FTC Adopts Final Privacy Report, Renews Push For Do Not Track and Regulation of Data Brokers

by Davis Wright Tremaine LLP

[authors: Robert G. Scott, Jr. and Paul Glist]

On March 26, 2012, the Federal Trade Commission released its final report on “Protecting Consumer Privacy in an Era of Rapid Change” (“Final Report”), effectively adopting the Commission’s preliminary staff report announced in December 2010 (“Staff Report”) with important changes.

Overview

The Final Report adopts the general framework for privacy protection from the Staff Report, recast as privacy by design, simplified consumer choice, and transparency. The framework covers the use of personal and profiling information across all industries, on and offline. While the Final Report recognizes the growing success of voluntary Do Not Track tools, the Commission urges industry to increase their effectiveness or legislation will be needed.

Much of the change from the Staff Report to the Final Report reflects the FTC aligning with the Administration's approach to privacy. For example, the Commission discarded the Staff Report’s list of permissible “commonly accepted” business uses in favor of contextual justification. It accepts that relationships between companies and their customers vary widely, so privacy protections require flexibility that is best worked out in stakeholder discussions and self-regulatory codes (with the FTC enforcing any promises made). It restates and renames Fair Information Practice Principles consistent with the White House/Commerce Department February 2012 White Paper.

The Final Report affirms the Commission’s earlier view that privacy-related harm can be presumed from consumer fear of disclosure of private information without any actual economic or physical harm. It also justifies the costs of compliance with new privacy protections on grounds that businesses benefit in building consumer trust and increased customer engagement.

The Commission does not recommend that any existing sector-specific privacy laws sunset even if a new baseline for all other industries is established, leaving those industries to figure out how to comply with multiple sets of obligations.

The Final Report backs off of the Staff Report position that all data which can be “reasonably linked” to a specific person or device is personally identifiable information subject to protection.  Although the Commission adopts parameters for use of de-identified data with less stringent privacy rules, it seems to continue to treat linkage to a device as equivalent to linkage to a person.

Finally, the Commission adopts sweeping principles for consumer access to data held by any company.  For data brokers, the Final Report recommends a new opportunity for consumers to access a list of all categories of data held by any broker. For companies that purchase consumer data, the Commission establishes a sliding scale of access that depends on the use and sensitivity of the data, and recommends that these entities disclose the sources of information they collect on consumers. And the Final Report warns entities that do not consider themselves subject to the access and correction provisions of the Fair Credit Reporting Act that the law might extend to more types of transactions than commonly understood.

Detailed Analysis

Scope of Rules. Like the Staff Report, the Final Report proposes privacy regulation that extends to “all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device.” This includes all businesses that handle consumer data—online, offline, bricks and mortar.

Small Business Exception. The Final Report, however, provides an exception for businesses that “collect or use non-sensitive data from fewer than 5,000 individuals a year” when the use is for limited purposes “such as internal operations and first party marketing,” and the data is not shared with third parties.

No Sunset of Existing Privacy Regimes. Sectors of industry already governed by existing laws -- health, finance, cable television and telecommunications -- are not exempt. Rather, the Commission believes its framework augments existing privacy requirements, and directs “entities covered by those other statutes [to] view the framework as best practices.”

Use of De-Identified Data. The Staff Report deemed anonymous or de-identified data to be personally identifiable information subject to consumer choice if it could “reasonably” become linked to any specific person or device. The Final Report, however, attempts to allow the use of de-identified information where: (1) the company takes reasonable measures to ensure the data is de-identified (with reasonable measures defined by the context of the collection and use); (2) the company publicly commits to maintain and use the data in a de-identified fashion (with FTC enforcement); and (3) if the company makes anonymized data available to other companies, it contractually prohibits the third party from re-identifying the data and takes appropriate steps to address contract violations. It is not entirely clear what the Commission intends this standard to allow, because it appears to continue in its view that the potential linkage of data to a device is equivalent to linkage to a person.

