Key Takeaways from the FTC’s Landmark Privacy Report
Now, more than ever, it is critical that companies adopt meaningful and compliant privacy policies.
On March 26, 2012 the Federal Trade Commission (“FTC” or “Commission”) published a landmark privacy report entitled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers” (the “Report”). [See the FTC.gov FTC Privacy Report.]
The Report finalizes a preliminary FTC staff report previously issued in December 2010 and calls for industry best practices and consumer privacy legislation.
Every business that collects, maintains, uses or sells personally identifiable information about consumers must now make privacy a priority and expect stepped-up FTC enforcement activity.
Pursuant to the privacy framework first articulated in December 2010, companies must take care to incorporate:
- Privacy by Design — building in privacy protections right at the inception of new products and services;
- Privacy Choices for Consumers — taking into account the opportunity for choice at a meaningful moment and in a meaningful context; and
- Greater Transparency — more robust, frequent and meaningful consumer privacy notices and disclosures.
Interestingly, the Report would not apply the framework to entities which have a first party relationship with a consumer, do not collect or use sensitive information about that consumer, do not share any consumer information with third parties, or collect data from under 5,000 consumers.
For those companies which collect, maintain, use and/or sell consumer data, the Report presents numerous critical takeaways:
- For the FTC, privacy is now a priority and regulatory enforcement actions are on the horizon;
- Entities that do not have a “first party” relationship with consumers are subject to enhanced privacy scrutiny (e.g., data brokers);
- Do Not Track may actually mean Do Not Collect; and
- Companies must consult with an FTC regulatory compliance and enforcement action attorney to conduct privacy risk assessments.
In designing and implementing the new privacy framework, the Report virtually guarantees enforcement priority in key areas, including Do Not Track, mobile devices, data brokers, and large platform providers. In addition to enforcement, the Report calls upon Congress to adopt comprehensive privacy legislation, including data security legislation and so-called “data broker” legislation.
The Report also identifies five categories of personally identifiable, “sensitive” information which the FTC believes warrant heightened privacy protections and regulatory scrutiny. These categories include information about children, health information, financial information, Social Security number information, and geo-location information.
Clearly, data brokers (entities that do not have a business relationship with the consumer whose information they are collecting) and large platform providers (e.g., ISPs, operating systems, browsers, and social media sites) are targeted for enhanced privacy scrutiny.
Both collect personally identifiable information, either without a direct, first party relationship with consumers or, at least, collect this information outside the bounds of that relationship.
This means that consumers’ ability to be informed about and participate in the data sharing relationship is limited.
This means that these companies collecting personally identifiable information outside of a first party relationship are now likely to be subject to heightened FTC scrutiny and enforcement risk.
According to the FTC, information brokers should be required to provide consumers with access and correction rights, as well as a robust notice informing consumers about the types of information that these companies collect and maintain about them, as well as the sources of that information.
Large platform providers are seen as presenting special privacy threats because they are able to collect information about consumer behavior across the Internet and do so without the benefit of consumer knowledge or consent.
The Report’s Do Not Track recommendation is akin to an EU data privacy approach. It urges that companies operating on the Internet should implement easy-to-use, persistent, and effective Do Not Track systems.
The Report suggests that, absent consumer notice and consent, Do Not Track means Do Not Collect.
This applies both online and offline. Therefore, unless reasonable justification exists for tracking, such as transaction fulfillment, routine data exchanges, or consumer consent, the FTC believes it is flat out inappropriate to track. Clearly, this signals the beginning of efforts by the FTC to preclude businesses from collecting personally identifiable information without express authorization.
Far-reaching, unintended consequences are almost certain, and companies are now charged with evaluating the personally identifiable information that they collect, particularly when it is information about consumers with whom they do not have a commercial relationship. Companies must be prepared to evaluate whether the collection practice is authorized or a necessary component of their business practices.
The recent Report is a clear statement by the FTC and companies should now expect active privacy enforcement activities from the FTC. In fact, the FTC Chairman recently referred to the Commission as “the nation’s privacy protection agency” and called this era “a decisive moment for consumer privacy.”
While the “recommendations” in the Report are supposed to be nothing more than “best practices,” greater FTC law enforcement activity for all of the “best practice recommendations” in the Report should be anticipated pursuant to the Commission’s authority over practices which are deemed to be unfair or deceptive.
The “deception” prong of the FTC’s authority extends not merely to representations that are affirmatively misleading or deceptive; it also arguably includes instances where a company’s failure to make a material disclosure results in deception.
For example, the Commission may consider it a deceptive practice when a company fails to disclose that it is collecting and using sensitive information, fails to disclose that it is tracking consumers across the Internet, and/or fails to even disclose that it collects information about a consumer.
The FTC has applied and will continue to aggressively apply its authority to prohibit deceptive practices and misrepresentations, especially within the performance marketing sector. In doing so, the FTC will almost certainly continue to mandate disclosures where an omission would be tantamount to a deceptive practice.
Companies must critically examine all disclosures and representations about their collection, maintenance, use and dissemination of personally identifiable information. Full and complete disclosures must be made.
What is not new is that the Report essentially calls for a commercial awareness about privacy practices. What is new is the necessity and scope of privacy risk assessments. A privacy risk assessment must now include, without limitation, a thorough review of relevant FTC privacy actions, an evaluation of whether a company’s privacy practices align with the Report, and a comprehensive analysis of corporate disclosures, information practices, and privacy policies.
This guest post was written by Richard B. Newman, an Internet law attorney who specializes in performance marketing and regulatory compliance at Hinch Newman LLP in California and New York.
Disclaimer: This article is intended for informational purposes only and does not constitute legal advice. Consult with an experienced Privacy Law Attorney for assistance interpreting the FTC’s Privacy Report and to discuss a privacy risk assessment.