Privacy Client Alert: FTC Issues Preliminary Staff Report on Privacy
December 9, 2010 FTC Issues Preliminary Staff Report on PrivacyPrivacy Client Alert Privacy developments have been in the spotlight recently. On December 1, 2010, the This Alert provides only Federal Trade Commission (FTC) issued its long-awaited draft staff privacy report, general information and “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for should not be relied upon as Businesses and Policymakers.” While only a “preliminary staff report,” this 122-page report legal advice. We would be evidences the FTC staff’s current views on best practices in the privacy area, especially as pleased to discuss our they relate to online privacy and the use of consumer data. The draft report is available experience and the issues online. presented in this Alert with The FTC staff seeks comments on core issues raised by the draft report, including the those contemplating feasibility of a “Do Not Track” mechanism for online consumer behavior (such as investments in these markets. searching, purchases and browsing behavior), how to balance the needs of businesses For more information, contact and the privacy interests of consumers. Comments may be submitted through January 31, your Patton Boggs LLP 2011; a final report is expected late in 2011. attorney or the authors listed below. The agency’s draft staff report is both non-controversial and controversial. The basic proposal for a new privacy framework is non-controversial and reflects good business Deborah M. Lodge practices; however, some of the implementation suggestions – such as the “Do Not Track” 202-457-6030 concept – are controversial and will be hotly debated. The basic, non-controversial email@example.com framework stresses the following: Nick Allard 202-457-6465 • Privacy by Design – Companies should consider consumer privacy issues firstname.lastname@example.org throughout their business and implement controls and protection for sensitive consumer data at every stage of their businesses. • Simplified Choices – Companies should give consumers specific choices about WWW.PATTONBOGGS.COM how their data will be collected and used. Affirmative consent should be obtained if a company wants to use or disclose the data for a purpose that differs from the reasons for the original collection. • Greater Transparency – Companies should make their collection and use of data more transparent; consumers should be given access to their data. Privacy notices should be standardized (as recently urged for Gramm Leach Bliley basic notices for financial privacy). In its recommendations the report does not distinguish between “personally identifiable information” and general consumer data. Rather, it focuses more generally on “consumer data” – which likely reflects the view that consumer data need not be drilled down to bank account numbers or financial information in order to be connected to a particular person, household or computer.
Fundamentally, the report reflects the “Fair Information Practice Principles” that have beenthe cornerstone of government efforts to adopt adequate safeguards for protecting theprivacy of consumer data. The generally-recognized five core principles of privacyprotection are: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4)Integrity/Security; and (5) Enforcement/Redress. While the FTC first embraced theseprinciples in 2000, some aspects of these principles – such as a consumer’s ability tocontinually access data and to be given the opportunity to know how the data will be useddownstream – have never been fully adopted by most American businesses.Other parts of the preliminary staff report are more controversial and have already beenthe subject of Congressional hearings. They will be explored more deeply in the comingmonths. The following suggestions are among the most controversial: • “Do Not Track” – Perhaps the most controversial part of the preliminary report is the FTC’s call for a “Do Not Track” mechanism. This would presumably give consumers a way to “opt-out” of having their Internet behavior – browsing, searching, purchasing, etc. – tracked and used for marketing purposes. Or possibly to “opt-in” to having their online practices tracked. It is not yet clear how this would work, what or who would be covered or what technologies would be used. In the report, the FTC staff suggests that “Do Not Track” could be accomplished through either legislation or “robust, enforceable, self-regulation.” • Choice/Control – The FTC staff urges a better mechanism so that consumers will be presented with specific options regarding the collection and use of their data, and be given the opportunity to choose how their data will be used. These choices should be presented in an understandable way and at the time the information is sought. Under current law, companies are not generally required to give consumers a choice in most circumstances (with specific exceptions for certain sensitive data such as healthcare, credit and financial data). The draft report proposes that aside from some “commonly accepted practices,” an effective choice mechanism should be provided, and those choices honored throughout the “life” of the data. • Future Control – Another controversial issue is the FTC staff’s suggestion that companies continually watch and review consumer preferences and seek additional affirmative express permission to use the consumer data for uses that were not anticipated or disclosed when the data was initially collected. This topic raises the issue of downstream control and whether there are effective mechanisms for sellers and others that collect the data to even know the spectrum of potential downstream uses of the data. • Special Data – The draft report invites comments about whether certain kinds of data warrant special treatment – such as information about children, financial and medical information. Some of these categories already receive special protections under current law. The report posits that companies should seek “affirmative express consent” before collecting or using such sensitive data. It also seeks comments on whether teens need special online privacy protections (such as the Children’s Online Privacy Protection Act requires for children under 13), and whether geo-physical data should have more specific and narrow collection, use and deletion parameters.
The draft report will likely generate significant debate over additional controversial issues, including fundamental points of consumer expectations and the FTC’s proper role, as a cheerleader and/or enforcement cop, in helping the business community to balance those expectations with business needs and technical possibilities. Some of those more philosophical issues were highlighted by two FTC commissioners who issued separate concurring statements on the draft staff report. While both supported the issuance of the report, Commissioner William Kovacic (a Republican who chaired the commission from March 2008 to March 2009) expressed concern that some of the staff’s recommendations – especially the “Do Not Track” proposal – are premature and should be preceded by a fuller study of consumer expectations for privacy and a fuller contextual study of privacy concepts and frameworks. Commissioner J. Thomas Rosch questioned whether the report’s call for a revised enforcement framework – replacing “notice” or “harm” paradigms with more “choice-based” concepts – was needed or feasible. In his view, many of the staff’s concerns with current privacy practices could be addressed effectively under the current FTC framework of regulating deceptive and unfair practices that result in harm to consumers. On December 2, 2010, the day after the draft staff report was released, the House Commerce Subcommittee of Commerce, Trade and Consumer Protection held a hearing titled, “Do Not Track Legislation: Is Now the Right Time?” Representatives from the government, consumer advocacy groups, technology think tanks and industry testified on the need for, and feasibility of, the “Do Not Track” mechanism proposed by the draft report. The participants debated whether the proposal would be an intrusive and burdensome governmental imposition on the freedom of the Internet, whether the industry – primarily online sellers, marketers, and search engines – could and would propose effective self-regulation solutions and whether consumer expectations about privacy were fundamentally not being met. The debate is far from over and will affect many aspects of our online lives. The debate is caused by current data tracking and mining possibilities – which are both blessings and curses of the Internet and technological innovation. That same technology will likely lead to additional innovations with feasible solutions, more control over individual’s personal and behavioral data and probably even more intrusive “Big Brother is watching” possibilities. Additional perspective is expected when the Department of Commerce’s Internet Policy Task Force issues its proposed framework for an updated approach to privacy (likely late in 2010 or early 2011). We urge businesses to heed the FTC’s call for comments. The FTC staff’s review will be better informed and will be more likely to reflect marketplace realities if they hear from online businesses about commercial needs for consumer data, the benefits of targeted marketing and the economic realities of the free Internet. We would be pleased to address any questions concerning the FTC staff report, the comments sought by the FTC and privacy practices and procedures in general.WASHINGTON DC | NORTHERN VIRGINIA | NEW JERSEY | NEW YORK | DALLAS | DENVER | ANCHORAGE DOHA, QATAR | ABU DHABI, U.A.E.