ADVERTISING, MARKETING & PROMOTIONS
>> ALERT FINAL FTC PRIVACY REPORT SEEKS NEW LAWS, SUPPORTS ‘DO NOT TRACK,’ EXEMPTS SMALL BUSINESSES, AND TARGETS DATA BROKERS The final privacy report just issued by the Federal Trade Commission (FTC) substantially reflects the preliminary staff report (click here to view previous Alert) on consumer privacy and data collection practices issued by the FTC in December 2010 – albeit with a number of rather important changes. In “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” the FTC sets forth a framework for some “best practices” for businesses to adopt to protect the privacy of American consumers and to give them greater control over the collection and use of their personal data. These best practices include making privacy the “default setting” for commercial data practices and giving consumers greater control over the collection and use of their personal data through simplified choices and increased transparency.
RECOMMENDATIONS In particular, the FTC’s recommendations include: Privacy by Design Companies should build in consumers’ privacy protections at every stage in developing their products, including reasonable security for consumer data, limited collection and retention of that data, and reasonable procedures to promote data accuracy.
Simplified Choices for Businesses and Consumers Companies should give consumers the option to decide what information is shared about them, and with whom. Significantly, the FTC supports the industry initiatives to implement a Do-Not-Track mechanism online that would provide a simple, easy way for consumers to control the tracking of their activities. Greater Transparency Companies should disclose details about their collection and use of consumers’ information and provide consumers access to the data collected about them. For instance, businesses could develop clearer, more standardized privacy disclosures and could give people reasonable access to their information.
CHANGES FROM DRAFT REPORT Scope One of the more significant changes from the draft report is the framework’s scope. The draft report recommended that the proposed framework apply to
THE BOTTOM LINE Based on the FTC’s final privacy report, it is clear that privacy and data security issues continue to be a focus of regulators and should be carefully addressed by every business in every industry.
all commercial entities that collect or use consumer data that can be linked to a specific consumer, computer, or other device. The final report, however, provides that the framework does not apply to companies that collect only non-sensitive data from fewer than 5,000 consumers a year, provided they do not share the data with third parties. It also concludes that data is not “reasonably linked” to consumers, computers, or devices, and therefore cannot be used to identify an individual, if a company takes reasonable measures to de-identify the data, commits not to re-identify it, and prohibits downstream recipients from re-identifying it. >> continues on next page
ADVERTISING, MARKETING & PROMOTIONS >> ALERT Commonly Accepted Practices The final report also refines the guidance for when companies should provide consumers with choice about how their data is used. The draft report sets forth a list of five categories of “commonly accepted” information collection and use practices for which companies would not have needed to provide consumers with choice (product fulfillment, internal operations, fraud prevention, legal compliance and public purpose, and first-party marketing). The final report, however, discards the five enumerated categories of commonly accepted practices in favor of a more flexible standard which states that whether a practice should include choice turns on the extent to which the practice is consistent with the context of the transaction or the co