The Federal Trade Commission (“FTC”) issued its final report titled “Protecting Consumer Privacy in an Era of Rapid Change, Recommendations for Businesses and Policymakers” (“FTC Privacy Report”) in March 2012. The FTC Privacy Report represents the culmination of a two-year process in which the FTC held round table discussions around the country to gather information from various stakeholders including businesses, privacy advocates, technologists and individual consumers about data privacy concerns.
The FTC Privacy Report does not alter existing privacy and data security laws. However, the report provides useful guidance for businesses regarding: (1) best privacy and data security practices that companies should implement; and (2) where the FTC will focus on enforcement.
Core Privacy Principles
The FTC Privacy Report lays out best practices for companies that own, collect, process or otherwise handle consumer information. The FTC focused on the following three principles:
Privacy by Design: Companies must build privacy protection (such as data security, reasonable collection limits, data retention and disposal practices and data accuracy) into their products and services at every stage of development.
Simplified Consumer Choice: Companies must permit consumers to make decisions about how their information is collected, used and disclosed by implementing clear, simple “Do Not Track” mechanisms that allow consumers to more easily control the tracking of their on-line activities especially for: (a) practices that are not consistent with the consumer’s interaction with the business; (b) using consumer data in a manner that differs from what was claimed at the time the data was collected; and (c) collecting sensitive data.
Greater Transparency: Companies must make their information collection, use and disclosure practices more transparent by doing the following: (a) simplifying their privacy notices; (b) providing reasonable access to consumer data proportionate to the sensitivity of the data; and (c) educating consumers about data privacy practices.
FTC’s Focus on Implementation
The FTC also stated that it will focus on implementation in the following five key areas:
1. Do Not Track: The FTC will work with companies to implement an easy to use, persistent and effective Do Not Track system.
2. Mobile: The FTC calls on companies providing mobile services to improve privacy protections by providing consumers with short, meaningful privacy disclosures, among other measures.
3. Data Brokers: The FTC calls upon data brokers to further increase transparency about their data collection, use and disclosure practices.
4. Large Platform Providers: The FTC states that large platforms such as Internet Service Providers (“ISPs”), operating systems, browsers and social media that track consumers’ on-line activities raise heightened privacy concerns.
5. Promoting Enforceable Self-Regulatory Codes: The FTC will work with the Department of Commerce to develop sector-specific codes of conduct. The FTC will look favorably upon companies that choose to adhere to applicable codes of conduct, and it will enforce the FTC Act and take action against companies that engage in unfair or deceptive practices including not abiding by self-regulatory programs they join.
It is clear from the FTC Privacy Report that we can expect to see increased regulation in the area of privacy law. But, the FTC Privacy Report contains useful guidance that companies can use and implement now to potentially limit liability and avoid the financial and reputational costs of litigation. Seeking legal counsel at the beginning stages of product and service development and appropriately implementing the FTC’s suggestions will decrease the risk of litigation and other negative consequences down the road.