United States: FTC’s Proposed Framework for the Protection of Consumer Privacy: A Signal of Expanded Regulation and FTC Oversight?

Last Updated: January 21, 2011
Article by Michael R. Egger

On December 1, 2010, the Federal Trade Commission ("FTC") released a report entitled "Protecting Consumer Privacy in an Era of Rapid Change" (the "FTC Report"), available at http://www.ftc.gov/os/2010/12/101201privacyreport.pdf. The FTC Report, which proposes a new framework for protecting consumer privacy, is intended to inform policymakers, as they develop policies and enact privacy-related laws, and to guide and motivate businesses, as they develop and implement best practices and self-regulatory guidelines. The FTC Report raises numerous very interesting and complex policy and practical questions for which the FTC is seeking comment by January 31, 2011. The FTC intends to issue a final report later this year.


While acknowledging that companies are using consumer information in new ways to make available innovative products and services, and that many of these companies manage consumer information responsibly, the FTC Report expresses concern that some companies appear to treat consumer information in an irresponsible or reckless manner. The FTC Report describes the myriad ways in which information regarding consumers' purchasing behavior, online browsing habits and other activities is collected, analyzed, combined, aggregated, used and shared. Although the FTC Report acknowledges that some consumers may be aware of these practices and accept them as a tradeoff for access to innovative products and services, the FTC Report cites concern for those consumers who may not be fully aware of the extent to which discrete items of their information are shared, compiled and aggregated, and for those consumers who fail to understand and appreciate the potential consequences and risks arising from these practices.


The proposed framework would apply to all commercial entities that collect, maintain, share or otherwise use consumer information that can be reasonably linked to a specific consumer, computer or other device, even if the consumer information does not constitute what would traditionally be considered personally identifiable information ("PII"). The broad scope derives in part from the continuing loss of a distinction between PII and non-PII, resulting from technology changes and the ability to re-identify consumers from supposedly anonymous data. The broad scope is designed to encompass both online and offline entities that collect consumer information, regardless of whether such entities directly interact with consumers. The FTC Report acknowledges that further thought needs to be given to defining exceptions from the framework for certain types of businesses, e.g., businesses that collect, maintain or use a limited amount of non-sensitive consumer information.


The proposed framework consists of the following three components:

  • Privacy by Design: Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.
  • Simplified Choice: Companies should simplify and streamline the manner in which they provide choices to consumers as to the collection, use and sharing of their information.
  • Greater Transparency: Companies should increase the transparency of their practices with respect to the collection, use and sharing of consumer information.


The FTC Report urges companies to incorporate certain substantive privacy and security protections into their routine business operations and to consider privacy issues at all stages of the development of their products and services. These privacy and security protections are based on the following four principles:

Reasonable Safeguards. Companies should employ reasonable safeguards to protect the consumer information that they maintain, including physical, technical and administrative safeguards. What safeguards are appropriate would depend on the sensitivity of the information, the size and nature of a company's business operations, and the types of risks a company faces.

Scope of Collection. Companies should give due consideration to their information collection practices to ensure that they collect only the information needed to fulfill a specific, legitimate business need. Limiting the scope of collection decreases the risk of unauthorized access as well as the potential harm that could result from such access.

Data Retention. Companies should implement reasonable and appropriate data retention periods so that they store consumer information only for as long as they have a specific and legitimate business need to do so. Having more reasonable and appropriate retention periods is intended to mitigate the risk of companies using stored information in ways that consumers did not anticipate when they provided the information, and to reduce the attractiveness of databases of consumer information as targets for identity thieves.

Data Accuracy. Companies should take reasonable steps to ensure the accuracy of the data they collect, particularly if such data could be used to deny consumers benefits or cause significant harm. For example, some data brokers sell identity verification services to both public and private entities, and if any such data is erroneous and does not match the identifying information presented by a consumer, the consumer can suffer economic or other harm.

