FTC Issues Guidance on Consumer Data Protection
The Federal Trade Commission (FTC) has released a report recommending best business practices “to protect the privacy of American consumers and give them greater control over the collection and use of their personal data.” Titled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers,” the guidance reportedly expands on preliminary findings first issued in December 2010 and covered in Issue 374 of this Update.
In particular, the March 2012 report urges companies to protect consumer
privacy by (i) building protections into every stage of product design,
including “reasonable security for consumer data, limited collection and
retention of such data, and reasonable procedures to promote data accuracy”;
(ii) giving consumers a “Do Not Track” mechanism to opt out of data collection;
and (iii) providing greater transparency about the collection and use
of consumer information. Unlike the preliminary version, which applied its
framework to all businesses, the final report excludes smaller entities that
“collect and do not transfer only non-sensitive data from fewer than 5,000
consumers a year.” It also refines the guidance “for when companies should
provide consumers with choice about how their data is used,” stating that
companies need not provide this choice if the practice of collecting data is
consistent with the context of the transaction and the company’s relationship
with the consumer, “or as required or specifically authorized by law.”
In addition to encouraging industry “to accelerate the pace of its self-regulatory
measures,” FTC calls on Congress to enact privacy legislation that
would mandate greater transparency about data collection practices and give
consumers the right to access and dispute personal data held by information
brokers. In the meantime, however, the commission intends to promote
enforceable self-regulatory codes and “take action against companies that
engage in unfair or deceptive practices, including the failure to abide by the
self-regulatory programs they join.” To this end, the framework stipulates
five main action items that include the implementation of “an easy-to use,
persistent and effective Do Not Track system” and improvements to mobile
service privacy, but also address “the invisibility of… data brokers” as well as
issues related to comprehensive tracking instituted by large platforms, “such
as Internet Service Providers, operating systems, browsers, and social media.”
“If companies adopt our final recommendations for best practices—and many
of them already have—they will be able to innovate and deliver creative new
services that consumers can enjoy without sacrificing their privacy,” said FTC
Chair Jon Leibowitz in a March 26, 2012, press release. “We are confident that
consumers will have an easy to use and effective Do Not Track option by the
end of the year because companies are moving forward expeditiously to
make it happen and because lawmakers will want to enact legislation if they
don’t.” See The Wall Street Journal, March 28, 2012.