This post, written by Colin J. Zick, was originally posted on Foley Hoag’s Security, Privacy and the Law blog.
* * * * *
The FTC has released the final version of its original 2010 Report — "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers." As we have discussed previously, comments on the draft report were taken through January 31, 2011 and the final report had been expected in 2011.
The FTC received over 450 comments from businesses, privacy advocates, and consumers. It claims that the final Report retains the basic principles outlined previously while making several important refinements. There’s also a brief new video explaining the FTC’s positions. Here are the key take-aways from the final report:
- Privacy by Design. Companies should build privacy protections into their everyday business practices. That includes limiting data collection and retention, securing the information they hold on to, safely disposing of what they no longer need, and implementing reasonable measures to ensure information is accurate.
- Simplified Choice. Companies should give consumers a choice at a time and in a context that matters to people. The preliminary report noted that choice shouldn’t be necessary for certain “commonly accepted practices.” The final Report concludes that choice needn’t be provided for data practices that people would expect, given the context of the transaction, the company’s relationship with the consumer, or as required or specifically authorized by law.
- Do Not Track. The Report also reaffirms the Commission’s strong support for Do Not Track.
- Improved Transparency. Companies should increase the transparency of their data practices by developing clearer, more standardized privacy disclosures and could give people reasonable access to their information.
- Exemption of Small Businesses. To minimize the effect on smaller companies, the final framework doesn’t apply to them if they collect only non-sensitive data from fewer than 5,000 consumers a year, provided they don’t share the data with third parties.
Most interesting to me is the Dissenting Statement of Commissioner J. Thomas Rosch, in which he makes several interesting points:
- "First, the Report is rooted in its insistence that the “unfair” prong, rather than the “deceptive” prong, of the Commission’s Section 5 consumer protection statute, should govern information gathering practices (including “tracking”). “Unfairness” is an elastic and elusive concept. What is “unfair” is in the eye of the beholder."
- "Second, the current self-regulation and browser mechanisms for implementing Do Not Track solutions may have advanced since the issuance of the preliminary staff Report" and the Report does not adequately take account of this change.
- "I am concerned that “opt-in” will necessarily be selected as the de facto method of consumer choice for a wide swath of entities that have a first-party relationship with consumers but who can potentially track consumers’ activities across unrelated websites, under circumstances where it is unlikely, because of the “context” (which is undefined) for such tracking to be “consistent” (which is undefined) with that first-party relationship: 1) companies with multiple lines of business that allow data collection in different contexts (such as Google); 2) “social networks,” (such as Facebook and Twitter), which could potentially use “cookies,” “plug-ins,” applications, or other mechanisms to track a consumer’s activities across the Internet; and 3) “retargeters,” (such as Amazon or Pacers), which include a retailer who delivers an ad on a third-party website based on the consumer’s previous activity on the retailer’s website."
- "I question the Report’s apparent mandate that ISPs, with respect to uses of deep packet inspection, be required to use opt-in choice."