The Federal Trade Commission (FTC) has just released its long-awaited (and 123-page long) report on consumer privacy: "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers" (the "Report").
This Report is the result of a year-long effort by the FTC, through a series of roundtables, to explore the privacy issues and challenges associated with 21st century technology and business practices. According to the Report, "many companies -- both online and offline -- do not adequately address consumer privacy issues. Industry must do better."
The Report proposes a new framework for addressing the commercial use of consumer data which builds upon the current so-called "notice-and-choice" and "harm-based" models of consumer privacy, the FTC's law enforcement experience, and the record from the roundtables. This new framework (the "Framework") would apply "broadly" to online and offline commercial entities "that collect, maintain, share, or otherwise use consumer data that can be reasonably linked to a specific consumer, computer or device."
The three main components of the Framework are:
1) Companies should adopt a "privacy by design" approach -- The Framework suggests that companies should build privacy into their everyday business practices, including such practices that provide reasonable security for consumer data, collecting only the data needed for a specific business purpose, retaining the data only as long as necessary to fulfill that purpose, safely disposing of data no longer being used, and implementing reasonable procedures to promote data accuracy.
2) Companies should simplify the choices presented to consumers about data practices -- The Framework proposes that consumer choice not be required for data practices that are "commonly accepted," but otherwise, consumers should be able to make informed and meaningful choices. Importantly, the Framework suggests that "this may entail a 'just-in-time' approach, in which the company provides the consumer with a choice at the point the consumer enters his personal data or before he accepts a product or service." Further, the Report states: "The most practical method of providing such universal choice would likely involve the placement of a persistent setting, similar to a cookie, on the consumer's browser signaling the consumer's choices about being tracked and receiving targeted ads. Commission staff supports this choice, sometimes referred to as 'Do-Not-Track'".
3) Proposal of a number of measures that companies should take to make data practices more transparent to consumers - these measures include (a) review and improvement of privacy policies to make them more clear, concise and easy-to-read, (b) providing consumers with reasonable access to the data that companies maintain about them, with particular mention of data brokers, (c) provide "robust notice" and obtain affirmative consent for material, retroactive changes to data collection policies (note that this does not only apply to published privacy policies), and (d) undertake a broad effort to educate consumers about commercial data practices and the choices available to them.
The Commission staff is seeking comment on the Framework by January 31, 2011.
We will have more on the details of the Framework in coming posts.
(Added 12:10 pm) The Commission's press release can be found here.