FTC Privacy Framework Report – Key Takeaways and Significant Implications for Business From FTC's "Protecting Consumer Privacy in an Era of Rapid Change"

by Foley & Lardner LLP

[authors: Chanley T. Howell, Peter F. McLaughlin, Nancy L. Stagg]

On March 26th, the Federal Trade Commission (FTC) released a much-anticipated report reflecting the Commission’s views on what constitutes “best practice” for privacy protection, together with additional recommendations for future legislative action. While the report reflects much of the content of the preliminary report (December 2010), the FTC considered over 450 public comments before arriving at its final recommendations. While the report does not constitute a direct law or regulatory obligation for business, it reflects the Commission’s view on what is good or best practice, and all businesses would be wise to take these points into serious consideration for their current and future handling of personal information.

The privacy framework is divided into three main sections:

     •     Privacy by Design: Build in privacy at every stage of product development;

     •     Simplified Choice for Businesses and Consumers: Give consumers the ability to make decisions about their data at a relevant time and context, including through a Do Not Track mechanism, while reducing the burden on business of providing ‘unnecessary’ choices; and

     •     Greater Transparency: Make information collection and use practices transparent.

While providing this framework, the FTC continues its call for baseline privacy legislation at the federal level as well as data security legislation. The FTC renews its urging to businesses to “accelerate the pace of self-regulation” in five particular contexts or platforms:

     •     Do Not Track: While browser developers have tools to help consumers reduce or eliminate tracking, the FTC considers this and other efforts to be a good first step, but one that requires more. Commissioner Julie Brill has also stated publicly that she believes Do Not Track really means Do Not Collect. This remains a significant open item.

     •     Mobile: Effective notice and choice is even more difficult on a device with significantly smaller screens, and the FTC has initiated a project to develop further guidance about online disclosures.

     •     Data Brokers: While receiving significant attention elsewhere in the report, the FTC has recommended industry-specific legislation so that consumers would gain access to information that a data broker holds about them.

     •     Large Platform Providers: Those developing platforms such as web browsers, social networks, and Internet Service Providers are perceived as trying to collect as much information as possible online about individuals. In this area, often referred to as Online Behavioral Advertising, among other practices, the FTC anticipates future workshops to address what it perceives to be “comprehensive tracking.”

     •     Promoting Enforceable Self-Regulatory Codes: The FTC anticipates cooperating with the Commerce Department’s effort to develop industry-specific codes of conduct, which if adopted would be subject to the FTC’s continuing enforcement authority under Section 5 of the FTC Act against unfair and deceptive acts or practices.

With that introduction, we will provide a series of bullet points reflecting the 100+ pages of materials issued by the FTC so that readers will have more accessible summaries of key points.


     •     The framework applies to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device, unless:

            o          The entity collects only non-sensitive data

            o          From fewer than 5,000 consumers per year

            o          And does not share that data with third parties

     •     Concept of Proportionality. This reflects the FTC’s opinion that first party collection and use of non-sensitive data (data that is not a SSN or about financial, health, children’s or geolocation information) is less of a risk to consumers. This also reflects the FTC’s implicit adoption of the proportionality principle, proposed originally by our colleague Andrew Serwin in several papers.

     •     Exclusions for Existing Regulatory Frameworks. Businesses currently directly regulated by HIPAA, GLBA and similar regimes would not be subject to duplicative rules. However, to the extent that the FTC framework is a) not inconsistent with and b) more protective than the sectoral rules, the FTC encourages financial services, health providers, and others to adopt the framework guidance.

     •     Online and offline. The framework applies to personal information in any medium, specifically offline as well as online data.

     •     Personal Information that is Reasonably Linkable. The concept of personal information is expanded to include that which is reasonably linkable to a specific consumer, computer or device. The FTC notes that individual devices often can be associated with a specific consumer, even though that linkage may not be known to the collector of information from the device. The Commission also refers to a 2006 incident when AOL released what was intended to be anonymized search data, but was later determined to be detailed enough so that individual searchers could be identified. However, the FTC limits this to what is “reasonably linkable.”

     •     Data is not reasonably linkable to the extent that:

            o          The data set is not reasonably identifiable;

            o          The company publicly commits not to re-identify it; and

            o          The company requires any third parties using the data not to re-identify it.


     •     The baseline principle is that companies should develop new products and services, and revise existing ones, such that consumer privacy is rigorously incorporated throughout the product lifecycle and the organization.

            o          This would include default settings that are private, closed, or off instead of public, open, or on.

            o          The intention is to shift the burden of applying privacy controls away from consumers.

