On March 26, 2012, the Federal Trade Commission released its final report on “Protecting Consumer Privacy in an Era of Rapid Change” (“Final Report”), effectively adopting the Commission’s preliminary staff report announced in December 2010 (“Staff Report”) with important changes.
The Final Report adopts the general framework for privacy protection from the Staff Report, recast as privacy by design, simplified consumer choice, and transparency. The framework covers the use of personal and profiling information across all industries, on and offline. While the Final Report recognizes the growing success of voluntary Do Not Track tools, the Commission urges industry to increase their effectiveness or legislation will be needed.
Much of the change from the Staff Report to the Final Report reflects the FTC aligning with the Administration's approach to privacy. For example, the Commission discarded the Staff Report’s list of permissible “commonly accepted” business uses in favor of contextual justification. It accepts that relationships between companies and their customers vary widely, so privacy protections require flexibility that is best worked out in stakeholder discussions and self-regulatory codes (with the FTC enforcing any promises made). It restates and renames Fair Information Practice Principles consistent with the White House/Commerce Department February 2012 White Paper.
The Final Report affirms the Commission’s earlier view that privacy-related harm can be presumed from consumer fear of disclosure of private information without any actual economic or physical harm. It also justifies the costs of compliance with new privacy protections on grounds that businesses benefit in building consumer trust and increased customer engagement.
The Commission does not recommend that any existing sector-specific privacy laws sunset even if a new baseline for all other industries is established, leaving those industries to figure out how to comply with multiple sets of obligations.
The Final Report backs off of the Staff Report position that all data which can be “reasonably linked” to a specific person or device is personally identifiable information subject to protection. Although the Commission adopts parameters for use of de-identified data with less stringent privacy rules, it seems to continue to treat linkage to a device as equivalent to linkage to a person.
Finally, the Commission adopts sweeping principles for consumer access to data held by any company. For data brokers, the Final Report recommends a new opportunity for consumers to access a list of all categories of data held by any broker. For companies that purchase consumer data, the Commission establishes a sliding scale of access that depends on the use and sensitivity of the data, and recommends that these entities disclose the sources of information they collect on consumers. And the Final Report warns entities that do not consider themselves subject to the access and correction provisions of the Fair Credit Reporting Act that the law might extend to more types of transactions than commonly understood.
Scope of Rules. Like the Staff Report, the Final Report proposes privacy regulation that extends to “all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device.” This includes all businesses that handle consumer data—online, offline, bricks and mortar.
Small Business Exception. The Final Report, however, provides an exception for businesses that “collect or use non-sensitive data from fewer than 5,000 individuals a year” when the use is for limited purposes “such as internal operations and first party marketing,” and the data is not shared with third parties.
No Sunset of Existing Privacy Regimes. Sectors of industry already governed by existing laws – health, finance, cable television and telecommunications – are not exempt. Rather, the Commission believes its framework augments existing privacy requirements, and directs “entities covered by those other statutes [to] view the framework as best practices.”
Use of De-Identified Data. The Staff Report deemed anonymous or de-identified data to be personally identifiable information subject to consumer choice if it could “reasonably” become linked to any specific person or device. The Final Report, however, attempts to allow the use of de-identified information where: (1) the company takes reasonable measures to ensure the data is de-identified (with reasonable measures defined by the context of the collection and use); (2) the company publicly commits to maintain and use the data in a de-identified fashion (with FTC enforcement); and (3) if the company makes anonymized data available to other companies, it contractually prohibits the third party from re-identifying the data and takes appropriate steps to address contract violations. It is not entirely clear what the Commission intends this standard to allow, because it appears to continue in its view that the potential linkage of data to a device is equivalent to linkage to a person.
Privacy By Design. The Final Report recommends baseline privacy principles, bringing the Staff Report into close alignment with the Administration’s White Paper. These include the overriding principle that companies should incorporate privacy protections into their routine practices, including data security; limit the collection of data to that which is consistent with the context of a particular transaction or consumer relationship, or as required by or specifically authorized by law; retain and destroy data with practices tailored to the purpose for which it was collected, taking into account the nature of the data; and take reasonable steps to ensure data accuracy.
Mobile Devices and Geolocation Data. The Commission sees mobile devices as facilitating unprecedented levels of data which can be used to track and predict consumer behavior. The Commission calls on companies to limit collection to data they need for the requested service or transaction, and to have reasonable policies of purging data. The Commission urges entities in the mobile ecosystem to work together to establish standards of collection, transfer, use and disposal, particularly for location data. It also urges them to improve notice and choice about third party use of data.
Deep Packet Inspection (DPI). The Commission’s view is that ISPs, operating systems, and browsers (“large platforms”) should give consumers a choice whether the entity may use DPI for marketing purposes. The Commission finds that “take it or leave it” choice is inappropriate in the sale of broadband Internet service, where the Commission believes consumers have few options. As a consequence, it believes the provider should never require the consumer to agree to tracking of all online activity for marketing purposes as a condition of service. Network management, security, and other uses of DPI, however, would not trigger this requirement.
The Commission recognizes that Google and Facebook have nearly the same view into the habits of users as ISPs and operating systems, but excuses them from the choice requirement imposed on other large platforms. In an effort to improve adherence to a technology-neutral approach, the Commission plans to host a workshop in the second half of 2012 to explore the issues.
First Party Marketing Practices that Require Choice. Although under the Final Report most first-party marketing practices are deemed consistent with the customer’s relationship with the company, the FTC clarified that several common practices require greater disclosure or consumer choice:
- A retailer must provide consumers a choice before “retargeting” ads to the consumer on a separate website (i.e. the ad follows the user from the advertiser’s retail website).
