March 29, 2010

On March 17, 2010, the Federal Trade Commission (FTC) held its third and final discussion from its roundtable series-Exploring Privacy.  Panel topics focused on Internet Architecture and Privacy, Health Information, Addressing Sensitive Information, and Lessons Learned and Looking Forward.

The FTC intends to use the information gathered from these roundtables to restructure and guide its privacy agenda.  Next steps for the FTC may include extending the application of fair information practices, increasing enforcement of unfair and deceptive privacy practices, and developing privacy models and frameworks to address new technologies and business models.  FTC officials have stressed, however, that the Commission will review and analyze the information received through the roundtables and other channels before adopting any specific policies or initiatives.

Outgoing FTC Commissioner Pamela Jones Harbour: Critical of Online Privacy Practices[1]

Opening the roundtable discussion, outgoing Commissioner Harbour was critical of some technology companies' privacy practices and admonished industry leaders for publicly exposing consumer information during the introduction of new products and services.  According to Commissioner Harbour, these practices-where companies launch new products first, then address privacy concerns after data are exposed-are becoming more prevalent and creating "a dangerous game of ‘copycat' behavior in the industry."  While these companies have addressed privacy concerns subsequent to the product's launch, Commissioner Harbour warned that once personal data is shared, consumers' control over that data is lost forever.

Google and Facebook were among the companies criticized by the Commissioner for recent changes to their products and services that exposed consumers' personal information.  Addressing the launch of Google Buzz, Commissioner Harbour remarked that "the recent launch of [the service] was quite frankly irresponsible by a company like Google."  She also criticized Web browser companies, including those that offer cloud computing services, for their poor use of encryption technology because many companies only encrypt login information, and not other sensitive data that consumers send over such networks. 

Finally, Commissioner Harbour addressed recent remarks by industry leader, Google Chief Executive Eric Schmidt, stating that "if you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."  Strongly disagreeing with Mr. Schmidt's comments, Commissioner Harbour expressed her belief that "the Commission will continue to evaluate consumers' preferences and armed with these insights, I hope and expect that the Commission will continue to shape the conversation about the intrinsic value of privacy."  "But make no mistake," she warned, "the Commission will unfailingly step in to protect consumers where we believe the law has been violated, and that includes violations relating to privacy promises." 

Bureau of Consumer Protection Director David Vladeck Sets the Stage for FTC Action

Mr. Vladeck's introductory remarks summarized the FTC's past roundtables[2] and provided insight into the FTC's next steps for creating a new privacy framework.  Mr. Vladeck noted that the Commission would likely develop a set of proposed recommendations that would be presented for further public comment.  According to Mr. Vladeck, the Commission intends to continue to make this process public.

Gleaned from past roundtables, Mr. Vladeck discussed a number of issues-from the challenges posed by emerging technologies, to problems with privacy policy models.  For example, emerging business models and technologies have "blurred and indeed threaten[] to obliterate the distinction between [personally identifiable information] and non-personal information."  Further, Mr. Vladeck noted that there appears to be widespread agreement from academics, industry leaders, and consumer advocates that current privacy polices are not an effective means of protecting individuals' personal privacy. 

While many of the topics of the present and past roundtables have focused on inadequate privacy protection, Mr. Vladeck praised organizations using technology in innovative ways.  Examples of new tools include an icon created by the Future of Privacy Forum designed to alert consumers that advertisements may be behavioral-based and engage consumers to learn more about advertisements targeted at them.  The Future of Privacy unveiled this icon at the FTC's December roundtable.

Panelists Discussed Privacy Concerns and Provided Advice for the Future of Privacy Regulation

The panelists discussed a broad range of topics, such as how to use the Internet's architecture to protect privacy, protect health information, and define sensitive information.

  • The first panel of the day, Internet Architecture and Privacy, explored challenges presented by the existing Internet structure. Panelists expressed concern that the basic structure of the Internet creates privacy protection issues because many components, such as cookies, java script, and IP addresses, make it hard to anonymize data. To help ensure that the online environment better protects users' identities, panelists suggested developing new tools to create anonymous identifiers, prevent networks from opening individuals' e-mails, and provide consumers with means to verify how a website will use their information.