     •     These should be reflected in effective practices regarding data security, reasonable collection limits, suitable retention and disposal practices, and steps to ensure data accuracy.

            o          Referencing Section 5 of the FTC Act, the expectation is that companies must provide reasonable security for consumer data.

            o          The concept of data minimization or minimum collection is a relatively new one for most US companies. If you don’t need it, then don’t collect it. Don’t collect it simply because you think you might need or want it in the future.

     •     Comprehensive data management procedures would apply for the lifecycle of products and services.

            o          As has been seen in recent FTC consent orders, the Commission increasingly expects companies to develop and maintain a comprehensive information management (meaning privacy and security) program to help ensure appropriate protections for personal information.

            o          Firms should prioritize legacy data systems for remediation or Privacy by (Re)Design based on the sensitivity of the information held.


     •     Practices that do not require choice. Companies do not need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company’s relationship with the consumer, or are required or specifically authorized by law.

     •     For example, reasonable disclosures to delivery agents after purchasing a product or perhaps disclosures to reduce the risk of fraud.

     •     Context of the transaction / relationship between the consumer and the company. A key element of situations where consumer choice is not required involves focusing on the “context of the transaction.” That is, based on the context of the interaction between the business and consumer, is it reasonable to expect the consumer would understand the particular data practice to be part of and consistent with the overall relationship?

     •     Example. The Report gave the example of the purchase of an automobile. Using the consumer’s address to send a coupon for a free oil change, or notice of an upcoming sale on the type of tires that came with the car, or information about new models of the car, would all be consistent with the context of the transaction and the consumer’s relationship with the dealer. On the other hand, the dealership selling personal information to a data broker for selling to marketers would not be consistent with the transaction or the customer’s relationship with the dealership.

     •     Practices highlighted in the preliminary report are illustrative. In its preliminary report, the FTC provided five situations where consumer choice may not be required – fulfillment, fraud prevention, internal operations, legal compliance and public purpose, and most first-party marketing. The final Report uses the “context of the transaction” as the primary principle for determining whether choice is required. The FTC notes the examples from the preliminary Report may not be sufficient in every situation, but provide illustrative guidance where consumer choice would typically not be required. It is important to note that this moves in the opposite direction of European notice rules, which remain oriented toward greater detail.

     •     For example, the FTC noted that while improving existing products or services is typically an “internal operation” that would not require choice, repurposing and sharing data with third parties may very well remove the practice from being an “internal operation” consistent with the context of the consumer’s interaction with the company.

     •     First-party marketing generally does not require choice, but certain practices raise special concerns, such as tracking across third-party websites, sharing with unknown affiliates, data enhancement, and the use of sensitive data for first-party marketing.

     •     Tracking / Behavioral Advertising / Retargeting. The framework requires companies to provide consumers with a choice whether to be tracked across other parties’ websites. The FTC noted that tracking a consumer after the consumer leaves the company’s website is typically not consistent with the context of the consumer’s interaction with the company. Accordingly, where a company has a first-party relationship with a consumer on its own website, and it engages in third-party tracking of the consumer across other websites, the company should provide meaningful choice to the consumer. How this meaningful choice is to be implemented remains to be seen.

     •     Affiliates are third parties unless the affiliate relationship is clear to consumers. If the relationship is made clear to consumers, such as through common branding, the affiliate will not be considered a third-party. On the other hand, if the relationship is not visible to the consumer – for example an online publisher that also maintains an ad network that invisibly tracks consumers’ activities on the site – the affiliated ad network would be considered a third-party for purposes of choice.

     •     Cross-channel marketing is generally consistent with the context of a consumer’s interaction with the company. The Report finds that marketing to consumers through multiple channels (e.g. Internet, e-mail, mobile apps, text messaging or offline context) is generally consistent with the consumer’s relationship with the company. Tracking a consumer on third-party websites, however, would not be consistent, and choice should be required.

     •     Companies should implement measures to improve the transparency of data enhancement. The Report provides guidelines for adding data obtained from third-party sources to data collected by the company directly from the consumer. The FTC declined to require choice with respect to such enhancement; however, it noted that effective implementation of the framework’s other components should address privacy concerns (e.g. privacy by design, limiting data collection, limiting the length of time for retention of data, adopting reasonable security measures, providing choice when a company shares consumer data with a third party, etc.).

     •     Companies should generally give consumers a choice before collecting sensitive data for first-party marketing. The FTC defines sensitive data, at a minimum, as data about children, financial and health information, Social Security numbers, and certain geo-location data.

     •     Choice – For practices requiring choice, companies should provide choices at a time and in a context in which the consumer is making a decision about his or her data. While this concept is flexible, the FTC states that in most cases, providing choice before or at the time of collection will be necessary to gain consumers’ attention and ensure that the choice presented is meaningful and relevant. For example, if data is being submitted online, the consumer choice should be offered directly adjacent to where the consumer is entering his or her data.

