On December 1, 2010, the FTC issued a preliminary staff report proposing a framework for protecting the privacy of consumer data while also allowing for innovation of new products and services that utilize consumer information. The report, entitled "Protecting Consumer Privacy in an Era of Rapid Change — A Proposed Framework for Businesses and Policymakers," discusses three fundamental concepts: (i) privacy by design, (ii) simplified consumer choice, and (iii) greater transparency with respect to data collection and sharing practices. Somewhat scolding the industry, the report stated that industry efforts to address privacy through self-regulation "have been too slow, and up to now have failed to provide adequate and meaningful protection."

The report can be found on the FTC Web site (http://tinyurl.com/37ul4jv).

The aspect of the report getting the most attention is the FTC's recommendation of a "Do Not Track" mechanism, akin to the "Do Not Call" list but utilized to indicate that an individual does not want his or her Internet activity to be tracked. Rather than a true list, Do Not Track would be accomplished through a simple, easy-to-use mechanism, such as a setting on consumers' browsers enabling consumers to choose whether to allow the collection of data regarding their online searching and browsing activities.

In connection with the release of the report, FTC Chairman Joe Leibowitz indicated a clear intent for the FTC to exercise its enforcement muscle where necessary, stating the FTC "will take action against companies that cross the line with consumer data and violate consumers' privacy — especially when children and teens are involved."

The report notes that while most companies have privacy policies explaining their information practices, the policies are lengthy disclosures using legalistic terms that consumers rarely read and likely do not understand if they do. Simply put, the FTC believes today's privacy policies place too much burden on consumers to understand companies' data collection and sharing practices.

The first concept addressed in the report is "privacy by design," whereby companies build privacy protections into their everyday business practices. These types of protections include security for consumer data, limiting collection and retention of such data to the extent possible, and procedures to enhance data accuracy. Additionally, the report recommends that businesses implement and enforce privacy practices throughout the company, such as designating employees to be responsible for privacy, training, and undertaking privacy assessments for new products and services.

Second, the report discusses the concept of consumer choice: permitting consumers to have clear and effective choices regarding collection and sharing of their information before it is collected — not after it has been collected or after having to read a long, complicated privacy policy that may be difficult to find, and certainly difficult to understand. The report recognizes that certain practices are commonly accepted and should not require notice and choice. For example, consumers understand that their personal information must be used to process online payments, fulfill products and services that have been purchased, and for internal operations such as improving services, fraud prevention, and legal compliance. The report included first-party marketing in the bucket of commonly accepted practices — the practice of online retailers recommending products and services based on prior purchases from the retailer. The Do Not Track mechanism is an example of simplified choice for consumers.

Finally, the FTC recommends improving the transparency of data collection and sharing practices, such as standardized notices that allow consumers to compare privacy practices of various businesses. Privacy policies should be shorter and clearer. The FTC used the recently promulgated model financial privacy notices for compliance with the Gramm-Leach-Bliley Act as an example, and requested comments on the feasibility of standardizing the format and terminology for data collection, sharing, and privacy disclosures. Additionally, the report urges industry to provide consumers with appropriate access to their information, particularly for non-consumer-facing entities such as data brokers.

The report further recommends that industry undertake a comprehensive effort to educate consumers about information collection and sharing practices and the choices available to them. An important aspect of both choice and transparency is that companies must provide prominent disclosures and obtain opt-in consent before using consumer data in a materially different manner than claimed when the data was collected, posted, or obtained.

The report encourages all interested parties to submit written comments on the proposed framework by January 31, 2011. Among other things, the FTC staff asked how commonly accepted practices should be defined; whether choice could ever be offered on a take-it-or-leave-it basis, particularly for free e-mail and storage services; how a do-not-track system should be designed; the potential impact of a do-not-track system on both advertisers and consumers; and whether additional notice and choice systems should be explored in the context of social media, particularly for teenaged users.

For businesses, this is a call to action. Most businesses today collect information about their customers and potential customers online. Companies particularly affected by the report should consider submitting comments to the FTC. Specific questions are contained in Appendix A of the report (http://tinyurl.com/37ul4jv). A careful reading of the report is warranted so that businesses fully understand the FTC's current position (albeit in the form of proposed guidance) with respect to data collection practices. Finally, notwithstanding the fact that it is a proposal and will likely be modified in the future, it is clear that in some form or another, privacy and enforcement will continue to be squarely in the sights of the FTC. Accordingly, companies should ensure they are on the path to privacy by design by instilling an environment of sensitivity to data privacy and security practices throughout the organization.