To ensure that these four principles are properly incorporated into their business models, the FTC Report urges companies to develop and implement comprehensive privacy programs and to designate specific personnel with responsibility for employee privacy training and for promoting accountability for privacy policies throughout the organization. Companies should also conduct periodic reviews of their internal policies to address changes in their business or other privacy-related developments that may require modifying their practices or privacy policy. The FTC Report indicates support for the use of identity management, data tagging tools, Transport Layer Security/Secure Sockets Layer or other privacy-enhancing technologies to establish and maintain strong privacy policies.


The FTC Report urges companies to present choices to consumers regarding the collection, use and sharing of their information in a simpler and more streamlined manner. For certain common business practices that are deemed to be obvious from the context of the transaction or that are sufficiently accepted or necessary for public policy reasons, "simplified choice" actually means that companies need not request consent from consumers to engage in them. These common business practices, referred to as "commonly accepted practices," are as follows:

Product and Service Fulfillment. Websites routinely collect consumers' contact information and credit card payment information in order to process and fulfill consumers' orders.

Internal operations. Hotels and restaurants collect customer satisfaction surveys to improve their customer service. Websites collect information about visits and click-through rates to improve site navigation.

Fraud prevention. Retailers' efforts to prevent fraud include checking drivers' licenses, employing fraud detection services and scanning ordinary web server logs.

Legal compliance and public purpose. Search engines, mobile applications, and pawn shops share their customer data with law enforcement agencies in response to subpoenas. Businesses report a consumer's delinquent account to credit bureaus.

First-party marketing. Retailers recommend products and services based upon consumers' prior purchases on the website or at an offline retail store.

As to all other business practices for which consumer consent is required, the FTC Report urges that choices be presented clearly and concisely, taking into account that both the context and the timing of presenting choices have an impact on consumer understanding. For companies with relationships with consumers, e.g., online retailers, choices should be presented when the consumer is requested to provide any personal information. The FTC Report queries whether some form of enhanced consent should be required for sensitive information and sensitive users, e.g., requiring affirmative express consent from children, particularly teens, and for financial and medical information and precise geolocation data.

The FTC Report addresses the challenges of ensuring that consumers have meaningful choice with respect to the collection of information by companies that do not directly interact with consumers. These companies, commonly referred to as information or data brokers, may be unable to present choices at the point of collection or use of consumer information.

The FTC Report also devotes considerable attention to the high-profile issue of behavioral advertising. Although it acknowledges the development of certain tools to enable consumers to better control the use of their information for behavioral advertising, and efforts by industry to develop self-regulatory guidelines and an opt-out mechanism for behavioral advertising, the FTC Report states that efforts to implement an effective mechanism for choice on an industry-wide basis have fallen short. Consequently, the FTC Report indicates support for a more uniform and comprehensive mechanism, sometimes referred to as "Do Not Track." As conceived, this mechanism would involve the placement of a persistent setting, similar to a cookie, on the consumer's browser signaling the consumer's choices about being tracked and receiving targeted advertisements.

Greater Transparency

The proposed framework calls for several measures directed at making more transparent to consumers companies' practices with respect to the collection, use and sharing of consumer information. Specifically, in order to improve the ability of consumers to compare practices across companies, the FTC Report calls for companies to make privacy policies more uniform, perhaps using standardized forms and terminology, much shorter in length, and written more simply in a manner that consumers will be better able to understand. The FTC Report also urges companies to provide consumers with reasonable access to their information, while acknowledging that requiring such access raises concerns as to the cost of providing access, the ability of companies to authenticate the identity of consumers requesting access, and the potential privacy threats of requiring access. In order for companies' efforts to provide consumers with simplified choice and greater transparency to be meaningful, companies must provide prominent disclosure and obtain express affirmative consent for any material changes to their privacy policy that would apply retroactively to any information previously collected. Finally, it is proposed that stakeholders undertake accelerated efforts to educate consumers about commercial data practices and the choices available to them.


The FTC Report raises some very complex policy and practical issues regarding consumer privacy. Those companies whose businesses rely on the collection, compilation, aggregation, sharing or use of consumer information should closely track the FTC's further development of the proposed framework as the FTC considers input and feedback from individual businesses, industry, consumer groups, academics and government. It seems likely that some changes are imminent, some of which may be significant.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
