On December 7, 2009, the Federal Trade Commission ("Commission" or "FTC") hosted a privacy forum, "Exploring Privacy: A Roundtable Series," addressing consumer privacy protection challenges, existing fair information practices, and the creation of a new privacy regulatory framework. December's roundtable, held in Washington, D.C., was the first of three roundtables organized by the FTC focusing on consumer privacy protection.
Panelists in the first roundtable discussed a broad range of privacy-related issues, including emerging technologies' impact on consumer privacy, consumer expectations and knowledge of privacy protection, online behavioral advertising, regulation of information brokers, existing privacy regulatory frameworks, and privacy protection measures moving forward.
Opening the discussion, Chairman Jon Leibowitz noted that legislators, the Commission, and other stakeholders are facing a watershed moment in privacy and "that the time is ripe for the Commission . . . to take a broader look at privacy writ large." Chairman Leibowitz also acknowledged that traditional notions of privacy protection, such as notice and choice privacy protection models, and current definitions of personally identifiable information need to be examined and updated to fit current and anticipated data collection and use practices.
Other FTC leaders, including Commissioner Pamela Jones Harbour and the Director of the Bureau of Consumer Protection, David Vladeck, offered important insights into the future of privacy protection. Commissioner Harbour advocated for the creation of comprehensive privacy legislation to address both online and offline data collection, as well as extending privacy protection concepts to competition regulation. Mr. Vladeck, summarizing the day's discussions, noted that the widely differing views on privacy regulation have "exemplified just how difficult the questions we have to confront are."
In a speech presented the day after the FTC's December roundtable to the International Association of Privacy Professionals, Mr. Vladeck offered further insight addressing future privacy protection measures. He reiterated the need to examine the effectiveness of existing privacy regulatory frameworks, particularly notice and choice models and harm-based regulations. Further, he acknowledged the critical role that "practitioners, academics, consumer advocates, industry representatives, international experts, technologists, and others" will play alongside the FTC in shaping consumer privacy protection "in a complex and changing environment."
The Commission began examining and regulating online consumer privacy in the mid-1990s to address consumer concerns about emerging online technology, such as how consumer information was being collected and used in the online environment, and whether information was secure. Enforcement actions targeting deceptive and unfair privacy practices was, and continues to be, a cornerstone of the FTC's privacy protection measures.
The existing FTC privacy regulatory framework focuses on a set of fair information principles-notably notice, choice, access, and security. These principles were developed on the basis that consumer information collection and use practices should be transparent, organizations should be accountable for consumer information, and companies must respect consumer autonomy and honor individual preferences. Since 2001, the Commission has focused its privacy protection agenda on a number of issues, such as combating identity theft, data security, children's privacy, and preventing unwarranted intrusions into consumers daily lives by regulating spam, spyware, and telemarketing.
The FTC is now in the process of reexamining its privacy protection framework by exploring the impact of new technology on consumer privacy, examining the effectiveness of notice and choice and other current privacy protection models, and identifying new privacy concerns-such as the protection of health information and regulating international privacy practices. Transparency and consumer control continue to be key concepts in building a comprehensive privacy protection framework that will provide consumers with the tools necessary to make meaningful, informed choices.
The FTC's December 2009 Privacy Roundtable identified a diverse array of issues and viewpoints that will affect the scope of privacy protection moving forward.
- The panelists discussed the impact of emerging technology on privacy protection, noting that new technology brings valuable benefits to consumers, but as technology continues to evolve, privacy protection principles are constantly challenged. Benefits of new technology and consumer information practices include free content, more relevant advertising, and technology better tailored to fit individual needs, but expansive use of personal information increases the risk that sensitive personal information will be disclosed to third parties and creates a chilling effect for online transactions where some consumers alter online behavior to prevent disclosure of personal information.
- In addition to consumer misconceptions regarding privacy protection, panelists noted that current notice and choice privacy models are proving to be ineffective as a privacy regulation tool. Through the roundtable discussions, the FTC is seeking to develop creative and innovative consumer privacy protection models that are usable and more meaningful for consumers.
- Panelists also examined definitions of personal information, posing many questions regarding the types of data that comprise personal information. Many panelists believed that traditional notions of personal information are outdated, such as distinctions between personally identifiable information and anonymous information, and how sensitive personal information should be defined.
- Business representatives also revealed new self-regulatory industry initiatives designed to improve consumer privacy protections. These initiatives include programs launched by Google, Yahoo!, and BlueKai that allow consumers to view and edit categories of personal information collected, used, and maintained by these organizations. Speakers expressed concern, however, that while self-regulation is an important aspect of privacy protection, tools that rely on consumer input will not be effective without proper consumer education. Further, panelists noted that industry self-regulation is not effective against companies that continue to frustrate privacy protection measures by circumventing consumer preferences with new technologies that stealthily collect data-such as flash cookies.
- Other issues addressed by the roundtable include increased regulation of data brokers; timing issues-such as when an organization's privacy standards and practices should be revealed to consumers (e.g., during data collection, when consumer data is used, or a combination of both these practices); the effectiveness of harm-based enforcement actions, specifically because deceptive and unfair privacy practices often produce intangible and immeasurable harm; and the development of international privacy standards that adequately protect cross-border transactions without restraining commerce.
Moving forward, the FTC will consider the best method for incorporating these issues into comprehensive privacy protection measures-whether by new legislation, new regulations, FTC enforcement initiatives, or industry self-regulation. Privacy protection measures will likely rely on a combination of these methods, as regulation must address a large number of issues while remaining flexible enough to adapt to new technology and encourage innovation.
The second FTC roundtable will take place on January 28, 2010, in Berkeley, California, where the discussion will focus on the impact of technology on privacy-both as a way of promoting privacy protection, as well as a tool that can undermine consumer privacy in some instances.
Kelley Drye & Warren's Privacy and Information Security practice is a leader in advising clients on privacy and information security issues and has been at the forefront of developments in this growing area of the law. Our attorneys regularly counsel clients regarding all aspects of privacy and data security compliance, including drafting and amending privacy and information security policies, advising clients on interpreting their own policies, crafting data security programs for clients, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding their obligations in connection with handling clients' customer data, and representing clients in connection with federal and state regulator privacy investigations regarding their privacy and data security practices.
For more information about this Client Advisory, please contact:
Dana B. Rosenfeld