DECEMBER 2010
FTC Seeks Input on Sweeping Changes to Consumer Privacy Protections: Recommendations Include Do-Not-Track and Much More
In a preliminary report to Congress, released by the FTC last week, the agency proposed sweeping changes to how it believes companies should approach consumer privacy. This report marks a major change in the way the FTC approachs privacy, essentially creating an EU-like approach for all entities that collect and maintain personal information. The FTC has sought industry input by January 31, 2011. Although the FTC’s comments about online behavioral advertising and a “do not track” functionality (under which a consumer could set his or her browser to stop any online behavioral advertising) have received a great deal of publicity, the report includes many other proposals that would have significant impact.
In particular, the FTC contemplates a three-pronged approach to privacy. First, it recommends that companies incorporate privacy protections at every stage of their business, treating privacy as a “basic consideration – similar to keeping track of costs and revenues.” Under this prong companies would need reasonable security to protect personally identifiable information, reasonable limits on collection, sound retention practices, safe disposal of data that is no longer needed, and efforts around data accuracy. These types of procedural recommendations about business operations have arisen not only abroad, but also in state laws and laws specific to certain types of information (health, financial). This is the first time, however, that the FTC has issues such sweeping recommendations about procedural steps companies should put in place for general personally identifiable information.
The second prong is to provide consumers with streamlined choice about how their information is used, whether in the offline context, or online for traditional computer or mobile devices. The FTC is considering — and is seeking comment from the industry – about choice that would involve “durable” affirmative consent from consumers for all except “commonly accepted” practices. Commonly accepted practices are currently viewed by the FTC as including advertising a company’s own products and services, and internal operations like customer satisfaction surveys. Falling outside of common practices would be, inter alia, online behavioral advertising, use of data for purposes outside of the scope of the initial collection, and sharing data with a third party for that third party’s advertising purposes. The FTC has sought input from the industry on how affirmative consent should best be obtained, when a “take it or leave it” approach to consent would be appropriate (“either accept our practices or don’t use our website”), and the scope of “common practices” in different online situations (such as when a data broker is involved). The FTC has also called on the industry to ensure that choice is meaningful on a mobile device (pointing out that in some circumstances, consumers are forced to click-through 100 screens to read a privacy policy).
Finally, the third prong would require companies to give better transparency about their data practices. These include improving privacy policies to make them easier to understand and compare, giving consumers reasonable access to information maintained by the company about them, obtaining consent prior to changing practices, and increasing consumer education. Many of the specific steps in these three prongs have already been enforced by the FTC under its authority through the FTC Act, although some are new, or some have not been fully fleshed-out under current FTC case law.
TIP: Companies should consider getting involved in the comment process. The suggestions from the FTC could have far-reaching implications on how companies operate their businesses, and portions could be enforced – without new legislation – under existing authority from the FTC Act. For other areas, at least three legislators appear to be looking into proposing new broad privacy laws in 2011. Companies that maintain personal information should begin to think about what parts of the proposed approach they already follow, and what parts might require changes to their internal procedures, and how such changes could be effectuated.