A few months ago, the FTC released its widely-anticipated report “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers,” (Privacy Report). Although the final Privacy Report largely echoes the same overall framework for consumer privacy that was presented in the FTC’s 2010 preliminary Privacy Report, some things have been changed or clarified, in response to issues raised in the 450 comments to the preliminary report that the FTC received, or other industry developments and activities. Among other highlights, the Privacy Report reflects the FTC’s decision to now support general consumer privacy legislation (in addition to earlier-voiced support for data security legislation); expresses more satisfaction with evolving self-regulatory frameworks operating in the behavioral advertising area; and announces a series of workshops and focus areas for the coming year:
- Working with industry to implement a Do Not Track program;
- Updating existing “dot.com” disclosures to also address mobile services;
- Encouraging data brokers to provide more disclosures to consumers;
- Reviewing the practices of “Large Platform Providers,” whose operations may pose heightened privacy concerns due to their scope; and
- Working with the Department of Commerce (DOC) to develop enforceable privacy codes of conduct.
This last item related to enforceable codes of conduct reflects the FTC’s role within a somewhat larger context, outlined in a recently-released White House strategy for consumer privacy. The White House’s strategy, unveiled last month in an appropriately-colored white paper, calls for a “Consumer Privacy Bill of Rights,” enforceable codes of conduct, increased global interoperability in consumer privacy frameworks, and continued FTC enforcement actions against unfair or deceptive acts. Although the DOC may be leading the multi-agency effort to develop “enforceable codes of conduct” (begun a few weeks ago when DOC’s National Telecommunications and Information Administration (NTIA) issued a request for public comment), both the White House and DOC still envision a preeminent role for the FTC, both in enforcement, and arguably policy.
Which brings us to the theme of this piece − what does the Privacy Report suggest about the FTC’s enforcement focus for 2012? Long-time followers of the FTC’s approach to consumer privacy should by now know at least three things:
- FTC policies and frameworks are carefully and consciously-developed over time, and respond to changes in technologies, practices, and industry comments (see the 2008 Mapping the Mobile Marketplace, 2009 Self-Regulatory Principles for Online Behavioral Advertising, 2010 preliminary Privacy Report, and the 2009-2010 series of privacy workshops);
- FTC enforcement actions reinforce announced policies (see timing of Frostwire for unfairness and Chitika for opt-out functioning; GoogleBuzz, and Facebook for using wider agreements to also address companies’ mobile applications); and
- When the FTC brings an enforcement action in a new area, it often focuses on practices that also implicate existing “hot button” areas, where its authority is more recognized (see warning letters sent to providers of background screening mobile applications thought to violate FCRA, or COPPA violations in W3 Innovations).
Luckily, the FTC’s Privacy Report may provide a roadmap − with graphic illustration − for this year’s enforcement priorities, a view echoed by Commissioner Rosch in his dissent to the report. Companies wishing not to appear as signposts on this roadmap would be well-advised to pay particular attention to any business practices that:
- ignore changes or clarifications the FTC made in the Privacy Report after weighing comments to the 2010 preliminary report;
- are the focus of workshops planned for this year on specific areas of concern; or
- use or collect sensitive data.
For example, companies may wish to pay closer attention to their data practices, in light of the Privacy Report’s reiteration of how broadly the FTC considers covered data. In exchange for limiting the scope of the framework to companies that don’t collect sensitive data, data from over 5,000 consumers annually, and don’t share data with third parties, the FTC has made clear that when it says it is concerned with data that can be reasonably linked to a particular consumer, computer, or device, it is not just talking about PII. Companies that collect information about browsing habits, purchases, or other consumer interests and link that data to consumers, IP addresses, cookie user-identifiers, or MAC addresses, need to remember that the FTC thinks all this data is covered. Also, responding to press reports suggesting it is becoming easier to link even anonymous data to particular consumers, computers, or devices, companies have to take extra care to avoid having their data found reasonably linked, by doing more to “anonymize” data, publicly commit to not themselves try to link such data, and contractually prohibit anyone else that might receive their data from trying to link it.
Similarly, companies providing opt-out mechanisms or participating in Do Not Track initiatives should ensure their disclosures and practices match − especially if their opt-out only applies to the use of data for a particular purpose (e.g., reception of targeted ads), instead of from data collection. Also, data brokers, mobile applications’ developers, and “Large Platform Providers” (ISPs, social networking sites, browser or operating system providers) may also find it advisable to revisit their practices in advance of the upcoming workshops. And, of course, any company that collects or uses sensitive data − relating to children, health, financial, or precise physical location − should remember their practices are often the source of heightened scrutiny.
Finally, companies interested in obtaining insight into the ever-elusive but beckoning prospect of a safe harbor in consumer privacy practices may wish to take a closer look at the numerous “best practices” outlined in the Privacy Report. Although these practices remain only aspirational, they will likely inform the FTC’s efforts in helping to craft codes of conduct through DOC’s multi-stakeholder effort.