FTC Staff Report Signals Shifting Privacy Compliance and Enforcement Risks

Late last week, the Federal Trade Commission (“FTC”) issued a highly anticipated staff report on privacy entitled “Protecting Consumer Privacy in an Era of Rapid Change.” The report – which is preliminary in nature and does not reflect the views of the FTC (though it was approved and issued by the FTC) – proposes a new privacy framework for businesses and policymakers which is intended to be adopted next year by the FTC after public comment (due January 31, 2011) and further modification (which may or may not be significant). In other words, the proposals in the report provide insight as to what businesses can expect with respect to privacy compliance requirements and enforcement in the future and are not directly enforceable regulations right now. Readers should keep in mind, however, that there is much that is mentioned in the report that is enforceable right now and distinguishing the enforceable from the aspirational isn’t always easy.

Figuring out what data needs to be protected won’t be easy either. The proposed framework would appear to apply to any data reasonably traced to a consumer, computer or device. The concept of sensitive data appears to be giving way to a desire to protect consumer privacy more broadly. And on that score, the report conveys the FTC staff’s view that “self-regulation” has, up to now, failed to provide adequate consumer protection and concludes that a new framework is needed to better protect consumers.

The proposed framework includes three primary recommendations: (1) privacy by design must be adopted by industry; (2) simplified choice must be provided to consumers for how their data is handled; and (3) greater transparency must be provided with respect to privacy and data handling practices. Included in this bundle is a recommendation that web browsers incorporate a “do not track” option for consumers. Surprising nobody familiar with the ways of Washington, today’s online Wall Street Journal reported on an announcement from Microsoft regarding its plans to add that capability to its Explorer web browser. Deep packet inspection used for the creation of web profiles and online behavioral advertising were also in the crosshairs of the staff’s report. For a more detailed look at the components of the three primary recommendations, please see Kelley Drye’s Client Advisory.