     •     Take-it-or-leave-it choice for important products or services raises concerns when consumers have few alternatives. The FTC did not provide substantial detail on what constitutes an important product or service with few alternatives; however, it offered a patented medical device and broadband Internet access as two examples. The implications for ISPs are obvious; less obvious might be access to other Internet-based services perceived as ubiquitous.

     •     Businesses should provide a do not track mechanism to give consumers control over the collection of their web surfing data. The FTC noted the progress made to date regarding do not track, including browser-based solutions, self-regulatory efforts led by the Digital Advertising Alliance (DAA), and the World Wide Web Consortium (W3C). Accordingly, the FTC expects to see continued progress in this area as the DAA members and other key stakeholders continue discussions within the W3C process to work to reach consensus on an effective Do Not Track system in the coming months.

     •     Large platform providers that can comprehensively collect data across the Internet present special concerns. The FTC singles out for special attention ISPs, operating systems and browsers as these technologies are essentially able to track most if not all of a user’s online activities. The Report notes that while Google and Facebook are rapidly expanding their reach, they currently are not so widespread that they can track a consumer’s every movement across the Internet. Accordingly, the FTC is hosting a workshop in the second half of 2012 to explore privacy issues raised by all of these large platform providers.

     •     Companies should obtain affirmative express consent before making material retroactive changes to privacy representations. The FTC reaffirmed its commitment to this requirement noting the recent Google and Facebook settlements. A material change includes sharing consumer information with third parties after committing at the time of collection not to share the data or expanding the scope of these disclosures. Other situations require a case-by-case analysis based on the context of the consumer’s interaction with the business.

     •     Companies should obtain consumers’ affirmative express consent before collecting sensitive data. As noted above, sensitive information includes information about children, financial and health information, Social Security numbers and precise, individualized, geo-location data.


     •     Baseline principle: Companies should increase the transparency of their data practices.

     •     Prominence. The Report stressed that choices should be presented to consumers in a prominent, relevant and easily accessible place at a time and in a context when it matters to them.

     •     Clarity. The Commission calls on industry to make privacy statements shorter, clearer and more standardized; to give consumers reasonable access to their data; and to undertake to educate consumers as to how they collect, use and share their data.

     •     Major Principles:

            o          Simplification. Privacy notices should be clearer, shorter and more standardized to enable better comprehension and comparison of privacy policies.

            o          Access. Companies should provide reasonable access to the consumer data they maintain; the extent of the access should be proportionate to the sensitivity of the data and the nature of its use.

            o          Data Brokers. The FTC particularly focuses on data brokers, urging Congress to legislate with respect to establishing a procedure for consumers to access information held by data brokers. Additionally, the Commission recommended that data brokers explore the idea of creating a centralized website where they could identify themselves to consumers and describe how they collect consumer data and disclose the types of companies to which they sell the information.

            o          Teen Data. The FTC supports an “eraser button,” particularly for teens who can be more impulsive than adults, implementing the principle of the “right to be forgotten.”

            o          Consumer Education. All stakeholders should expand their efforts to educate consumers about commercial data privacy practices.


The Report concludes by recommending that Congress consider baseline privacy legislation while industry implements the final privacy framework through individual company initiatives and through strong and enforceable self-regulatory initiatives. The FTC notes there are a number of specific areas where policy makers have a role in assisting with the implementation of the self-regulatory principles that make up the privacy framework, and the Commission’s plans for the upcoming year reflect these.

     •     FTC Action Plan for the next year:

            o          Do Not Track. The Commission will work with privacy groups and industry to complete implementation of an easy-to-use, persistent, and effective Do Not Track system.

            o          Mobile privacy disclosures. On May 30, 2012, the FTC will hold a workshop to provide business guidance about online advertising disclosures.

            o          Data Brokers. The Commission supports introduction of targeted legislation to provide consumers with access to the information about them held by data brokers.

            o          Large Platform Providers. The FTC will hold a workshop in the latter half of 2012 to explore privacy and other issues related to comprehensive tracking by large platform providers (ISPs, operating systems, browser vendors and social media providers).

            o          Promote enforceable self-regulatory codes. The FTC will assist the Commerce Department in undertaking a project to facilitate the development of sector specific codes of conduct.

            o          Significance of Self-Regulatory Codes. To the extent that strong privacy codes are created through self-regulation, the FTC will view adherence to the codes favorably in connection with its law enforcement activities. The FTC will continue to enforce the FTC Act to take action against companies that engage in unfair or deceptive practices, including the failure to abide by the self-regulatory programs they join.

The Report is a wealth of information for businesses that collect personal information and must comply with data privacy laws. As the most comprehensive and concrete framework provided by the FTC to date, companies should use the Report as a roadmap for developing their privacy compliance programs and adapting existing privacy programs.
