FTC releases final report on Consumer Privacy
March 27, 2012 - The Federal Trade Commission this week released its final report on protecting consumer privacy, including a series of recommended best practices and amended proposals from the preliminary report released in December 2010 which ABM submitted extensive comments to.
ABM has been heavily engaged in the privacy arena over the last several years, advocating for a business capacity exemption. Such an exemption would ensure that laws aimed at protecting consumer privacy do not limit the ability of b-to-b companies to collect and use information about an individual in a business capacity.
In the report, called “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” the FTC recommends that Congress consider enacting general privacy legislation, data security and breach notification legislation, and data broker legislation. The FTC says it received more than 450 comments on its preliminary recommendations that helped shape the final report.
Other Final Report recommendations for companies handling consumer data include,
--Privacy By Design: The FTC says companies should build in privacy protections at every stage in product development including “reasonable security” for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy.
--Simplified Choice for Businesses and Consumers: Companies should give consumers the option to decide what information is shared and with whom. The FTC says this should include a Do-Not-Track Mechanism for consumers to control tracking of their online activities.
--Greater Transparency: companies should disclose details about their data collection and use of consumers’ information, including providing consumers access to the data collected about them.
While the preliminary privacy protection report recommended that the proposed framework apply to all commercial entities that collect or use consumer data that can be linked to a specific consumer, computer or other device, the new report excludes companies that collect and do not transfer only non-sensitive data from fewer than 5,000 consumers a year.
The final report also says that data is not “reasonably linked” to consumers, computers or devices if a company takes reasonable measures to de-identify the data, commits not to re-identify it and prohibits downstream recipients from re-identifying it.
Five Action Items
Over the next year, the FTC says it will focus on five main action items including,
Do-Not-Track: The Commission says it recognizes work in this area including browser vendors developing tools to allow consumers to limit data collection about them; the Digital Advertising Alliance developing its own icon-based system and committed to honor browser tools; and the World Wide Web Consortium developing standards.
Mobile: The FTC is encouraging companies to work toward privacy protections and disclosures. On May 30, the FTC will host a workshop addressing how mobile privacy disclosures can work on small screens.
Data Brokers: The FTC calls for data brokers to make their operations more transparent by creating a centralized website to identify themselves and disclose how they collect and use consumer data.
Large Platform Providers: The report cites privacy concerns about the extent that Internet service Providers, operating systems, browsers and social media companies track consumers’ online activities. The FTC will host a public workshop in the second half of 2012 dedicated to the issues surrounding comprehensive tracking.
Promoting Enforceable Self-Regulatory Codes: The FTC says it will work with the Department of Commerce and industry stakeholders to develop industry-specific codes of conduct.
The final report was approved by a vote of 3-1 with FTC Commissioner J. Thomas Rosch dissenting on the issuance of the Final Privacy report because he believes it is based on “unfairness” rather than deception; the current state of “Do Not Track” leaves too many questions unanswered; “opt-in” will be selected as the de facto method of consumer choice; and the report’s recommendations may be interpreted as federal requirements despite being characterized as characterized as only “best practices.”
“We’re glad to see the FTC finalizing its report and we look forward to continuing to engage with the FTC, the Commerce Department, the White House and Congress to make sure that they understand the difference between a business user and a consumer in regard to consumer privacy protection. At the end of the day, we still prefer self-regulation to government regulation in this matter, but we want to work with policymakers to ensure ABM members are protected from any overly broad regulation in this area, ” says ABM’s Washington lobbyist Tom Carpenter.
By Matt Kinsman