Privacy By Design. The Final Report recommends baseline privacy principles, bringing the Staff Report into close alignment with the Administration’s White Paper. These include the overriding principle that companies should incorporate privacy protections into their routine practices, including data security; limit the collection of data to that which is consistent with the context of a particular transaction or consumer relationship, or as required by or specifically authorized by law; retain and destroy data with practices tailored to the purpose for which it was collected, taking into account the nature of the data; and take reasonable steps to ensure data accuracy.

Mobile Devices and Geolocation Data. The Commission sees mobile devices as facilitating unprecedented levels of data which can be used to track and predict consumer behavior. The Commission calls on companies to limit collection to data they need for the requested service or transaction, and to have reasonable policies of purging data. The Commission urges entities in the mobile ecosystem to work together to establish standards of collection, transfer, use and disposal, particularly for location data. It also urges them to improve notice and choice about third party use of data.

Deep Packet Inspection (DPI). The Commission’s view is that ISPs, operating systems, and browsers (“large platforms”) should give consumers a choice whether the entity may use DPI for marketing purposes. The Commission finds that “take it or leave it” choice is inappropriate in the sale of broadband Internet service, where the Commission believes consumers have few options. As a consequence, it believes the provider should never require the consumer to agree to tracking of all online activity for marketing purposes as a condition of service. Network management, security, and other uses of DPI, however, would not trigger this requirement.

The Commission recognizes that Google and Facebook have nearly the same view into the habits of users as ISPs and operating systems, but excuses them from the choice requirement imposed on other large platforms. In an effort to improve adherence to a technology-neutral approach, the Commission plans to host a workshop in the second half of 2012 to explore the issues.

First Party Marketing Practices that Require Choice. Although under the Final Report most first-party marketing practices are deemed consistent with the customer’s relationship with the company, the FTC clarified that several common practices require greater disclosure or consumer choice:

  • A retailer must provide consumers a choice before “retargeting” ads to the consumer on a separate website (i.e. the ad follows the user from the advertiser’s retail website).

  • Cookies, web beacons, social plug-ins (such as Facebook’s “Like” button) and similar technology that allows a company with a first-party relationship with the consumer to track the consumer’s activities across other websites are not likely to be consistent with the consumer’s first-party relationship, and would require choices.

  • Affiliates are third parties unless the affiliate relationship is clear to the consumer. Common branding is one way of making the relationship clear; otherwise, sharing of data between affiliates requires consumer choice.

  • Cross channel marketing—including across platforms—is generally consistent with the context of the consumer’s interaction. In this practice, a consumer who makes an in-store purchase receives, for example, a coupon or ad through the mail or electronically. Regardless of the means of contact, receipt of a message from a company with which the consumer has done business is likely to be consistent with the consumer’s relationship, and would not require any choice.

  • The Commission believes companies should improve the transparency of data enhancement. First-party marketers need not give consumers a choice before the data is enhanced with third party data, but should improve their disclosure of data enhancement practices, including disclosure of third party suppliers of data.

Collection of “Sensitive Data.” Companies should generally give consumers a choice before collecting “sensitive data” for first-party marketing. Sensitive data is defined, at minimum, to include data about children, health and financial information, Social Security numbers, and certain geolocation data. Companies that target teens should consider additional protections even where it may not be necessary to provide opt-in. Where a company’s business by definition targets customers based on sensitive data (e.g., health or financial services) the company should seek affirmative express consent (“opt-in”) from the consumer. The incidental collection of sensitive data, as with product recommendations from Amazon.com, need not provide choice.

Do Not Track. The Final Report reflects the FTC’s enthusiasm for Do Not Track mechanisms to allow consumers to opt out of online tracking. The Commission recognizes rapid and recent progress made in the industry, as with the evolution of the Digital Advertising Alliance’s tools, the W3C Internet standards efforts to create global Do Not Track standards, and more technical improvements by Mozilla and Microsoft in their respective browsers.

