The Federal Trade Commission is urging companies that collect and use consumer data to adopt the best practices described in its recently released final report on privacy titled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policy Makers.”

The FTC’s report follows closely on the heels of the Obama Administration’s recently released white paper on consumer privacy that urged Congress to enact legislation to enact a “Consumer Privacy Bill of Rights.” (For more on the administration’s report, see our March 14, 2012, legal alert.)

Referring to the best practices as a “privacy framework,” the FTC states in the report that it intends the framework not only to guide companies in the development of self-regulatory measures but also to “assist Congress as it considers privacy legislation.” Citing the need for clear standards and “adequate legal incentives” such as civil penalties and other remedies to deter companies from cutting corners on consumer privacy, the FTC calls on Congress to consider enacting technologically neutral and flexible baseline privacy legislation.

The FTC also reiterates its call for federal data security legislation and voices its support for legislation that would provide consumers with access to information about them held by data brokers. At the same time, the FTC indicates that “to the extent the framework goes beyond existing legal requirements,” the FTC does not intend to use the framework “as a template for law enforcement actions or regulations” under laws currently enforced by the FTC.

The framework is intended to apply to all commercial entities that collect (online or offline) or use consumer data that reasonably can be linked to a specific consumer, computer or device. While generally adopting the framework proposed by the FTC in 2010, the final report would exclude companies that collect or use only non-sensitive data (e.g., data that is not a Social Security number or financial, health, children’s, or geolocation information) from fewer than 5,000 individuals per year and do not share the data with third parties. It also includes steps a company can take to “de-identify” data so that it would not be considered “reasonably linkable.”

The framework consists of the following best practices:

Privacy By Design

Companies should (1) incorporate substantive privacy protections into their everyday business practices, such as data security, reasonable limits on collection and retention, and data accuracy, and (2) maintain comprehensive data management procedures covering the entire life cycle of their products and services. The report includes a “data collection and disposal case study” focused on concerns raised by mobile devices.

Simplified Consumer Choice

Companies should provide easy-to-use choice mechanisms that allow consumers to control whether their data is collected and how it is used. However, companies need not offer choice before collecting and using data for practices that are (1) consistent with the context of the interaction between the company and consumer, or (2) required or specifically authorized by law. Examples of such practices include product and service fulfillment, fraud prevention, internal operations, legal compliance and public purpose. The report includes a discussion of when the use of data in first-party marketing would meet the consistency standard as well as the permissibility of a “take-it-or-leave-it” approach to choice. Choice, when required, should be offered at a time and in a context that is relevant to the consumer’s decision about whether to allow data collection or use (which would typically be before or at the time of collection). Affirmative express consent should be obtained before a company uses consumer data in a way that is materially different from that claimed at the time of collection or when collecting sensitive data for certain purposes.

Transparency

Privacy notices should be clearer, shorter, and more standardized. The report raises the particular challenges associated with providing notice in the mobile context and notes that mobile privacy disclosures will be among the topics addressed at a workshop the FTC has scheduled for May 30, 2012, on advertising disclosures in online and mobile media. At a minimum, companies should offer consumers reasonable access to the types of consumer data they maintain about them and the data’s sources, and, when warranted by the data’s use or sensitivity, provide access to individualized data and correction rights. All stakeholders—businesses, industry trade groups, consumer groups and government—should increase their efforts to educate consumers about data privacy practices.

Although it appears the FTC does not intend to use the framework as a basis for bringing enforcement actions, the FTC plans to promote voluntary implementation of the framework by industry through its policymaking efforts.

The five main areas on which the FTC will focus those efforts are:

  • Development by industry of “an easy-to-use, persistent, and effective Do Not Track system” that consumers can use to control the tracking of their online activities
  • Improvement by providers of mobile services of existing privacy protections for such services, including the development of “short, meaningful disclosures” for mobile services
  • Creation by data brokers of a centralized website on which brokers would identify themselves to consumers, describe how they collect and use consumer data, and explain what rights consumers have to access data and make choices
  • Further study of privacy and other issues relating to the tracking of consumer online activity by large platform providers
  • Encouraging the development by industry stakeholders of sector-specific, self-regulatory codes while enforcing the FTC Act “against companies that engage in unfair or deceptive practices, including the failure to abide by self-regulatory programs they join”

Ballard Spahr’s Privacy and Data Security Group includes experienced lawyers who help clients navigate the many laws designed to safeguard health, financial, and other private information; counsel clients on compliance, data mining, online marketing, and mobile privacy; and assist clients in responding to security breaches.

Ballard Spahr’s Consumer Financial Services Group is nationally recognized for its guidance in structuring and documenting new consumer financial services products, its experience with the full range of federal and state consumer credit laws throughout the country, and its skill in litigation defense and avoidance. The group also produces the CFPB Monitor, a blog that focuses exclusively on important Consumer Financial Protection Bureau developments. To subscribe, use the link provided to the right.

For more information, please contact Consumer Financial Services Group Practice Leader Alan S. Kaplinsky at 215.864.8544 or kaplinsky@ballardspahr.com; Consumer Financial Services Group Practice Leader Jeremy T. Rosenblum at 215.864.8505 or rosenblum@ballardspahr.com; John L. Culhane, Jr., at 215.864.8535 or culhane@ballardspahr.com; Barbara S. Mishkin at 215.864.8528 or mishkinb@ballardspahr.com; or Mark J. Furletti at 215.864.8138 or furlettim@ballardspahr.com.

 


Copyright © 2012 by Ballard Spahr LLP.
www.ballardspahr.com
(No claim to original U.S. government material.)

 

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.