Last week, the Federal Trade Commission ("FTC") released a final report setting forth best practices for consumer privacy protection. The report, entitled "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers," expands on the FTC staff's draft privacy proposal, which was released in December 2010,1 following a series of public roundtables that analyzed current privacy approaches and challenges involved in protecting consumer privacy.2 The final report reflects the FTC Commissioners'3 and staff's current views on privacy protection and incorporates input from over 450 comments that the FTC received regarding the staff's preliminary recommendations.
Principles of the Final Report
While the FTC has emphasized that the final privacy framework "is intended to articulate best practices for companies that collect and use consumer data," some of the recommendations (e.g., reasonable security and disposal) are already interpreted as requirements under Section 5 of the FTC Act. The report emphasizes flexibility and reasonableness—recommending that privacy practices should be driven by the context of a transaction, the sensitivity of data, and its intended use.
The final report, similar to the staff's preliminary proposal, recommends that companies adopt three primary principles to guide implementation and maintenance of privacy and data security practices—(1) privacy by design, (2) simplified consumer choice, and (3) transparency.
The final framework applies to all commercial entities--including entities already regulated by privacy and data security laws--that collect or use consumer data (both on- and offline) that can be reasonably linked to a specific consumer, computer, or other device, unless an entity collects only non-sensitive data from fewer than 5,000 consumers per year and does not share the data with third parties.
A company's data would not be considered to be "reasonably linked to a specific consumer, computer, or other device" if (1) the company has taken reasonable measures to ensure that the data is de-identified; (2) the company has publicly committed to use data in a de-identified fashion and does not attempt to re-identify the data; and (3) the company contractually prohibits other entities, such as service providers or other third parties, with whom it shares de-identified data from re-identifying that data. The public commitment under the second prong is designed to provide the FTC with enforcement authority under the FTC Act if a company re-identifies the data because the company will have misrepresented its data practices.
Privacy by Design
This principle encourages entities to build in and promote privacy throughout their organization and at every stage of product development. The final report enumerates a number of steps that should be taken to implement this recommendation.
- Substantive Privacy by Design Principles: Data Security, Reasonable Collection Limits, Sound Retention Practices, and Data Accuracy—Some of these principles are already required under FTC Act standards, such as requirements that companies must provide reasonable security and disposal practices for consumer data. The new framework combines these requirements with recommendations regarding how entities should limit data collection and retention, and promote data accuracy. The recommended data collection and retention standards are flexible, with standards based on the type of relationship, and use and sensitivity of the data (e.g., data collection that is inconsistent with the context of a particular transaction should be accompanied by appropriate disclosures; data should be properly disposed "once the data has outlived the legitimate purpose for which it was collected"). Similarly, an entity should take reasonable steps to ensure that data is accurate, with the reasonableness of an entity's efforts determined by the use and sensitivity of the information (e.g., an entity would not need to take special measures to ensure the accuracy of data used for marketing purposes, but accuracy efforts should be more robust for data used to determine a consumer's eligibility for benefits).
- Procedural Protections Used to Implement the Substantive Principles—The Commission recommends that the substantive principles should be carried out through comprehensive data management procedures that are maintained throughout the life cycle of a product or service. The report notes that its recent Consent Orders for Google and Facebook4 illustrate the elements that a comprehensive privacy program should include.
Simplified Consumer Choice
The final report refines the FTC's recommendations regarding when and how entities should provide choices about data collection and use by recommending a framework that focuses on the context of a consumer's interaction with a company, as opposed to the more rigid categories of "commonly accepted" and "not commonly accepted" practices that were proposed in the staff's draft report. The Commission's new recommendations allow an entity to collect and use data for practices that are consistent with the context of the transaction, the company's relationship with the consumer, or those transactions authorized by law without obtaining the consumer's consent.
- Practices Generally Not Requiring Choice—While the "commonly accepted" distinctions were replaced by a more flexible standard, the Commission has maintained that certain specified practices would not typically require consumer choice. These practices include fulfillment, fraud prevention (e.g., practices designed to prevent security attacks or phishing), internal operations (e.g., frequency capping or product improvement), legal compliance and public purpose (e.g., intellectual property protection or using location data for emergency services), and most first-party marketing practices. But, if a company combines these practices with other practices that are not consistent with the interaction, consumer choice should be provided. For example, if data that was being used to improve existing products or services (i.e., for internal operations) was shared with third parties, it would no longer be an "internal operation" consistent with the context of the consumer's interaction with the company; thus, consumers should be given an opportunity to consent. Similarly, the Commission noted that first-party marketing generally does not require choice, but certain marketing practices, such as tracking across third-party websites, data enhancement practices involving the transfer of consumer data to another business, or using sensitive data for marketing purposes, should trigger choice mechanisms.
