By Mehmet Munur
The Federal Trade Commission released a preliminary staff report titled Protecting Consumer Privacy in an Era of Rapid Change that proposes three new principles of Privacy by Design, Simplified Choice, and Greater Transparency to supplement its notice/choice and harm-based model to address the commercial use of consumer information. The proposed scope of the staff report is all commercial entities that collect or use consumer data that can reasonably be linked to a specific consumer, computer, or other device. When finalized, this framework may require major changes to the way companies draft, present, and abide by privacy notices and the way consumers make choices when their information is collected. However, the report is only preliminary and the FTC is seeking comments on the proposed framework, including whether it should recommend legislation in this area if the private sector is unable to implement a uniform effective choice mechanism.
In its news release, the FTC states that it is not satisfied with “industry efforts to address privacy through self-regulation,” which “have been too slow, and up to now have failed to provide adequate and meaningful protection.” The report also suggests that the shortcomings of the FTC’s notice/choice and harm-based model, coupled with the advances in technology, necessitate a new framework. The FTC came up with these new principles based partly on the three roundtables conducted in the past year, which found that collection of consumer information was ubiquitous, consumers did not understand this collection and could not make meaningful choices, privacy was important to consumers, and the distinction between personally identifiable information and anonymous information was blurring.
Using this new framework, under the Privacy by Design principle, the FTC proposes that companies incorporate substantive privacy protections into their practices, including data security, collection limitations, retention practices, data accuracy, training, and assigning employees to oversee privacy issues.
Under the Simplified Choice principle, the FTC suggests that companies need not provide notice regarding commonly accepted practices, such as service fulfillment, internal operations, fraud prevention, legal compliance, and first-party marketing. However, the FTC suggests that companies should offer consumers informed, meaningful, clear, concise, just-in-time choices for uses that are not commonly accepted. The FTC also suggests that Do Not Track technology may have to be implemented to accomplish this goal in the behavioral advertising arena, but that its implementation will have to differ from the Do Not Call registry due to the differences in technology.
Under the Greater Transparency principle, the FTC suggests that privacy notices should be clearer, shorter, and standardized. Additionally, under this principle, companies should provide consumers with reasonable access to their information, obtain express consent before using consumer information in a materially different manner than claimed when the information was collected, and educate consumers. The FTC recommends that companies standardize the format and terminology of these notices and offers GLBA notices as guidance. Therefore, the new framework may require the rewrite of all online privacy policies, especially if it requires standardized forms and terminology. At a minimum, it may require privacy policies to be adjusted for a layered approach.
At times, the report raises more questions than it answers. The report includes 6 pages of questions for comments to be submitted to the FTC.
It also leaves the legislative door open, but recommends robust, enforceable self-regulation. It is also broad in scope. It mentions everything from deep packet inspection to flash cookies to HTML 5 evercookies.
Nevertheless, the FTC reiterates its willingness to “take action against companies that cross the line with consumer data and violate consumers’ privacy – especially when children and teens are involved.” The day before the announcement of the staff report, the FTC also announced an enforcement action against EchoMetrix regarding the disclosure of children’s information to third-party marketers without adequate disclosure to parents.