On December 1, 2010, the Federal Trade Commission issued a preliminary staff report proposing a framework to balance “the privacy interests of consumers with innovation that relies on consumer information to develop beneficial new products and services.” The FTC’s position on industry self-regulation is that industry efforts to address privacy through self-regulation “have been too slow, and up to now have failed to provide adequate and meaningful protection.” The report is designed to reduce the burdens on consumers and businesses.
One of the more controversial suggestions in the report is the implementation of a “Do Not Track” mechanism controlled by the end user’s browser preferences allowing consumers to choose whether to allow the collection of data regarding their online searching and browsing activities.
We are currently being briefed by the DMA, ESPC, IAPP, and OTA and will send additional information as it develops. In the meantime, here is a summary of the key points from the FTC report:
1. Companies should adopt a “privacy by design” approach by building the Fair Information Practices into everyday business practices. Such protections include:
Providing reasonable security for consumer data
Collecting only the data needed for a specific business purpose
Retaining data only as long as necessary to fulfill that purpose
Disposing safely of data no longer being used
Implementing reasonable procedures to promote data accuracy
2. Companies should implement and enforce procedurally sound privacy practices throughout their organizations, including:
Assigning personnel to oversee privacy issues
Training of employees on privacy issues
Conducting privacy reviews when developing new products and services
3. Companies should provide choices to consumers about their data practices in a simpler, more streamlined way than has been used in the past.
Inferred consent for obvious practices:
The FTC believes that it is reasonable for companies to engage in certain commonly accepted or obvious practices where consent is properly inferred – namely, product and service fulfillment, internal operations such as improving services offered, fraud prevention, legal compliance, and first-party marketing. It is not clear what types of practices are obvious or commonly accepted.
No inferred consent where practices are not obvious:
For data practices that are not “commonly accepted” (or, put another way, “obvious”), consumers should be able to make informed and meaningful choices.
To be most effective, choices should be clearly and concisely described and offered when – and in a context in which – the consumer is making a decision about his or her data. It is not clear when these need to be opt-in or opt-out, and we will need to explore further commenting on this issue.
Depending upon the particular business model, this may entail a “just-in-time” approach, in which the company provides the consumer with a choice at the point the consumer enters his personal data or before he accepts a product or service.
Support for Do Not Track:
The most practical method of providing such universal choice would likely involve the placement of a persistent setting, similar to a cookie, on the consumer’s browser signaling the consumer’s choices about being tracked and receiving targeted ads.
4. Companies should make their data practices more transparent to consumers by:
Improving privacy policies, making them more consistent and easier to read so interested parties can compare data practices and choices across companies.
Providing consumers with reasonable access to the data that companies maintain about them, particularly for companies that do not interact with consumers directly, such as data brokers.
Extending access in a manner that is proportional to both the sensitivity of the data and its intended use.
Providing robust notice and obtaining affirmative consent for material and retroactive changes to data policies.
5. All stakeholders should undertake a broad effort to educate consumers about commercial data practices and the choices available to them.
For more information on the aforementioned report, use the links below or contact Rick Buck, VP Privacy/ISP relations, CIPP, at rbuck@e-dialog.com.