U.S. Securities and Exchange Commission Proposes New Rule on Pay Disclosure
Privacy Client Alert: FTC Issues Preliminary Staff Report on Privacy
1. December 9, 2010 FTC Issues Preliminary Staff Report on Privacy
Privacy Client Alert
Privacy developments have been in the spotlight recently. On December 1, 2010, the
This Alert provides only Federal Trade Commission (FTC) issued its long-awaited draft staff privacy report,
general information and “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for
should not be relied upon as Businesses and Policymakers.” While only a “preliminary staff report,” this 122-page report
legal advice. We would be evidences the FTC staff’s current views on best practices in the privacy area, especially as
pleased to discuss our
they relate to online privacy and the use of consumer data. The draft report is available
experience and the issues
online.
presented in this Alert with
The FTC staff seeks comments on core issues raised by the draft report, including the
those contemplating
feasibility of a “Do Not Track” mechanism for online consumer behavior (such as
investments in these markets.
searching, purchases and browsing behavior), how to balance the needs of businesses
For more information, contact and the privacy interests of consumers. Comments may be submitted through January 31,
your Patton Boggs LLP 2011; a final report is expected late in 2011.
attorney or the authors listed
below. The agency’s draft staff report is both non-controversial and controversial. The basic
proposal for a new privacy framework is non-controversial and reflects good business
Deborah M. Lodge practices; however, some of the implementation suggestions – such as the “Do Not Track”
202-457-6030 concept – are controversial and will be hotly debated. The basic, non-controversial
dlodge@pattonboggs.com framework stresses the following:
Nick Allard
202-457-6465 • Privacy by Design – Companies should consider consumer privacy issues
nallard@pattonboggs.com throughout their business and implement controls and protection for sensitive
consumer data at every stage of their businesses.
• Simplified Choices – Companies should give consumers specific choices about
WWW.PATTONBOGGS.COM
how their data will be collected and used. Affirmative consent should be obtained if
a company wants to use or disclose the data for a purpose that differs from the
reasons for the original collection.
• Greater Transparency – Companies should make their collection and use of data
more transparent; consumers should be given access to their data. Privacy notices
should be standardized (as recently urged for Gramm Leach Bliley basic notices
for financial privacy).
In its recommendations the report does not distinguish between “personally identifiable
information” and general consumer data. Rather, it focuses more generally on “consumer
data” – which likely reflects the view that consumer data need not be drilled down to bank
account numbers or financial information in order to be connected to a particular person,
household or computer.
2. Fundamentally, the report reflects the “Fair Information Practice Principles” that have been
the cornerstone of government efforts to adopt adequate safeguards for protecting the
privacy of consumer data. The generally-recognized five core principles of privacy
protection are: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4)
Integrity/Security; and (5) Enforcement/Redress. While the FTC first embraced these
principles in 2000, some aspects of these principles – such as a consumer’s ability to
continually access data and to be given the opportunity to know how the data will be used
downstream – have never been fully adopted by most American businesses.
Other parts of the preliminary staff report are more controversial and have already been
the subject of Congressional hearings. They will be explored more deeply in the coming
months. The following suggestions are among the most controversial:
• “Do Not Track” – Perhaps the most controversial part of the preliminary report is
the FTC’s call for a “Do Not Track” mechanism. This would presumably give
consumers a way to “opt-out” of having their Internet behavior – browsing,
searching, purchasing, etc. – tracked and used for marketing purposes. Or possibly
to “opt-in” to having their online practices tracked. It is not yet clear how this would
work, what or who would be covered or what technologies would be used. In the
report, the FTC staff suggests that “Do Not Track” could be accomplished through
either legislation or “robust, enforceable, self-regulation.”
