received over 450 comments from businesses, privacy advocates, and
consumers and claims that the final Report retains the basic
principles outlined previously, but claiming it makes several
important refinements. There's also a brief new video explaining the FTC's positions. Here
are the key take-aways from the final report:
Privacy by Design. Companies should build
privacy protections into their everyday business practices. That
includes limiting data collection and retention, securing the
information they hold on to, safely disposing of what they no
longer need, and implementing reasonable measures to ensure
information is accurate.
Simplified Choice. Companies should give
consumers a choice at a time and in a context that matters to
people. The preliminary report noted that choice shouldn't be
necessary for certain "commonly accepted practices." The
final Report concludes that choice needn't be provided for data
practices that people would expect, given the context of the
transaction, the company's relationship with the consumer, or
as required or specifically authorized by law.
Do Not Track. The Report also reaffirms the
Commission's strong support for Do Not Track.
Improved Transparency. Companies should
increase the transparency of their data practices by developing
clearer, more standardized privacy disclosures and could give
people reasonable access to their information.
Exemption of Small Businesses. To minimize the
effect on smaller companies, the final framework doesn't apply
to them if they collect only non-sensitive data from fewer than
5,000 consumers a year, provided they don't share the data with
"First, the Report is rooted in its insistence that the
"unfair" prong, rather than the "deceptive"
prong, of the Commission's Section 5 consumer protection
statute, should govern information gathering practices (including
"tracking"). "Unfairness" is an elastic and
elusive concept. What is "unfair" is in the eye of the
"Second, the current self-regulation and browser
mechanisms for implementing Do Not Track solutions may have
advanced since the issuance of the preliminary staff Report"
and the Report does not adequately take account of this
"I am concerned that "opt-in" will necessarily
be selected as the de facto method of consumer choice for a wide
swath of entities that have a first-party relationship with
consumers but who can potentially track consumers' activities
across unrelated websites, under circumstances where it is
unlikely, because of the "context" (which is undefined)
for such tracking to be "consistent" (which is undefined)
with that first-party relationship: 1) companies with multiple
lines of business that allow data collection in different contexts
(such as Google); 2) "social networks," (such as Facebook
and Twitter), which could potentially use "cookies,"
"plug-ins," applications, or other mechanisms to track a
consumer's activities across the Internet; and 3)
"retargeters," (such as Amazon or Pacers), which include
a retailer who delivers an ad on a third-party website based on the
consumer's previous activity on the retailer's
"I question the Report's apparent mandate that ISPs,
with respect to uses of deep packet inspection, be required to use
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
On Friday, November 13, Federal Trade Commission ("FTC" or the "Commission") Chief Administrative Law Judge ("ALJ") D. Michael Chappell issued an Initial Decision in In the Matter of LabMD, Inc. (FTC Docket No. 9357), dismissing the Commission's Complaint against LabMD, Inc. ("LabMD"), upon a finding that the FTC had failed to "demonstrate a likelihood that [LabMD's] computer network will be breached in the future and cause substantial computer injury."
Whether you are in-house counsel or external counsel, upon first hearing of a massive data breach affecting your client, your first reaction will likely be at least a twinge of panic. So first, take a deep breath and calm down.
Anthony Albanese, the head of the New York Department of Financial Services, issued a letter to more than 20 federal and state regulators outlining proposed cybersecurity regulations for banks and insurance companies operating in New York.
High-profile data breaches seem to hit the headlines almost every day. These breaches have proved terrifying for many companies, particularly as the attackers release embarrassing emails and other information.