This post was written by Paul Bond, Chris Cwalina, Amy Mushahwar and Fred Lah.
The FTC just released its long-awaited Protecting Consumer Privacy in an Era of Rapid Change. This preliminary staff report proposes a major change in U.S. privacy law. The FTC is accepting comments on this report until January 31, 2011, and if you could be affected by these changes and would like to submit comments, or if you are considering submitting comments to the report (or perhaps you aren’t sure if you should), Rimon can help. While we are still reviewing the 123-page report in depth, we wanted to share a few thoughts from an initial reading.
The report proposes a major change in the framework of U.S. privacy law, stating bluntly: “Industry must do better.” The report notes, among other things:
- Notice-and-consent doesn’t work. People don’t read or understand privacy notices as now written. The Commission’s view is that privacy policies have become “long” and “incomprehensible.”
- Waiting for harm to consumers isn’t an effective way to enforce privacy norms. Harm has traditionally meant economic or physical harm. Privacy harms include reputational harms and even the emotional harm of having one’s information “out there,” or “fear of being monitored.” The new framework must address and allay these anxieties; however, there is some disagreement among the Commissioners. Commissioner J. Thomas Rosch, in his concurrence, notes “the Commission could overstep its bounds” if it were to begin analyzing these more intangible harms when assessing consumer injury.
- Industry self-regulation is too little, too late, and has failed to provide adequate and meaningful protection.
The report challenges a number of privacy and security assumptions. The report:
- Casts severe doubt on claims that de-identified information need not be protected, citing multiple instances and methods by which personally identifiable information (PII) can be culled from “non-name” information (e.g., IP addresses, other unique identifiers). The distinction between PII and non-PII is, the report says, “of decreasing relevance.” Consequently, the scope of the report is very broad and applies to “all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer or other device.“
- Purports to apply in the online and offline world, and not only to companies that work directly with consumers.
- Suggests that consumers must be made aware of and consent to onward transfers of information to non-affiliates no matter what the industry, universalizing the consumer notice requirements that previously only applied to certain highly regulated industries (e.g., telecommunications, education, health care, financial services), or certain types of sensitive data (e.g., credit data, bank accounts, medical records).
- Distinguishes between “commonly accepted data practices” and all other data practices. Borrowing from GLBA and HIPAA, using data to aid law enforcement, or in response to judicial process or to prevent fraud, would not require notice to or consent of consumers, but ALL other data practices (e.g., behavioral advertising and deep packet inspection that are explicitly named as not commonly accepted data practices) would require notice and consent in a form easy to read and understand, ideally provided to the consumer when the consumer enters his or her personal data. The report suggests opt-in consent be obtained prior to implementing any material changes to company policy that would apply to data collected under a prior privacy policy.
- Suggests that to promote a free and competitive market, the privacy practices of companies need to be more transparent to consumers, and that consumers be given “reasonable access” to their data.
- Notes that appropriate data-retention periods should be a legal requirement. The report sites geolocation data as especially important to phase out.
- Endorses a “Do Not Track” mechanism, recognizing that such a mechanism would be far more complex than the National Do Not Call registry. The FTC supports either legislation or self-regulatory efforts to develop a system whereby a consumer could opt not to be “tracked.” The FTC has expressed a distinction between “tracking” and “interest-based” advertising. And, in later discussions regarding the report, the FTC has stated that it will treat first-party advertising more favorably than third-party ad servers. The FTC has not decided on the technical mechanism for creating such a registry, but it recognizes a browser-based solution – similar to the privacy plug-in on the Firefox browser or incognito mode in Google Chrome. The FTC has not indicated if opt-in or opt-out would be the default browser setting for any browser privacy technology deployed.
So what should businesses do?
First, companies should carefully review the report and all the questions made open for public comment. These are listed in Appendix A to the report, but additional questions are posed in the Commissioner dissent statements.
Second, companies should strongly consider commenting on the report. In our experience, the FTC will listen and often address business concerns. But you must be heard. Trade associations are a good place to start, but individual company voices are important, especially if you have unique issues that should be addressed.
Third, now is a good time for you to pull back and consider your privacy policies, practices and programs, and the extent to which privacy is incorporated into your everyday business practices. The report suggests every company should adopt “privacy by design,” “building privacy protections into everyday business practices,” “assigning personnel to oversee privacy issues, training employees on privacy issues, and conducting privacy reviews when developing new products and services.”
You can read and obtain a copy of the FTC’s full report here.
If you need help, want more information, want to comment, or simply require some guidance – whether counsel or representation – in an area that is of critical importance to businesses and consumers, please don’t hesitate to contact Paul Bond, Chris Cwalina, Amy Mushahwar, Fred Lah or me, Joe Rosenbaum, or any of the Rimon attorneys with whom you regularly work.