Yesterday's blockbuster Privacy Report released by the Federal Trade Commission (blog post here) is as important for the questions it asked of stakeholders in eliciting public comment as for the recommendations it appears to be making.
Since at least a portion of what will end up in the FTC's final report will depend on the comments it receives from now until January 31, 2011 in response to the questions posed, we will look at these in several posts. References to specific concepts are from the Report that you can access through our earlier blog post.
Let's start with questions posed on the scope of the privacy "framework" as proposed in the Report. The FTC is seeking specific comment to the following questions:
- Are there practical considerations that support excluding certain types of companies or businesses from the framework - for example, businesses that collect, maintain or use a limited amount of non-sensitive consumer data?
- Is it feasible for the framework to apply to data that can be "reasonably linked to a specific consumer, computer, or other device?"
- How should the framework apply to data that, while not currently considered "linkable" may become so in the future?
- If it is not feasible for the framework to apply to data that can be "reasonably linked to a specific consumer, computer, or other device," what alternatives exist?
- Are there reliable methods for determining whether a particular data set is linkable or may become linkable?
- What technical measures exist to "anonymize" data and are any industry norms emerging in this area?
Privacy by Design -- The Report suggests that business bake privacy into their organizations through such methods as reasonable safeguards, limited data collection, appropriate data retention periods, and steps to ensure accuracy of data.
The FTC asks for comment on:
- whether there are additional substantive privacy protections that companies should provide and how to achieve a balance between costs and benefits of such protections,
- whether the FTC should define the concept of "specific business purpose" or "need",
- retention periods.
More to follow.