  • Panelists involved in the Health Information Panel discussed many facets of medical privacy, such as protection standards, how to define medical information, and the harms associated with sharing medical information. Some panelists suggested that standards for businesses that hold sensitive medical information should be stronger than for businesses that hold other types of information. On the other hand, panelists expressed concern that if protection measures are too strong, these practices could limit doctors' and organizations' ability to share medical data for research and other medical purposes.

  • Panelists also addressed aspects of sensitive information protection, such as how to define sensitive information. For example, panelists felt that achieving consensus over how to define such information presents challenges because consumers have very divergent views about the types of personal information they consider to be sensitive. Other difficult issues relate to how sharing different types of personal information can produce different harms, such as financial harm and social harm. Through these and other roundtable discussions, many academics, industry leaders, and consumer protection advocates agree that a one-size-fits-all approach will not adequately protect consumers' sensitive information. Instead many panelists advocated categorical approaches to protecting information, such as stronger protections for more sensitive information (e.g., medical or financial information) and more vulnerable people (e.g., children), but still building in place regulatory protection for other types of information that could cause social and other harms.

  • Finally, the FTC's series of roundtable discussion concluded with a panel analyzing the roundtable series and discussing the future of privacy regulation. Panelists noted that the roundtables had revealed problems with privacy policies and notice-and-choice privacy model protections, the difficulty of defining sensitive information, and identified tools to increase data protection, transparency, and educate consumers. Next steps proposed by the panelists included (1) creating fair information practices that are flexible and broad enough to address privacy in today's dynamic, changing technology environment; (2) balancing the burdens of privacy protection between businesses and consumers; (3) developing privacy best practices; and (4) working with other countries to understand global privacy practices.

Moving forward, the FTC has a number of privacy issues to examine, some of which were identified in closing remarks by Jessica Rich, the Deputy Director for the Bureau of Consumer Protection.  According to Ms. Rich, the FTC will have to grapple with many issues including how to give consumers greater privacy control, distinguish between helpful data practices and those that harm consumers, define privacy and sensitive information, create regulations that do not stifle innovation, and accommodate diverse business models. 

Similar to Director Valdeck's remarks, Ms. Rich indicated that the FTC will spend some time reviewing the comments from the roundtables and continue to elicit public comments about the process before determining how to proceed. 

Kelley Drye & Warren LLP

Kelley Drye & Warren's Privacy and Information Security practice is a leader in advising clients on privacy and information security issues and has been at the forefront of developments in this growing area of the law. Our attorneys regularly counsel clients regarding all aspects of privacy and data security compliance, including drafting and amending privacy and information security policies, advising clients on interpreting their own policies, crafting data security programs for clients, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding their obligations in connection with handling clients' customer data, and representing clients in connection with federal and state regulator privacy investigations regarding their privacy and data security practices.

For more information about this Client Advisory, please contact:

Dana B. Rosenfeld
(202) 342-8588
drosenfeld@kelleydrye.com

Alysa Z. Hutnik
(202) 342-8603
ahutnik@kelleydrye.com




[1]Commissioner Pamela Jones Harbour has announced her intention to resign from the Commission on April 6, 2010.  Before she spoke, she noted that the views expressed in her speech were her own and did not necessarily reflect the views of the FTC.  For more information on newly confirmed Commissioners Julie Brill and Edith Ramirez, please see our past client advisory, "President Obama Nominates New FTC Commissioners."

[2]For more information regarding the FTC's December 7, 2009, Roundtable and the January 28, 2010, Roundtable please see our past client advisories, "FTC Debates Online Privacy Protection: Agency Seeks to Incorporate Views of Regulators, Industry Leaders, and Academics into Comprehensive Privacy Protection Model" and "Federal Trade Commission Continues to Explore Consumer Privacy Protection Measures."