The Federal Trade Commission on March 26 released its long-anticipated privacy report, giving Corporate America a framework of acceptable practices around the collection of consumer data.

“The final FTC Privacy Report is a must-read for virtually every company that collects or uses identifiable consumer data—online or otherwise,” stated a Patton Boggs client alert. The report follows just one month after the White House on Feb. 23 released its “Consumer Privacy Bill of Rights,” setting forth its own blueprint for how companies should strengthen consumers' online privacy protections.

The FTC privacy report, titled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers,” advocates three main principles for protecting consumer privacy. The first principle calls on companies to adopt a “privacy by design” approach, which would entail building in privacy protections at every stage in developing systems and products. This includes providing reasonable security for consumer data, limiting collection and retention of consumer data, and adopting reasonable procedures to promote data accuracy.

The second principle reemphasized the FTC's support of a “Do Not Track” mechanism for online users, calling on companies to give consumers the option to choose what information may be shared and with whom.

“I'm very hopeful that do-not-track can be done without legislation,” FTC Chairman Jon Leibowitz said during a March 26 press conference. “But if it can't be, I suspect it will be done with legislation. And I think in many ways companies would be—they recognize they'd be wise to avoid that particularly when they're supportive of it.”

The FTC said privacy notices should be clearer and more standardized so that consumers can more easily understand and compare privacy notices and practices. The FTC also calls on both companies and data brokers to make their data practices more transparent by disclosing more details about their collection and use of consumer information, and to provide consumers access to the data collected about them. The FTC further urges companies that offer mobile services to work toward improved privacy protections, including disclosures.

The FTC will work with the Department of Commerce and industry stakeholders to develop industry-specific codes of conduct relating to consumer privacy. If companies do not follow the codes they purport to embrace, those companies may face FTC enforcement actions, the report warned. The FTC also calls on Congress to enact general privacy legislation, data security and breach notification legislation, and data broker legislation.

The final report differs in many ways from the interim privacy report issued in December 2010, which prompted more than 450 comments. To alleviate compliance burdens on small businesses, in particular, the privacy principles do not apply to companies that collect but do not transfer non-sensitive data from fewer than 5,000 consumers a year.

Additionally, data will not be deemed “reasonably linked” to an individual if a company takes reasonable steps to de-identify the data, commits not to re-identify it, and prohibits downstream recipients from re-identifying it. “Such ‘exemptions’ will lighten the burdens of companies that anonymize data before transferring to third parties, or use limited personal data for only their own internal purposes,” the Patton Boggs client alert stated.

In a dissent, FTC Commissioner Rosch criticized the privacy framework as focusing too much on what consumers may deem “unfair” as opposed to actual deceptive acts perpetrated by companies. “Unfairness is an elastic and elusive concept,” he said. “What is ‘unfair’ is in the eye of the beholder.”

Furthermore, even though the report merely offers recommendations for best practices, Rosch said, “I am concerned that the language of the report indicates otherwise, and broadly hints at the prospect of enforcement.”