Nonetheless, the Commission finds much lacking in current Do Not Track technology options, and lists five characteristics any Do Not Track system must have to be effective: universal implementation; it must be easy to find, understand and use; it must be persistent through technical changes such as browser updates and cookie deletion; and it must be “comprehensive, effective and enforceable.” To satisfy the Commission, any mechanism should opt consumers out of behavioral tracking “through any means and not permit technical loopholes.” The Commission warns that legislation may be required to achieve what it views as adequate Do Not Track protection.

Elsewhere, however, the Final Report permits tracking for purposes such as internal operations, fraud prevention, legal compliance and first-party marketing. (The Chairman expressed his personal opinion that Do Not Track means “do not collect” and “do not advertise back,” a statement seemingly in conflict with the Final Report’s statement of permissible tracking without consent.)

Affirmative Consent. The Final Report requires affirmative express consent – opt-in by the consumer after disclosure of the practice – for material retroactive changes to privacy representations, such as those that led to FTC investigation and settlements with Facebook and Google. The only example provided is that a material change would mean sharing consumer information with third parties after committing at the time of collection not to share the data. “Material change” is otherwise undefined, left to case-by-case assessment and uncertainty.

Transparency. The Final Report amplifies the Staff Report’s recommendation that companies increase the transparency of data practices. The Department of Commerce will convene multi-stakeholder groups to work on privacy issues, and the Commission suggests that venue would be a useful forum for industry sectors to work together to develop more standardized, streamlined privacy policies and definitions.

As in the Staff Report, the Commission expressed particular concern with disclosures in the mobile industry, where small screens limit the consumer’s viewing experience. The Commission thus prioritizes a “Dot Com Disclosures” workshop for May 30, 2012 to address mobile privacy disclosures and how to make them short, effective, and accessible to consumers on a small screen.

Consumer Access to Data Including Data Brokers. Any company that maintains data profiles—including third party data brokers—is expected to provide consumers with access to retained data that is proportional to the sensitivity and the intended use of the data at issue. The Commission divides all entities into three categories: those that maintain data for marketing purposes; those that maintain data for non-marketing purposes that are not covered by the Fair Credit Reporting Act (FCRA); and those covered by the FCRA.

For companies that maintain data solely for marketing purposes – data brokers and marketing third parties -- the Commission requires individualized access and correction rights. These companies are expected to provide consumers with access to a list of the categories of data they hold, and allow them to suppress the use of such data for marketing. The Final Report also encourages these companies to find new ways to provide individualized access where feasible, as with Yahoo!’s Ad Interest Manager.

Companies not subject to the FCRA who use data for purposes in addition to marketing are covered by the Commission’s new “sliding scale” approach, where access to personal data is scaled to the use and sensitivity of the data. These companies should give consumers access to the types of information the companies maintain and disclose their sources of information, including data brokers. The Commission’s goal is to bring consumers closer to data brokers.

Companies that hold and use data for use by creditors, employers, and other benefits are often governed by the FCRA. But the Commission warned that companies which may think they are not subject to the FCRA -- like developers of mobile apps that compile public information on individuals -- could be bound to comply with the FCRA.

The Commission recommends legislation to establish procedures for consumer access to data broker information, like the Data Accountability and Trust Act, H.R. 2221, passed by the House on Dec. 8, 2009. Separately, the Commission recommends that data brokers explore a potential centralized database for consumers, which would allow consumers to identify the brokers and learn how they collect and use information. The Commission plans to investigate this further with industry members. It also generally supports exploration of the concept of an “eraser” button through which people – especially teens who may disclose personal information more impulsively – can delete content that they post online.

Next Steps

The Commission flags five action items for the coming year: work with industry to further implement Do Not Track mechanisms and standards; push mobile service providers to improve privacy protection; support legislation governing data brokers; explore privacy “and other issues” related to tracking of online consumer activity by providers of large Internet platforms, like ISPs, operating systems, browsers, and social media; and promote sector-specific codes of conduct.

Disclaimer

This advisory is a publication of Davis Wright Tremaine LLP. Our purpose in publishing this advisory is to inform our clients and friends of recent legal developments. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations.
