The U.S. Federal Trade Commission's recently proposed framework for offline and online businesses and policymakers may have a significant impact on entities that collect, maintain and use consumer data. The deadline for public comment is January 31, 2011.

On December 1, 2010, the U.S. Federal Trade Commission (FTC) issued its long-awaited preliminary privacy report Protecting Consumer Privacy in an Era of Rapid Change. As the culmination of three public consultations, the report proposes a new framework for offline and online businesses and policymakers, including Congress, as to how consumers' privacy should be protected. The revised framework is intended to guide Congress as they contemplate potential laws, as well as steer industry toward developing stronger self-regulations. Some consumer advocacy groups believe the report could be more robust, while businesses are grappling with the impact the proposed framework will have on their bottom line. The report poses a number of questions on which the FTC is seeking public comment by January 31, 2011.

Background

Section 5 of the FTC Act, which prohibits deceptive or unfair acts or practices, is the FTC's primary authority for protecting consumers' privacy. The FTC also enforces certain sector-specific privacy statutes including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act (which covers so-called financial institutions), the Children's Online Privacy Protection Act, the CAN-SPAM Act and the Do Not Call rule (authorized under the Telemarketing and Consumer Fraud and Abuse Prevention Act).

Historically the FTC has approached consumer privacy issues under Section 5 of the FTC Act using two models: the notice-and-choice model and the harm-based model. The notice-and-choice model is premised on providing notice to consumers about what information may be collected from them and how that information is used, then allowing consumers to choose or consent to how their information is used. This model gave rise to the privacy policies consumers encounter today. The FTC has brought a number of enforcement actions under Section 5 where companies failed to maintain the protections promised to consumers in their privacy policies.

Under the harm-based approach, the FTC focuses on practices that either cause or are likely to cause consumers some physical or economic harm. The FTC has brought dozens of cases against companies that allegedly failed to protect consumers' data by not taking appropriate and reasonable steps to protect their computer networks (e.g., by failing to remedy common security vulnerabilities or by failing to develop and maintain a computer security plan) or by not adequately disposing of consumer data.

The FTC has questioned both the notice-and-choice and harm-based models in recent years. The commission posits the notice-and-choice model has produced lengthy and dense privacy policies that do not lead to informed consumer choice, while the harm-based model has struggled to keep pace with technological innovations. The FTC has also been frustrated with the slow pace of industry self-regulation efforts. Against this backdrop, the FTC hosted a series of roundtables to discuss how to address these issues. The report is the product of the discussions during those roundtables.

The Report

The scope of the proposed framework is broad, encompassing both online and offline collection, maintenance and use of consumer data. The framework includes three elements: privacy by design, streamlined consumer choice and increased transparency for consumers.

First, privacy by design calls for companies to incorporate privacy protections throughout their business processes and organization. For example, entities should "bake" privacy into their data security practices, collecting only what is reasonably necessary for legitimate business purposes, not retaining consumer data any longer than reasonably necessary and ensuring the accuracy of collected data, especially where the data is used to deny some benefit to a consumer. The report counsels firms to implement thorough privacy programs, scaled to the risks presented by the firm's collection, maintenance and use of consumer data. The FTC is seeking comment on ways to incentivize companies to design privacy into their business operations, and how other industry participants, such as browser vendors, website operators and advertising companies, can contribute technologies designed to enhance consumer control.

The second element of the proposed framework suggests consumers should be given simplified choices regarding how their data may be used. Certain "commonly accepted practices," such as order fulfillment or fraud prevention, would not require consumer consent. However, for those practices that would require consent, the report suggests companies offer consumers choices about how their data is used at the point of collection of the data at issue. The FTC is seeking comment on the scope of commonly accepted practices and sensitive information, and the most effective mechanisms for gathering consumers' consent.

With respect to behavioral advertising, the FTC also supports the implementation of a uniform "do not track" mechanism to allow consumers to opt out of persistent tracking for targeted advertisements. This mechanism would not utilize a registry like the FTC's Do Not Call list, but likely would be a browser-based tool. The FTC is seeking comments regarding the form and breadth of such a do-not-track option, and the impact the do-not-track option may have on stakeholders including online publishers, advertisers and consumers.

The third element of the report's framework calls for greater transparency of companies' data practices. For example, privacy notices should be shorter, easier to understand and more standardized so that consumers are better informed and able to compare privacy policies across firms. The report also suggests companies such as third-party data brokers should provide access to the consumer data they maintain. Further, companies should alert consumers and obtain affirmative consent before using consumer data in a materially different way than claimed when the data was originally collected. The FTC is seeking comments on how to improve privacy policies, the scope and means of access to consumer data, and the types of changes to privacy policies that warrant disclosure.

Next Steps

The regulatory environment and firms' compliance obligations will not immediately change as a result of the report, but significant changes are on the horizon. In the short term, the report will further guide the broader discussion of how to address consumer privacy concerns in the face of a quickly evolving technological environment. The longer term impact of the report is less clear, though. The proposed framework is not by itself an enforcement mandate. However, companies can expect they will be subject to heightened scrutiny under the broad proposed framework if they do not take reasonable privacy protection measures scaled to the level of risk their privacy practices pose. Congress is generally receptive to consumer privacy protection concerns, and immediately following the report's release, held a hearing on the feasibility of potential do-not-track legislation. The Department of Commerce has also announced that it will release a "Green Paper" including privacy policy recommendations and a series of related questions.

While the FTC's report proposes a framework for addressing consumer privacy concerns, it poses more questions than answers for how to implement that framework. The wide scope of the proposed framework encompasses any online or offline entities that collect, maintain and use consumer data. As such, any potential regulatory changes will affect a wide variety of companies. If elements of the proposed framework, such as the do-not-track option, prove as popular with consumers as the FTC's Do Not Call list, many companies, including online publishers and advertisers, may experience a significant negative economic impact. Interested parties should consider responding to any of the report's more than 60 questions for comment on the proposed framework.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.