• Choice/Control – The FTC staff urges a better mechanism so that consumers will
be presented with specific options regarding the collection and use of their data,
and be given the opportunity to choose how their data will be used. These choices
should be presented in an understandable way and at the time the information is
sought. Under current law, companies are not generally required to give
consumers a choice in most circumstances (with specific exceptions for certain
sensitive data such as healthcare, credit and financial data). The draft report
proposes that aside from some “commonly accepted practices,” an effective choice
mechanism should be provided, and those choices honored throughout the “life” of
the data.
• Future Control – Another controversial issue is the FTC staff’s suggestion that
companies continually watch and review consumer preferences and seek
additional affirmative express permission to use the consumer data for uses that
were not anticipated or disclosed when the data was initially collected. This topic
raises the issue of downstream control and whether there are effective
mechanisms for sellers and others that collect the data to even know the spectrum
of potential downstream uses of the data.
• Special Data – The draft report invites comments about whether certain kinds of
data warrant special treatment – such as information about children, financial and
medical information. Some of these categories already receive special protections
under current law. The report posits that companies should seek “affirmative
express consent” before collecting or using such sensitive data. It also seeks
comments on whether teens need special online privacy protections (such as the
Children’s Online Privacy Protection Act requires for children under 13), and
whether geo-physical data should have more specific and narrow collection, use
and deletion parameters.
3. The draft report will likely generate significant debate over additional controversial issues,
including fundamental points of consumer expectations and the FTC’s proper role, as a
cheerleader and/or enforcement cop, in helping the business community to balance those
expectations with business needs and technical possibilities.
Some of those more philosophical issues were highlighted by two FTC commissioners
who issued separate concurring statements on the draft staff report. While both supported
the issuance of the report, Commissioner William Kovacic (a Republican who chaired the
commission from March 2008 to March 2009) expressed concern that some of the staff’s
recommendations – especially the “Do Not Track” proposal – are premature and should be
preceded by a fuller study of consumer expectations for privacy and a fuller contextual
study of privacy concepts and frameworks. Commissioner J. Thomas Rosch questioned
whether the report’s call for a revised enforcement framework – replacing “notice” or
“harm” paradigms with more “choice-based” concepts – was needed or feasible. In his
view, many of the staff’s concerns with current privacy practices could be addressed
effectively under the current FTC framework of regulating deceptive and unfair practices
that result in harm to consumers.
On December 2, 2010, the day after the draft staff report was released, the House
Commerce Subcommittee of Commerce, Trade and Consumer Protection held a hearing
titled, “Do Not Track Legislation: Is Now the Right Time?” Representatives from the
government, consumer advocacy groups, technology think tanks and industry testified on
the need for, and feasibility of, the “Do Not Track” mechanism proposed by the draft
report. The participants debated whether the proposal would be an intrusive and
burdensome governmental imposition on the freedom of the Internet, whether the industry
– primarily online sellers, marketers, and search engines – could and would propose
effective self-regulation solutions and whether consumer expectations about privacy were
fundamentally not being met.
The debate is far from over and will affect many aspects of our online lives. The debate is
caused by current data tracking and mining possibilities – which are both blessings and
curses of the Internet and technological innovation. That same technology will likely lead
to additional innovations with feasible solutions, more control over individual’s personal
and behavioral data and probably even more intrusive “Big Brother is watching”
possibilities. Additional perspective is expected when the Department of Commerce’s
Internet Policy Task Force issues its proposed framework for an updated approach to
privacy (likely late in 2010 or early 2011).
We urge businesses to heed the FTC’s call for comments. The FTC staff’s review will be
better informed and will be more likely to reflect marketplace realities if they hear from
online businesses about commercial needs for consumer data, the benefits of targeted
marketing and the economic realities of the free Internet. We would be pleased to address
any questions concerning the FTC staff report, the comments sought by the FTC and
privacy practices and procedures in general.
WASHINGTON DC | NORTHERN VIRGINIA | NEW JERSEY | NEW YORK | DALLAS | DENVER | ANCHORAGE
DOHA, QATAR | ABU DHABI, U.A.E.