, operating systems, and browsers with broad access to users' online activities.

TRANSPARENCY

The Report calls on companies to increase the transparency of their data practices by (i) making privacy notices clearer and more concise, (ii) granting consumers access to the information collected, proportionate with the sensitivity and use of the data, and (iii) educating consumers about their privacy practices. In particular, the FTC supports providing consumers with access to a list of categories of consumer data held and the ability to suppress the use of such data for marketing.

The Report makes two additional recommendations for data brokers.6 First, the Commission supports legislation giving access rights to consumers for information held by these entities. Second, the FTC recommends that the data broker industry explore the idea of creating a centralized website identifying brokers to consumers and describing the manner in which data brokers collect and disclose information.

Recommendations to Congress

The FTC agreed with certain privacy advocates that "self-regulation has not gone far enough," and raised two additional concerns: (i) well-meaning companies lack sufficiently clear standards to operate and innovate while respecting consumer privacy and (ii) companies that seek to cut corners on consumer privacy do not have adequate legal disincentives. In response, the Report calls on Congress to enact "baseline privacy legislation" that is technology-neutral, sufficiently flexible to allow companies to continue to innovate, and that incorporates the FIPPs. The Commission also reiterated its call for legislation requiring companies to implement reasonable data security measures and to notify consumers in the event of certain security breaches.

Agency Priorities

The Report announced five initiatives to enhance consumer privacy that the FTC will actively pursue over the next year. They are:

  • Completing development of a national Do Not Track system. The Commission is encouraged by the progress of various private entities7 and commits to working with groups towards an "easy-to-use, persistent, and effective" system.
  • Improving privacy protections for mobile services, including the development of "short, meaningful disclosures."
  • Providing consumers with access to information collected or used by data brokers (as referenced above).
  • Exploring privacy issues related to "large platform providers." FTC staff will host a public workshop in the second half of 2012 to examine the privacy implications of comprehensive tracking possible through such platforms.
  • Promoting enforceable, sector-specific, self-regulatory codes as proposed in the White House's privacy framework. The Commission confirms that adherence to such codes by private entities will be viewed favorably in connection with its enforcement work.

Footnotes

1 The Report and accompanying FTC press release are available online at http://ftc.gov/opa/2012/03/privacyframework.shtm.

2 According to the Report, it is not intended to serve as a template for enforcement or regulatory actions.

3 The Report defines "sensitive data" as Social Security numbers or financial, health, children's, or geolocation information.

4 Re-identification after such public commitment may subject an entity to enforcement action under Section 5 of the FTC Act.

5 Specifically cited in the Report are the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act, and the Gramm-Leach-Bliley Act.

6 "[C]ompanies that collect information, including personal information about consumers, from a wide variety of sources for the purpose of reselling such information to their customers for various purposes, including verifying an individual's identity, differentiating records, marketing products, and preventing financial fraud."

7 The Report specifically cites tools developed by browser vendors, the Digital Advertising Alliance's development of its own icon-based tool and its commitment to honor browser vendors' privacy utilities, and the World Wide Web Consortium's progress in creating international Do Not Track standards.


© Copyright 2012. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.