The Federal Trade Commission and the Commerce Department recently issued reports outlining their latest thoughts on consumer privacy, giving Corporate America a framework for acceptable practices around data collection and hints on where enforcement policy might go in the future.

The agencies are soliciting comment on separate reports detailing their respective views on steps businesses should take to protect the information they collect from customers, with an eye toward influencing future privacy legislation in Congress. One of the reports endorses a “Do Not Track” option for online users.

Comments are due by Jan. 28. The Commerce Department said it may consider more specific proposals in a future white paper.

The FTC report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” would apply broadly to online and offline commercial entities that “collect, maintain, share, or otherwise use consumer data that can be reasonably linked to a specific consumer, computer, or device.” Privacy law experts say the report illuminates the FTC staff's thinking on privacy issues.

“This is their view of what works and what doesn't,” says Dana Rosenfeld, chair of the privacy and information security practice at law firm Kelley Drye, and a former assistant director at the FTC Bureau of Consumer Protection. The FTC report faults industry efforts to regulate itself, saying such an approach “has failed to provide adequate and meaningful protection.”

The report states that the existing notice-and-choice model—which requires businesses to alert customers to what information is being collected and to allow consumers to opt out—has led to long, incomprehensible privacy policies that consumers usually don't read or understand. Meanwhile, the “harm-based model”—which focuses on eliminating uses of information that could cause damages, such as identity theft—doesn't recognize broader privacy concerns like reputational harm or the fear of being monitored, the report says.

“The staff has taken the view that the current privacy regime makes it too hard for consumers to understand what data is being collected, where, when and how it's being used, and their options for limiting its collection and use,” says Bruce Colbath, a partner in the law firm Weil Gotshal & Manges. “The proposed framework would … shift more of the burden onto companies to make it more understandable to consumers.”

The FTC framework focuses on three major themes. The first is “Privacy by Design,” which calls for companies to build privacy protections into their daily business practices, including reasonable security for consumer data, limited data collection and retention, and procedures to promote data accuracy. The FTC also calls for companies to assign personnel to oversee privacy issues, train employees on consumer privacy issues, and conduct privacy reviews for new products and services.

The second theme calls for companies to provide a simplified choice for consumers about the collection and sharing of their data. Under this principle, companies would have to get consent for practices that aren't widespread, such as online behavioral advertising, but not for more common ones, such as product and service fulfillment and first-party marketing.

The report's most controversial item is the FTC's endorsement of a “Do Not Track” mechanism, such as a Web browser setting that would allow online consumers to opt out of the collection of information about their internet behavior for targeted ads.

“The proposed framework would move away from the current notice paradigm and shift more of the burden onto companies to make it more understandable to consumers.”

—Bruce Colbath, Partner, Weil Gotshal & Manges

The idea is not without controversy. In a concurring statement in the report, FTC Commissioner William Kovacic described the measure as “premature.” A House subcommittee held a hearing on the subject last month. Deborah Lodge, a partner with the law firm Patton Boggs, says Do Not Track “raises significant issues with respect to consumer expectations and understanding and technological feasibility.”

Finally, the FTC report calls for greater transparency, including clearer, shorter, more standardized privacy notices and some amount of consumer access to the data companies maintain about them. (Consumer access to data is already a part of Europe's privacy regime.) The FTC also recommends that companies get affirmative consent from consumers if they use their data for something other than the use for which it was originally collected.

Privacy lawyers say businesses ought to pay close heed to the recommendations.

“While it's unclear how much of what's in the FTC paper might become law, following many of the staff recommendations for privacy by design and simplified choice would go a long way toward steering clear of FTC enforcement and complying with whatever regulations we might eventually get,” says Boris Segalis, a partner with InfoLaw Group. Many of those recommendations reflect current FTC enforcement efforts. For instance, Segalis cites a November settlement where the FTC alleged that EchoMetrix, a maker of Web monitoring software, failed to disclose its privacy practices adequately.

FRAMEWORK QUESTIONS

What follows are questions out for comment in regard to the proposed FTC privacy framework:

Scope

Are there practical considerations that support excluding certain types of companies or businesses from the framework – for example, businesses that collect, maintain, or use a limited amount of non-sensitive consumer data?

Is it feasible for the framework to apply to data that can be “reasonably linked to a specific consumer, computer, or other device”?

How should the framework apply to data that, while not currently considered “linkable,” may become so in the future?

If it is not feasible for the framework to apply to data that can be “reasonably linked to a specific consumer, computer, or other device,” what alternatives exist?

Are there reliable methods for determining whether a particular data set is “linkable” or may become “linkable”?

What technical measures exist to “anonymize” data and are any industry norms emerging in this area?

Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services

Incorporate substantive privacy protections

Are there substantive protections, in addition to those set forth in Section V(B)(1) of the report, that companies should provide, and how should the costs and benefits of such protections be balanced?

Should the concept of “specific business purpose” or “need” be defined further and, if so, how?

Is there a way to prescribe a reasonable retention period? Should the retention period depend upon the type or the sensitivity of the data at issue? For example, does the value of information used for behavioral advertising decrease so quickly that retention periods for such data can be quite short?

How should the substantive principles set forth in Section V(B)(1) of the report apply to companies with legacy data systems? When it is not feasible to update legacy data systems, what administrative or technical procedures should companies follow to mitigate the risks posed by such systems? Can companies minimize or otherwise modify the data maintained in legacy data systems to protect consumer privacy interests?

Maintain comprehensive data management procedures

How can the full range of stakeholders be given an incentive to develop and deploy privacy-enhancing technologies?

What roles should different industry participants – e.g., browser vendors, website operators, advertising companies – play in addressing privacy concerns with more effective technologies for consumer control?

Source: FTC Proposed Privacy Framework (December 2010).

The FTC plans to issue a final report in 2011. In the meantime, the Commission warned that it “plans to continue its vigorous law enforcement in the privacy area.”

Meanwhile, the Commerce Department issued its own initial policy recommendations for online consumer privacy in a paper, titled “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework,” which takes a different slant. While the FTC raises several worst-case scenarios of enforcement, Segalis says, the Commerce Department “is much more pro-business.”

The paper recommends the establishment of a “Privacy Bill of Rights” for consumers built on the existing Fair Information Practice Principles. The Privacy Bill of Rights details baseline requirements for how online companies collect and use personal information for commercial purposes.

It also calls for the establishment of a Privacy Policy Office in the Commerce Department to work with the FTC, the White House, and other federal entities to examine commercial uses of personal information, evaluate whether gaps in privacy protections exist, and to help develop enforceable privacy codes of conduct for specific sectors.

The Commerce paper also recommends the adoption of a national security breach notification rule to provide one federal regulation for what companies must do in the event of a data breach. U.S. businesses have been clamoring for such a rule, Colbath says. “The patchwork of state breach regulations is a nightmare for companies,” he says.

The report also urges the U.S. government to encourage global interoperability by working with its trading partners and global privacy authorities to find ways to bridge differences in disparate privacy frameworks and reduce compliance costs for companies.

Finally, Commerce recommends that the Obama Administration review the Electronic Communications Privacy Act to see if it needs to be updated to address privacy protection in cloud computing and location-based services.