On December 1, 2010, the Federal Trade Commission (FTC) released its long-awaited preliminary report on the protection of consumer privacy titled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.” The FTC is seeking input on this proposal and intends to issue a final report sometime in 2011.
The report, which covers both online and offline data collection and use, reiterates certain concrete steps that the FTC believes organizations should take related to choice and transparency and also provides broad guidance that applies to all commercial entities that collect or use consumer data, including companies that do not interact directly with consumers, such as information brokers. The framework is not limited to personally identifiable information (PII); it applies to all consumer data that can be linked to a specific individual or to a computer or other device.
Focusing on new and growing threats to consumer privacy driven by innovations that rely on consumer data, the proposal outlines a three-step framework for data protection:
1) Privacy by Design – Organizations should integrate privacy concepts into every stage of the life-cycle of their products and services, develop marketing initiatives and data-sharing activities based on privacy guidance from the inception of such projects, and develop and maintain comprehensive information programs to protect and manage consumer data within the organization itself. Data security, reasonable collection limits, sound retention practices, and data accuracy are critical program components.
2) Choice – Organizations should offer clear and easy-to-use choice mechanisms at the point when the consumer is making a decision about his/her data, such as at the point of collection; implement a “do not track” mechanism, such as a persistent web browser setting that allows consumers to block all tracking of their online activities; obtain consumer consent before sharing data for marketing purposes with third parties, or even with their affiliates if the affiliate relationship is not clear to consumers; and require enhanced consent for sensitive information, such as data about children, financial and medical information, and precise geolocation data.
3) Transparency – While privacy policies remain a critical tool for notifying consumers (and regulators) of an organization’s privacy practices, in general, most privacy policies need to be streamlined and simplified, and organizations must obtain consumer consent before implementing a change in policy that affects previously collected data. Organizations also should explore mechanisms for providing consumers with access to their data.