The Federal Trade Commission (FTC) issued its much-anticipated final report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, on March 26. The report comes a month after the Obama Administration released a blueprint for strengthening online privacy, including a "Consumer Privacy Bill of Rights." The FTC report largely mirrors key points in the Administration's report.
The FTC announces in the report its adoption of a framework for protecting consumer privacy based on three best practices: (1) Privacy by Design, whereby companies build privacy protections into every stage of the development cycle for both products and services; (2) Simplified Choice for Businesses and Consumers, which gives consumers the ability to make reasonable decisions about their data, including a "Do-Not-Track" mechanism, while reducing the burden on businesses of providing unnecessary choices; and (3) Greater Transparency over information collection and use practices, in order to better inform consumers and give them more access to their data. The framework applies to the handling by commercial entities of data (offline and online) that is reasonably linkable to a specific consumer, computer, or device. The framework does not, however, apply to entities with fewer than 5,000 consumers per year that handle only non-sensitive data and do not share any data with third parties.
The FTC's final report adopts a "context of the interaction" standard instead of the "commonly accepted" data practices standard proposed in the prior draft report. Under this standard, companies are not required to provide consumers with a choice before collecting and using their data for practices that are: (1) consistent with the context of the transaction; (2) consistent with the company's relationship with the consumer; or (3) required or specifically authorized by law. Complying with this standard will, of course, require important judgment calls by companies as to what is or is not reasonably within the "context" of an interaction or transaction with a consumer (e.g., behaviorally targeted advertising). The FTC states in the report that the practices previously identified in the draft report as not requiring consumer choice (i.e., fulfillment, fraud prevention, internal operations, legal compliance, public purpose, and most first-party marketing) will not typically require consumer choice under the new "context of the interaction" standard.
The FTC confirms that affirmative consent should be obtained from consumers when companies make material retroactive changes to their privacy policies, and before collecting sensitive data, including information about children, financial and health information, Social Security numbers, and precise geo-location data (e.g., in the mobile app context). The FTC also states that companies targeting teens should consider additional protections, such as shorter retention periods for collected data.
Testifying before a House Energy and Commerce Subcommittee on March 29, FTC Chairman Jon Leibowitz explained that the FTC report is "not a regulatory document or an enforcement document," but instead is designed to provide guidelines for the industry. According to Chairman Leibowitz, while companies that follow the "best practices" outlined in the report would not violate the FTC Act (which prohibits "unfair" or "deceptive" trade practices), a failure to follow the guidelines would not necessarily invite an enforcement action. Offering a slightly different take on the report's possible ramifications, FTC Commissioner J. Thomas Rosch, in his dissenting opinion to the report, suggested that some companies might feel "obliged to comply with the best practices or face the wrath" of the FTC. These statements have caused some confusion on the part of companies that are evaluating whether their internal privacy and data security practices should (or must) fit neatly within the report's proposed framework.
The FTC report also previews a plan for the agency, together with industry members, to develop and implement several core framework principles over the next year to accelerate the pace of self-regulation. Specifically, the FTC plans to focus on the following five action items:
Other than data breaches, perhaps no issue has received more media and regulatory attention over the past several months than mobile data privacy and security. Last month, the FTC staff released the results of a survey of mobile apps for children, which concluded that neither the app stores nor the app developers were providing sufficient disclosures or notifications to comply with the Children's Online Privacy Protection Act (COPPA). At around the same time, media outlets began reporting on how certain mobile apps were collecting address book information and photo images from consumers' mobile devices. In response to these reports, Representative Henry Waxman (D-CA), Ranking Member on the House Energy and Commerce Committee, and Representative G.K. Butterfield (D-NC), Ranking Member of the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade, sent letters on March 22, 2012, to 34 companies inquiring about their information collection and use practices.
The FTC report likewise focuses on mobile issues, calling on companies to work toward more effective disclosures and to improve methods of delivering such disclosures on the smaller screens of mobile devices. The FTC report also notes that the collection and use of geo-location data is of particular concern because of its highly personal nature, especially when children are involved. The FTC's workshop on May 30, 2012, should offer additional insight into the types of self-regulatory actions that mobile app developers can take to minimize the risk of an FTC investigation.