- Cookies, web beacons, social plug-ins (such as Facebook’s “Like” button) and similar technology that allows a company with a first-party relationship with the consumer to track the consumer’s activities across other websites are not likely to be consistent with the consumer’s first-party relationship, and would require choices.
- Affiliates are third parties unless the affiliate relationship is clear to the consumer. Common branding is one way of making the relationship clear; otherwise, sharing of data between affiliates requires consumer choice.
- Cross channel marketing—including across platforms—is generally consistent with the context of the consumer’s interaction. In this practice, a consumer who makes an in-store purchase receives, for example, a coupon or ad through the mail or electronically. Regardless of the means of contact, receipt of a message from a company with which the consumer has done business is likely to be consistent with the consumer’s relationship, and would not require any choice.
- The Commission believes companies should improve the transparency of data enhancement. First-party marketers need not give consumers a choice before the data is enhanced with third party data, but should improve their disclosure of data enhancement practices, including disclosure of third party suppliers of data.
Collection of “Sensitive Data.” Companies should generally give consumers a choice before collecting “sensitive data” for first-party marketing. Sensitive data is defined, at minimum, to include data about children, health and financial information, Social Security numbers, and certain geolocation data. Companies that target teens should consider additional protections even where it may not be necessary to provide opt-in. Where a company’s business by definition targets customers based on sensitive data (e.g., health or financial services) the company should seek affirmative express consent (“opt-in”) from the consumer. The incidental collection of sensitive data, as with product recommendations from Amazon.com, need not provide choice.
Do Not Track. The Final Report reflects the FTC’s enthusiasm for Do Not Track mechanisms to allow consumers to opt out of online tracking. The Commission recognizes rapid and recent progress made in the industry, as with the evolution of the Digital Advertising Alliance’s tools, the W3C Internet standards efforts to create global Do Not Track standards, and more technical improvements by Mozilla and Microsoft in their respective browsers.
Nonetheless, the Commission finds much lacking in current Do Not Track technology options, and lists five characteristics any Do Not Track system must have to be effective: universal implementation; it must be easy to find, understand and use; it must be persistent through technical changes such as browser updates and cookie deletion; and it must be “comprehensive, effective and enforceable.” To satisfy the Commission, any mechanism should insulate consumers from behavioral tracking “through any means and not permit technical loopholes.” The Commission warns that legislation may be required to achieve what it views as adequate Do Not Track protection.
Elsewhere, however, the Final Report permits tracking for purposes such as internal operations, fraud prevention, legal compliance and first-party marketing. (The Chairman expressed his personal opinion that Do Not Track means “do not collect” and “do not advertise back,” a statement seemingly in conflict with the Final Report’s statement of permissible tracking without consent.)
Affirmative Consent. The Final Report requires affirmative express consent – opt-in by the consumer after disclosure of the practice – for material retroactive changes to privacy representations, such as those that led to FTC investigation and settlements with Facebook and Google. The only example provided is that a material change would mean sharing consumer information with third parties after committing at the time of collection not to share the data. “Material change” is otherwise undefined, left to case-by-case assessment and uncertainty.
Transparency. The Final Report amplifies the Staff Report’s recommendation that companies increase the transparency of data practices. The Department of Commerce will convene multi-stakeholder groups to work on privacy issues, and the Commission suggests that venue would be a useful forum for industry sectors to work together to develop more standardized, streamlined privacy policies and definitions.
As in the Staff Report, the Commission expressed particular concern with disclosures in the mobile industry, where small screens limit the consumer’s viewing experience. The Commission thus prioritizes a “Dot Com Disclosures” workshop for May 30, 2012 to address mobile privacy disclosure and how to make them short, effective, and accessible to consumers on a small screen.
Consumer Access to Data Including Data Brokers. Any company that maintains data profiles—including third party data brokers—is expected to provide consumers with access to retained data that is proportional to the sensitivity and the intended use of the data at issue. The Commission divides all entities into three categories: those that maintain data for marketing purposes; those that maintain data for non-marketing purposes that are not covered by the Fair Credit Reporting Act (FCRA); and those covered by the FCRA.
For companies that maintain data solely for marketing purposes – data brokers and marketing third parties – the Commission requires individualized access and correction rights. These companies are expected to provide consumers with access to a list of the categories of data they hold, and allow them to suppress the use of such data for marketing. The Final Report also encourages these companies to find new ways to provide individualized access where feasible, as with Yahoo!’s Ad Interest Manager.
Companies not subject to the FCRA who use data for purposes in addition to marketing are covered by the Commission’s new “sliding scale” approach, where access to personal data is scaled to the use and sensitivity of the data. These companies should give consumers access to the types of information the companies maintain and disclose their sources of information, including data brokers. The Commission’s goal is to bring consumers closer to data brokers.
Companies that hold and use data for use by creditors, employers, and other benefits are often governed by the FCRA. But the Commission warned that companies which may think they are not subject to the FCRA – like developers of mobile apps that compile public information on individuals – could be bound to comply with the FCRA.
The Commission recommends legislation to establish procedures for consumer access to data broker information, like the Data Accountability and Trust Act, H.R. 2221, passed by the House on Dec. 8, 2009. Separately, the Commission recommends that data brokers explore a potential centralized database for consumers, which would allow consumers to identify the brokers and learn how they collect and use information. The Commission plans to investigate this further with industry members. It also generally supports exploration of the concept of an “eraser” button through which people – especially teens who may disclose personal information more impulsively – can delete content that they post online.
The Commission flags five action items for the coming year: work with industry to further implement Do Not Track mechanisms and standards; push mobile service providers to improve privacy protection; support legislation governing data brokers; explore privacy “and other issues” related to tracking of online consumer activity by providers of large Internet platforms, like ISPs, operating systems, browsers, and social media; and promote sector-specific codes of conduct.