As we've discussed here since December (here, here), the Federal Trade Commission has been in a public comment period for its Privacy Framework. The comment period closed last Friday, and more than 400 comments were filed by individuals, government agencies (both US and international) and industry groups and representatives. Over the next few days, we'll review and summarize the comments received.
MASSACHUSETTS ATTORNEY GENERAL AUTHORS COMMENT LETTER ON BEHALF OF 14 STATES
Written by Stu Eaton
Massachusetts Attorney General Martha Coakley filed a comment letter with the FTC, on behalf of the Attorneys General of fourteen other states (the “States”). The States’ comment focused on three of the questions raised in Appendix A of the Privacy Report regarding: (i) whether companies should provide substantive privacy protections in addition to those set forth in the report; (ii) the scope of the definition of sensitive information and sensitive users; and (iii) whether the FTC should explore additional protections in the context of social media services.
The States also argued that any federal laws or regulations protecting consumer privacy should not preempt states from enforcing their own laws and regulations. As you'll recall, Massachusetts has one of the toughest sets of data security regulations in the country.
Notably absent from the proceedings was the California Office of Privacy Protection, which said it lacked the resources to prepare a comment but, after being contacted by Mintz Levin, explained that it approved of the FTC’s apparent effort to resurrect the forgotten Fair Information Practice Principles that would provide consumers with meaningful choices and more control over personal information by limiting the collection and use of that information.
Details of the AG's letter after the jump.
 Attorneys General from the following states were also signatories to the letter: Arizona, Illinois, Indiana, Iowa, Montana, Nevada, New Mexico, New York, North Dakota, Rhode Island, Tennessee, Vermont, Virginia and Washington.
A. Are there substantive protections, in addition to those set forth in Section V(B)(1) of the report, that companies should provide and how should the costs and benefits of such protections be balanced?
The States believe that companies should incorporate the four substantive privacy protections outlined in Section V(B)(1) of the Privacy Report into their business practices in order to establish “standard, comprehensive privacy protections for consumers.” Section V(B)(1) recommends that all companies protect consumer information by: (1) ensuring reasonable safeguards to protect information; (2) collecting only information needed to fulfill a specific, legitimate business need; (3) implementing reasonable and appropriate data retention periods; and (4) taking reasonable steps to ensure the accuracy of data collected.
To the extent the FTC is contemplating additional regulations to promote more widespread adoption of substantive privacy protections, the States asked the FTC to act “with caution” in exempting any entity from regulations that would require an assessment of preventative steps necessary for protecting consumers’ personal information. To balance the business interests and the need for consumer protection, the States support a tailored approach to information security that takes into account a business’s size, scope, resources and particular need to secure the personal information in its possession.
B. How should the scope of sensitive information and sensitive users be defined and what is the most important means of achieving affirmative consent in these contexts?
The States encouraged the FTC to expand the definition of personal information -- defined by most states as a person’s name in combination with either a social security number, state identification number, or financial account number -- to include consumers’ medical and health insurance information. The States, which noted that California and Texas already define “personal information” to include medical and health insurance information, believe that additional protection is required because such highly sensitive information is increasingly maintained electronically and transmitted over the Internet.
The States also strongly encouraged the FTC to consider whether location-based data should be considered sensitive information and whether there is any “legitimate purpose” for companies to retain location data. At a minimum, the States asked the FTC to impose “strong mechanisms” requiring: (1) consumer consent before a company may share location-based data with third parties; and (2) state and federal efforts to educate consumers about the risks and benefits of location-based services.
C. Should additional protections be explored in the context of social media services?
Citing a longstanding interest in protecting children and teenagers who use social networking services, the States support implementation of additional online safety tools that: (1) protect minors from inappropriate contact on social networking sites; (2) protect minors from inappropriate content on social networking sites; and (3) provide safety tools for all social networking site users. The States provided several examples of such safety measures, including:
- "age-locking" profiles;
- allowing users to restrict “friend requests” to those persons who know the user’s last name, and making the functionality mandatory for users under 16 years of age;
- providing methods for underage users to block over-18 users from contacting them or viewing their profiles;
- creating registries to allow parents who do not want their children using social networking sites to register their child’s email address; and
- restricting the display of offline contact information for underage profiles.
Finally, no matter what federal privacy framework is enacted, the States urged the FTC to ensure that they are not preempted from protecting consumers in their jurisdiction and that state regulation is not undermined. The States believe consumers will be afforded the greatest protection if the FTC adopts a “dual sovereignty” model that explicitly recognizes the right of states to enforce their own laws and also to bring actions under any federal law.