Fifteen months after releasing its preliminary report, the Federal Trade Commission released its final Report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policymakers.” The much anticipated final report went further than the preliminary report by now calling for Congress to enact general privacy, data security and breach notification, and data broker legislation in addition to advocating that companies self-regulate by adopting the best practices set forth in the FTC’s privacy framework. The mix of baseline privacy legislation and industry self-regulation tracks the Obama administration’s white paper recommendations for a “privacy bill of rights” and industry codes of conduct enforced by the FTC.
The three prongs of the FTC’s recommended “best practices” to protect consumers’ private information are:
1) Privacy by Design—building in privacy at every stage of product development;
2) Simplified Choice—simplifying consumers’ and businesses’ ability to make choices about their information, such as through a “Do Not Track” mechanism; and
3) Greater Transparency—improving transparency in and consumer access to data collection and use policies.
In response to over 450 public comments to its preliminary report, which are heavily cited throughout the final report, the FTC altered some of its previous recommendations. First, the FTC recognized the burden faced by small businesses in meeting the FTC’s recommendations. Thus, the final framework does not apply to companies that collect non-sensitive data from fewer than 5,000 customers per year. Additionally, in response to concern that data can be “reasonably linked” to consumers, and computers or devices, the Commission clarified that data is not “reasonably linked” where a company takes reasonable measures to ensure data is de-identified, publicly commits to not trying to identify data, and contractually prohibits downstream recipients from trying to re-identify the data.
Secondly, while the FTC previously proposed a list of five “commonly accepted” information collection and use practices, many commentators were concerned these practices could stifle innovation. In response, the new guidelines state companies do not need to provide choice before collecting and using consumer data for practices consistent with the transaction, the company’s relationship with the consumer, or as required by law. Thirdly, the Commission now recommends that any legislation addressing the practices of information brokers include procedures for consumers to access and dispute personal data held by information brokers.
The final report summarized the enforcement actions brought by the FTC since it issued the preliminary report, highlighting enforcement priorities that involve website privacy policies and practices, online behavioral advertising, COPPA, FCRA, and data security. The FTC also identified five key areas it plans to focus its policymaking efforts on in the next year to promote the implementation of its privacy framework:
- Do Not Track—implementing an easy-to-use, persistent, and effective Do Not Track system;
- Mobile—improving privacy protections through short, meaningful disclosures;
- Data Brokers—supporting targeted legislation that would require data brokers to create a centralized website that would identify brokers to consumers and detail access rights and choices consumers have;
- Large Platform Providers—exploring issues related to comprehensive tracking of online activities by ISPs, operating systems, browsers, and social media; and
- Promoting Enforceable Self-Regulatory Codes—working with the Department of Commerce and industry stakeholders to develop sector-specific codes of conduct, with the carrot that compliance with such codes will be viewed favorably by the FTC when it comes to enforcement.
The FTC cautioned that, to the extent the framework exceeds existing legal requirements, it is not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC. However, expect to see the principles of the privacy framework continue to appear as requirements of consent orders the FTC enters into to resolve the enforcement actions it brings. Indeed, the FTC did just that the day after releasing its final report when it announced that it had entered into a proposed settlement agreement with social game site operator RockYou (prior coverage here) to resolve the FTC’s claims that RockYou failed to protect the privacy of its users when hackers gained access to the user names and passwords of 32 million users and violated COPPA by collecting information from 179,000 children.