Tsibouris & Associates Home | Practice Areas | Attorneys | Contact | Publications | Clients | Blog Home

Monday, March 26, 2012

FTC Issues Final Privacy Report

By Mehmet Munur

Today, the Federal Trade Commission released its final report titled Protecting Consumer Privacy in an Era of Rapid Change that announces its best practices privacy framework. The final report reinforces the FTC’s commitment to Privacy by Design, Simplified Choice for Consumers, and Greater Transparency principles. The final report reduces the scope of the privacy framework by creating an exception for small businesses and an exception for de-identified data. The report includes further information relating to when companies should provide choice for consumers and creates a new “context of the transactions” standard for choice. The final report calls on Congress to enact base-line privacy legislation. The report also calls on the industry to start complying with the privacy framework as a best practice, even though the FTC may not be able to rely on all of its recommendations in the final report for its enforcement actions. The report also commends industry actions in the behavioral advertising arena while highlighting the need to do more in order to address the implications of the report in both the online and the offline world. The FTC will focus on Do Not Track, Mobile, Data Brokers, Large Platform Providers, and Self-Regulatory Codes throughout this year to promote the implementation of the framework. Therefore, the FTC will continue the development of the privacy framework with stakeholders, industry, consumer groups, and the Department of Commerce. 

Scope of the Privacy Framework.
The final report builds on the preliminary report of the same name released in December 2010, which we discussed at the time of its release. The privacy “framework applies to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device, unless the entity collects only non-sensitive data from fewer than 5,000 consumers per year and does not share the data with third parties.” The FTC has decided to include a fewer than 5,000 consumers per year small business exception in order to reduce the impact of the privacy framework on small businesses. However, the more important reduction in scope comes in the form of what FTC defines as information that cannot be reasonably linked to a specific consumer, computer, or other device.

In its preliminary report, the FTC referenced the problems in anonymization and the disappearing distinction between personally identifiable information and non-personally identifiable information. The FTC relied on articles such as Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization by Paul Ohm and the Robust De-anonymization of Large Sparse Datasets by Arvind Narayanan and Vitaly Shmatikov relating to Netflix. However, the FTC narrowed down the reasonably linked to specific consumer, computer, or other device standard by creating another exception. A company will be able to take advantage of this exception if the company 1) takes reasonable measures to ensure that the data is de-identified, 2) publicly commits to maintaining and using the data in a de-identified fashion, and not to attempt to re-identify the data, and 3) contractually prohibits any other entities from re-identifying the data—if it shares the information with others. This approach is different than the approach suggested by Jane Yakowitz in the Tragedy of the Data Commons article, which would have allowed a freer flowing stream of anonymized data. Nevertheless, it allows entities to retain de-identified data for longer periods for research and share it with others with reasonable assurances that they will not be held liable under the privacy framework. 

Privacy by Design.
Since the release of the preliminary report, the FTC has reinforced the importance of the Privacy by Design prong of the privacy framework with the Google and Facebook enforcement actions. Therefore, the FTC remains committed the encouraging companies to create privacy as a default option in the products and services they offer. As a result, FTC believes that “[c]ompanies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy.”

While the FTC’s data security requirements are easier to article under its enforcement actions, the boundaries of the reasonable collection limits data accuracy remain less clear. The Sears enforcement action and the FrostWire enforcement action likely remain important for reasonable collection limits for the online context. In this final report, the FTC explains that “[c]ompanies should limit data collection to that which is consistent with the context of a particular transaction or the consumer’s relationship with the business, or as required or specifically authorized by law.” As a result, the relationship with the consumer play a large role in what type of information should be collected from the consumer. This requirement also fits well with the Obama administration’s Consumer Privacy Bill of Rights Respect for Context principle.

However, the FTC’s approach to the Privacy By Design prong of the framework appears to be flexible because different industries will need to collect different information. 

Simplified Consumer Choice.
The FTC has further elaborated the different actions that companies should obtain choice for while omitting choice in other, more obvious circumstances. The FTC states that “[c]ompanies do not need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company’s relationship with the consumer, or are required or specifically authorized by law.” FTC further elaborates “whether a practice requires choice turns on the extent to which the practice is consistent with the context of the transaction or the consumer’s existing relationship with the business, or is required or specifically authorized by law.” The reasons for this revision appear to be two-fold: comply with the Consumer Privacy Bill of Rights context principle and providing a more objective standard for providing choice. Nevertheless, the FTC still believes that the five practices in the preliminary report—fulfillment, fraud prevention, internal operations, legal compliance and public purpose, and most first-party marketing—provide good examples of practices that would meet this standards.

With regards to practices that require choice, the FTC states that “companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data.” At least two of those circumstances would be when “(1) using consumer data in a materially different manner than claimed when the data was collected; or (2) collecting sensitive data for certain purposes.” However, the FTC notes that the time and manner that the choice is offered will change from industry to industry and that there is not a one-size-fits all solution. In the online setting, the FTC suggested that making the choice at account creation may be advantageous. However, in an offline retailer, this choice may be made later after waiting “for a disclosed period before engaging in practices for which choice is being offered.”

Finally, the FTC alluded to the possibility that a take-it-or-leave-it approach may be appropriate in some circumstances—such as where 1) there is adequate competition, 2) transaction does not involve an essential product or service, and 3) company clearly and conspicuously discloses the terms of the transaction. 

With the Transparency prong of the framework, the FTC once again calls for “clearer, shorter, and more standardized” privacy policies, reasonable access to data, and consumer education. The FTC believes in standardized elements for privacy policies; however, it calls on the industry to develop the format and terminology for these. The FTC also states that it will work the Department of Commerce in developing these standardized elements.

The FTC also states that the right to access should be reasonable and, therefore, “proportional to the sensitivity and the intended use of the data at issue.” Once again, the FTC takes a sliding-scale approach to the disclosure of the information held by companies about individuals: the more sensitive the information, the more individualized the notice, access, and corrections rights attached to the data. 

The FTC has answered some questions with this final report, at the same time; it has left a lot to be decided by various industry groups, the Department of Commerce, and future workshops. As a result, the final report feels incomplete.

However, the final report is now supported by enforcement actions. FTC has been able to get the industry to move mainly based on the enforcement actions it has brought since the preliminary report, including Google, Facebook, cookies, and mobile apps. Therefore, FTC has brought substantive enforcement actions to support many of the prongs of the preliminary report, even though other parts of the report appear to be best practices. However, the FTC seems to be looking forward to the solutions that are in the works by the World Wide Web Consortium and the major browser developers for issues relating to behavioral advertising.

On the other hand, Congress has failed to pass any baseline privacy and data security legislation that the FTC called for. Therefore, FTC’s privacy framework will likely continue to be a work-in-progress that will take more concrete shape with each future workshop. Companies should make plans to abide by the major points of the privacy framework created by the report and to contribute to the workshops and call for comments by the FTC and Department of Commerce.

Labels: , , , ,