12.09.2010


The Federal Trade Commission (FTC) issued a staff report last week that calls on companies to more effectively protect consumer privacy.  Stressing that current models for consumer privacy protections have failed to keep pace with technological growth and consumer expectations, the FTC proposes a framework intended to inform future laws and policies. 

Titled "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policy Makers," the report is aimed broadly at "all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device." This significantly shifts traditional notions of consumer data protection beyond the scope of "personally identifiable information" (PII) to include data previously considered by many to be "anonymous" data such as Internet Protocol (IP) addresses and mobile device IDs.  The FTC reasons that the distinction between PII and non-PII has lost significance due to technological developments that more easily allow data to be re-identified.

The proposed framework encourages policymakers and businesses to address three main points: "privacy by design," "simplified choice" (including a browser-based "Do Not Track" mechanism), and "greater transparency." 

First, the FTC encourages companies to adopt a "privacy by design" approach.  This approach incorporates privacy-protective physical, technical, and administrative safeguards into a company's everyday business practices.  Examples of this approach include "providing reasonable security for consumer data, collecting only the data needed for a specific business purpose, retaining data only as long as necessary to fulfill that purpose, and implementing reasonable procedures to promote data accuracy."

Second, the FTC proposes that companies provide consumers with clear and direct choices regarding data practices that are not "commonly accepted" and are likely to be unexpected by consumers.  The staff identified a "limited set" of practices considered to be "commonly accepted," which fall into the following categories:

  • Product and service fulfillment,

  • Internal operations,

  • Fraud prevention,

  • Legal compliance and public purpose,

  • First-party marketing.

Sharing of data with service providers in support of commonly accepted practices would also not require consent.  Given the limited nature of the list of "commonly accepted practices," anything falling outside of this list would presumably require consent.  Examples given by the FTC of practices not considered "commonly accepted" include deep-packet inspection and third-party data collection. 

For practices not "commonly accepted," the FTC framework would require companies to give consumers informed and meaningful choices, which the FTC says would be most effective when offered in real time, as consumers make decisions regarding their data.  Choices "buried in long privacy policies" or offered as pre-checked boxes would not be "effective means of obtaining meaningful, informed consent."

The FTC specifically addressed choice in the context of online behavioral advertising, proposing a browser-based "Do Not Track" mechanism that would operate like a cookie and maintain a persistent presence on the user's Web browser.  The "Do Not Track" feature would allow consumers to universally signify their choices regarding certain data tracking practices.  Data tracking practices in which a Web site owner tracks its own visitors would not need to be subject to the Do Not Track mechanism.  Such first-party tracking would be considered a commonly accepted practice as an "internal operation."  The FTC also rejected a Do Not Track mechanism based on a registry of unique identifiers such as IP addresses.

Third, the FTC suggests that companies take a number of discrete measures aimed at creating greater transparency.  For example, the FTC states that company privacy policies should be "clear, concise and easy-to-read."  Concerned about data brokers with whom consumers rarely interact directly, the FTC also recommends that companies provide consumers with "reasonable access" to information maintained about them.  Recognizing the potentially high cost to business, the FTC would permit access to be proportional to the sensitivity of the data retained.  The FTC further encourages companies to provide "robust notice and obtain affirmative consent" for retroactive data policy changes.  Finally, the FTC encourages all stakeholders to engage and educate consumers about "commercial data practices" and available consumer choices.  

Given recent congressional proposals for future legislation aimed at protecting consumer privacy and the FTC's broad powers under the fairness doctrine of the FTC Act, companies may wish to proactively consider the following action items to incorporate the FTC's recommendations:

  • Review business operations to understand the type of data collected from individuals, including non-PII with the potential for identification or re-identification, and the potential impact on consumer privacy and data security;

  • Evaluate how you implement and enforce privacy practices within your organization, including assignment of personnel to oversee privacy issues and training of employees on privacy;

  • Consider developing and implementing privacy-protective practices and guidelines specific to every stage of business operations that handle individual data;

  • Review your current notice and consent practices and consider adding consent for any data practices likely to surprise a reasonable consumer, preferably at the point of data collection;

  • Review customer-facing privacy policies for opportunities to provide greater clarity and transparency;

  • Consider the potential impact that a universal, browser-based "Do Not Track" feature would have on current tracking activities on your site;

  • Evaluate current data collection and retention practices to understand the costs, benefits and feasibility of providing consumers with "reasonable access" to their data;

  • Update business processes to ensure that all new campaigns or programs involving collection of consumer data receive a thorough privacy impact review; and

  • Explore opportunities beyond your privacy policy to educate consumers about how data is used by your organization.

The FTC will take public comments on its report until January 31, 2011.

If you would like assistance in reviewing the impact of this report on your organization, please contact Susan Lyon at slyon@perkinscoie.com or 206-359-8002.

© 2010 Perkins Coie LLP


 
