USA: FTC Report on Best Business Practices Protecting Consumer Privacy

On 26 March 2012, the Federal Trade Commission (FTC; the chief privacy policy and enforcement agency in the USA) released its final report "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers". In this report, the FTC not only details best practices for businesses to protect the privacy of consumers and to give them greater control over the collection and use of their personal data, but also recommends that Congress consider enacting general privacy legislation, data security and breach notification legislation, and data broker legislation.

1. Recommendations

The FTC calls on companies handling consumer data to implement recommendations for protecting privacy, including:

  • Privacy by Design - companies should build in consumers' privacy protections at every stage in developing their products. These include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy.
      
  • Simplified Choice for Businesses and Consumers - companies should give consumers the option to decide what information is shared about them, and with whom. This should include a Do-Not-Track mechanism that would provide a simple, easy way for consumers to control the tracking of their online activities.
      
  • Greater Transparency - companies should disclose details about their collection and use of consumers' information, and provide consumers access to the data collected about them.

2. Scope

Recognizing the potential burden on small businesses, the report concludes that the framework should not apply to companies that collect only non-sensitive data from fewer than 5,000 consumers a year and do not transfer it. Responding to the possibility that, with technological advances, more and more data could be "reasonably linked" to consumers, computers, or devices, the FTC report concludes that data is not "reasonably linked" if a company takes reasonable measures to de-identify the data, commits not to re-identify it, and prohibits downstream recipients from re-identifying it.

3. Consumer's Choice

The report refines the guidance for when companies should provide consumers with choice about how their data is used. It states that whether a practice should include choice turns on the extent to which the practice is consistent with the context of the transaction or the consumer's existing relationship with the business or is required or specifically authorized by law. These practices include product fulfillment and fraud prevention.

4. Data Brokers

The FTC report notes that data brokers often buy, compile, and sell highly personal information about consumers. Consumers are often unaware of the brokers' existence and of the purposes for which they use the data. The report makes two recommendations to increase the transparency of such practices:

  • First, it reiterates the Commission's prior support for legislation that would provide consumers with access to information held by data brokers.
      
  • Second, it calls on data brokers who compile consumer data for marketing purposes to explore creation of a centralized website where consumers could get information about their practices and their options for controlling data use.

5. Adoption of Privacy Framework Principles

While Congress considers privacy legislation, the Commission urges individual companies and self-regulatory bodies to accelerate the adoption of the principles contained in the privacy framework, to the extent they have not already done so. Over the course of the next year, Commission staff will work to encourage consumer privacy protections by focusing on five main action items:

  • Do-Not-Track - The FTC commends the progress made in this area: browser vendors have developed tools to allow consumers to limit data collection about them, the Digital Advertising Alliance has developed its own icon-based system and also committed to honor the browser tools, and the World Wide Web Consortium standards-setting body is developing standards. "The Commission will work with these groups to complete implementation of an easy-to-use, persistent, and effective Do Not Track system," the report says.

  • Mobile - The FTC urges companies offering mobile services to work toward improved privacy protections, including disclosures. To that end, it will host a workshop on May 30, 2012 to address how mobile privacy disclosures can be short, effective, and accessible to consumers on small screens.

  • Data Brokers - The FTC calls on data brokers to make their operations more transparent by creating a centralized website to identify themselves, and to disclose how they collect and use consumer data. In addition, the website should detail the choices that data brokers provide consumers about their own information.

  • Large Platform Providers - The FTC report cited heightened privacy concerns about the extent to which platforms, such as Internet Service Providers, operating systems, browsers and social media companies, seek to comprehensively track consumers' online activities. The FTC will host a public workshop in the second half of 2012 to explore issues related to comprehensive tracking.

  • Promoting Enforceable Self-Regulatory Codes - The FTC will work with the Department of Commerce and stakeholders to develop industry-specific codes of conduct. To the extent that strong privacy codes are developed, when companies adhere to these codes, the FTC will take that into account in its law enforcement efforts. If companies do not honor the codes they sign up for, they could be subject to FTC enforcement actions.

FTC report on "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers" of 26 March 2012



Verlag Dr. Otto Schmidt, 28 March 2012, 14:59