Advertising, Marketing & Promotions Alert ... - Davis & Gilbert LLP

18 downloads 475 Views 2MB Size Report
framework for some “best practices” for businesses to adopt ... could develop clearer, more standardized privacy ...
MARCH 2012

ADVERTISING, MARKETING & PROMOTIONS

>> ALERT FINAL FTC PRIVACY REPORT SEEKS NEW LAWS, SUPPORTS ‘DO NOT TRACK,’ EXEMPTS SMALL BUSINESSES, AND TARGETS DATA BROKERS The final privacy report just issued by the Federal Trade Commission (FTC) substantially reflects the preliminary staff report (click here to view previous Alert) on consumer privacy and data collection practices issued by the FTC in December 2010 – albeit with a number of rather important changes. In “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” the FTC sets forth a framework for some “best practices” for businesses to adopt to protect the privacy of American consumers and to give them greater control over the collection and use of their personal data. These best practices include making privacy the “default setting” for commercial data practices and giving consumers greater control over the collection and use of their personal data through simplified choices and increased transparency.

RECOMMENDATIONS In particular, the FTC’s recommendations include: Privacy by Design Companies should build in consumers’ privacy protections at every stage in developing their products, including reasonable security for consumer data, limited collection and retention of that data, and reasonable procedures to promote data accuracy.

Attorney Advertising

Simplified Choices for Businesses and Consumers Companies should give consumers the option to decide what information is shared about them, and with whom. Significantly, the FTC supports the industry initiatives to implement a Do-Not-Track mechanism online that would provide a simple, easy way for consumers to control the tracking of their activities. Greater Transparency Companies should disclose details about their collection and use of consumers’ information and provide consumers access to the data collected about them. For instance, businesses could develop clearer, more standardized privacy disclosures and could give people reasonable access to their information.

CHANGES FROM DRAFT REPORT Scope One of the more significant changes from the draft report is the framework’s scope. The draft report recommended that the proposed framework apply to

THE BOTTOM LINE Based on the FTC’s final privacy report, it is clear that privacy and data security issues continue to be a focus of regulators and should be carefully addressed by every business in every industry.

all commercial entities that collect or use consumer data that can be linked to a specific consumer, computer, or other device. The final report, however, provides that the framework does not apply to companies that collect only non-sensitive data from fewer than 5,000 consumers a year, provided they do not share the data with third parties. It also concludes that data is not “reasonably linked” to consumers, computers, or devices, and therefore cannot be used to identify an individual, if a company takes reasonable measures to de-identify the data, commits not to re-identify it, and prohibits downstream recipients from re-identifying it. >> continues on next page

MARCH 2012

ADVERTISING, MARKETING & PROMOTIONS >> ALERT Commonly Accepted Practices The final report also refines the guidance for when companies should provide consumers with choice about how their data is used. The draft report sets forth a list of five categories of “commonly accepted” information collection and use practices for which companies would not have needed to provide consumers with choice (product fulfillment, internal operations, fraud prevention, legal compliance and public purpose, and first-party marketing). The final report, however, discards the five enumerated categories of commonly accepted practices in favor of a more flexible standard which states that whether a practice should include choice turns on the extent to which the practice is consistent with the context of the transaction or the consumer’s existing relationship with the business or is required or specifically authorized by law, such as product fulfillment and fraud prevention. Data Brokers Noting that data brokers often buy, compile, and sell highly personal information about consumers, the final report reiterates the FTC’s support for previously introduced legislation that would provide consumers with access to information held by data brokers and it calls on data brokers who compile consumer data for marketing purposes to explore creation of a centralized website where consumers could get information about their practices and their options for controlling data use.

FURTHER FTC ACTION EXPECTED This final report apparently is not going to be the FTC’s last word on privacy.

Over the course of the next year, the FTC’s staff will focus on the following privacy-related topics: Do-Not-Track This is an area where the FTC recognizes that progress has been made, and in particular it highlights initiatives taken by a number of browser vendors and the Digital Advertising Alliance. The final report adds that the FTC will work with browser vendors, industry groups, and the World Wide Web Consortium standards-setting body to “complete implementation of an easy-to-use, persistent, and effective Do Not Track system.” Mobile The FTC is urging companies offering mobile services to work toward improved privacy protections, including shorter, effective and accessible privacy disclosures. It is clear that the FTC is concerned that privacy issues are not being properly addressed in the rapidly expanding mobile marketplace. Large Platform Providers The FTC will explore issues related to comprehensive tracking of consumers’ online activities by Internet service providers, operating systems, browsers and social media companies that seek to comprehensively track consumers’ online activities. The FTC will host a public workshop in the second half of 2012 to explore issues related to comprehensive tracking. Promoting Enforceable SelfRegulatory Codes Finally, the FTC says that it will work with the Department of Commerce and industry stakeholders to develop

industry-specific codes of conduct. It expects that it will take compliance with privacy codes into account in its enforcement efforts.

CONCLUSION The FTC’s final report, in which it also recommends that Congress consider enacting general privacy legislation and data security and breach notification legislation, adds to the wave of privacy proposals, agency actions, and privacy lawsuits and developments that we have seen in the past few weeks alone (see, for example, “Mobile App Operators Announce Agreement with California Attorney General,” “Obama Administration Releases New Privacy Framework; Interactive Industry Responds to Calls for a ‘Do Not Track’ Option,” and “European Commission Proposes Comprehensive Reform of EU Data Protection Rules”). We will continue to monitor, analyze, and report on these developments as they occur.

FOR MORE INFORMATION Gary A. Kibel Partner 212.468.4918 [email protected] or the D&G attorney with whom you have regular contact.

Davis & Gilbert LLP T: 212.468.4800 1740 Broadway, New York, NY 10019 www.dglaw.com © 2012 Davis & Gilbert LLP