Bill Stevens is as a trial lawyer in our Chicago office
On March 26, 2012, the Federal Trade Commission (FTC), the nation's chief privacy policy and enforcement agency, issued recommendations to businesses and policymakers for the protection of consumer privacy. The recommendations apply to all commercial entities that collect or use online or offline consumer data that are or can be linked to a specific consumer, computer or other devices other than commercial entities that collect non-sensitive data from fewer than 5,000 consumers per year and do not share data with third parties. While the FTC's recommendations are not enforceable, as such, they reflect FTC policy for purposes of unfair and deceptive trade practice actions.
Generally, the FTC's recommendations state that companies that collect and maintain consumer data should issue privacy notices to consumers that are clear, short and standardized, and provide consumers with simplified choices about the company's use of their personal data at a time and in a context that is relevant to the consumer's decision. If the data are sensitive, such as information about children, financial and health information, Social Security numbers, or are used in a materially different manner than claimed when the data were collected, advanced express affirmative consent should be obtained before collecting or using such information.
Considerations for Your Business
Companies that collect and maintain consumer data should adopt privacy programs that identify the personnel responsible for maintaining the company's privacy program, assess the risk of disclosure or improper use of the data, implement controls addressing such risks, and provide for appropriate oversight and regular evaluation, testing and monitoring of such controls.
Companies also should incorporate substantive privacy practices and procedures into their data management practices, such as measures to ensure data accuracy and security, reasonable collection limits and sound retention and disposal practices. These protections should be maintained throughout the life cycle of the company's products and services.
In addition, consumers should be provided with reasonable access to their consumer data proportionate to the sensitivity of the data and the nature of its use. Companies that maintain consumer data solely for marketing purposes should, at the least, provide consumers with access to a list of the categories of data held and an ability to suppress the use of such data, while companies that assemble and evaluate consumer information for use by creditors, employers, insurance companies and companies involved in various types of eligibility decisions should provide consumers with notice, access and correction rights.
FTC Recommendations
The FTC's recommendations addressed the following specific topics:
Do Not Track. The FTC will work with industry and Congress to adopt "Do Not Track" systems relative to online browsing and to develop consumer tools to control the collection and use of their online browsing data.
Mobile Service Providers. Companies providing mobile services should work toward improved privacy protections, including the development of short, meaningful online privacy disclosures. The FTC will host a workshop on May 30, 2012, to address these issues and promote industry self-regulation.
Data Brokers. The FTC supports targeted legislation providing consumers with access to their personal information held by a data broker, and it calls on data brokers to explore the creation of a centralized website for use by consumers that identifies data brokers, describes how data brokers collect and use consumer data, and details consumer rights to access personal data possessed by data brokers.
Large Platform Providers. The FTC will host a public workshop during the second half of 2012 to explore privacy issues in connection with Internet Service Providers, which have access to vast amounts of unencrypted data that their customers send or receive over their networks; operating systems and browsers, which track online consumer activity; and cookies and social widgets, which track consumers across social media.
Self-Regulatory Codes. The FTC is participating in the Department of Commerce's project to facilitate the development of sector-specific self-regulatory codes of conduct relative to consumer privacy. The FTC will view a company's adherence to privacy codes favorably and will take action against a company that fails to abide by the self-regulatory code it adopted.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