- How to Provide Choice—Where choice is needed, the Commission recommends that entities provide choices at a time and in a context in which the consumer is making a decision about his or data. This principle focuses on providing consumers with clear and conspicuous choice mechanisms that are meaningful and relevant, such as offering choice "directly adjacent to where the consumer is entering his or her data" for online transactions or prominently at the point-of-purchase for offline transactions. While the mechanisms through which an entity should provide consumer choice are only recommendations, if choice is provided, requirements that the choice be clear and conspicuous, meaningful, and relevant to consumers are likely enforceable under the FTC Act.
- Affirmative Express Consent—The Commission also recommends that companies should obtain affirmative express consent before (1) using consumer data in a materially different manner than represented when the data was collected; and (2) collecting children's information, financial and health information, Social Security numbers, precise geolocation data, and other sensitive information. Through past actions, the Commission has indicated that the first principle—requiring prominent disclosures and express affirmative consent for material retroactive privacy changes—is a requirement under the FTC Act.5
The Commission report also recommends that companies increase the transparency of data practices to increase consumers' awareness regarding how and for what purposes companies collect, use, and share data.
- Reducing Length and Complexity of Privacy Notices—In general, the Commission recommends that privacy notices should be clearer, shorter, and more standardized to enable better comprehension, allow consumers to easily compare different entity's notices, and encourage companies to use privacy as a competitive tool. To help entities develop shorter, more standardized policies the Commission intends to hold a number of workshops later this year that will focus on topics such as online advertising disclosures and privacy disclosures in the mobile environment.
- Providing Access to Consumer Data—As discussed above, the Commission recommends that reasonable access to consumer data should be provided in proportion to the sensitivity of the data and the nature of its use. At a minimum, the Commission supports access policies that allow consumers to access a list categorizing the data an entity holds and to suppress the use of that data for marketing purposes.
To bolster its ability to protect consumer privacy, enhance data security practices, and "provide clear standards and appropriate incentives to ensure basic privacy protections across all industry sectors," the Commission's report also calls on Congress to enact baseline privacy legislation, comprehensive federal data security legislation, and legislation providing consumers access and the opportunity to dispute the accuracy of information held by data brokers.
Further, while the Commission's report praised industry for its "significant progress in implementing a Do Not Track mechanism," FTC Chairman Jon Leibowitz has indicated that if effective Do Not Track mechanisms are not available by the end of the year, the FTC will support legislation mandating such programs. The Commission's report provides five key principles that a Do Not Track mechanism should include and encourages data brokers to create a centralized website where these companies could identify themselves to consumers, describe how they collect consumer data, and disclose the types of companies to which they sell this data.
In support of its legislative proposals, Chairman Leibowitz testified before the House Subcommittee on Commerce, Manufacturing and Trade a few days after the Commission's privacy report was released.6 The hearing focused on the White House's privacy framework--"Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy"7--as well as the FTC's recently released report.
The FTC's final privacy framework, which combine best practices with principles that are already interpreted as requirements under the FTC Act, represents the Commission's current stance on the protection of consumer privacy rights. Entities should be prepared for this framework to guide the FTC's actions regarding its policy-making initiatives, legislative support, and enforcement actions to the extent that it has authority under existing statutes, including the FTC Act. Entities that implement the FTC's recommendations will be in a better position to defend privacy and data security practices in the event of an enforcement action, as well as quickly adapt to privacy legislation if and when it is enacted.
Kelley Drye & Warren LLP
Kelley Drye & Warren's Privacy and Information Security practice is a leader in advising clients on privacy and information security issues and has been at the forefront of developments in this growing area of the law. Our attorneys regularly counsel clients regarding all aspects of privacy and data security compliance, including drafting and amending privacy and information security policies, advising clients on interpreting their own policies, crafting data security programs for clients, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding their obligations in connection with handling clients' customer data, and representing clients in connection with federal and state regulator privacy investigations regarding their privacy and data security practices.
For more information about this advisory, contact:
Dana B. Rosenfeld
Alysa Zeltzer Hutnik
1 Information about the FTC's draft privacy proposal—"Protecting Consumer Privacy in an Era of Rapid Change"—can be found in Kelley Drye & Warren's December 8, 2010 client advisory.
2 Information about the FTC's privacy roundtables can be found in Kelley Drye & Warren's March 29, 2010, February 3, 2010, and December 15, 2009 client advisories
3 The Commissioners voted 3 to 1 to approve the final report with Commissioner J. Thomas Rosch dissenting.
4 In the Matter of Google, Inc., FTC Docket No. C-4336 (Oct. 13, 2011) (consent order), available at, http://www.ftc.gov/os/caselist/index.shtm; In the Matter of Facebook, Inc., FTC Docket No. 092 3184 (Nov. 29, 2011) (consent order), available at, http://ftc.gov/os/caselist/0923184/index.shtm.
5 See Id.
6 Subcommittee on Commerce, Manufacturing and Trade, "Balancing Privacy and Innovation: Does the President's Proposal Tip the Scale?" (Mar. 27, 2012).
7 Information about the White House privacy framework can be found in Kelley Drye & Warren's February 24, 2012 client advisory.