received over 450 comments from businesses, privacy advocates, and
consumers and claims that the final Report retains the basic
principles outlined previously, but claiming it makes several
important refinements. There's also a brief new video explaining the FTC's positions. Here
are the key take-aways from the final report:
Privacy by Design. Companies should build
privacy protections into their everyday business practices. That
includes limiting data collection and retention, securing the
information they hold on to, safely disposing of what they no
longer need, and implementing reasonable measures to ensure
information is accurate.
Simplified Choice. Companies should give
consumers a choice at a time and in a context that matters to
people. The preliminary report noted that choice shouldn't be
necessary for certain "commonly accepted practices." The
final Report concludes that choice needn't be provided for data
practices that people would expect, given the context of the
transaction, the company's relationship with the consumer, or
as required or specifically authorized by law.
Do Not Track. The Report also reaffirms the
Commission's strong support for Do Not Track.
Improved Transparency. Companies should
increase the transparency of their data practices by developing
clearer, more standardized privacy disclosures and could give
people reasonable access to their information.
Exemption of Small Businesses. To minimize the
effect on smaller companies, the final framework doesn't apply
to them if they collect only non-sensitive data from fewer than
5,000 consumers a year, provided they don't share the data with
"First, the Report is rooted in its insistence that the
"unfair" prong, rather than the "deceptive"
prong, of the Commission's Section 5 consumer protection
statute, should govern information gathering practices (including
"tracking"). "Unfairness" is an elastic and
elusive concept. What is "unfair" is in the eye of the
"Second, the current self-regulation and browser
mechanisms for implementing Do Not Track solutions may have
advanced since the issuance of the preliminary staff Report"
and the Report does not adequately take account of this
"I am concerned that "opt-in" will necessarily
be selected as the de facto method of consumer choice for a wide
swath of entities that have a first-party relationship with
consumers but who can potentially track consumers' activities
across unrelated websites, under circumstances where it is
unlikely, because of the "context" (which is undefined)
for such tracking to be "consistent" (which is undefined)
with that first-party relationship: 1) companies with multiple
lines of business that allow data collection in different contexts
(such as Google); 2) "social networks," (such as Facebook
and Twitter), which could potentially use "cookies,"
"plug-ins," applications, or other mechanisms to track a
consumer's activities across the Internet; and 3)
"retargeters," (such as Amazon or Pacers), which include
a retailer who delivers an ad on a third-party website based on the
consumer's previous activity on the retailer's
"I question the Report's apparent mandate that ISPs,
with respect to uses of deep packet inspection, be required to use
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Several US states have recently passed or proposed new or amended data breach notification laws, making a total of 47 states that now have laws requiring businesses to notify individuals when data security breaches compromise their personal information.