On March 26, 2012, the Federal Trade Commission ("FTC") issued its Protecting Consumer Privacy in an Era of Rapid Change Report (the "Privacy Report"), setting out recommended “best practices” for protecting consumers’ private information. http://www.ftc.gov/os/2012/03/120326privacyreport.pdf. In the Privacy Report, the FTC did a thorough job of identifying the issues that are being discussed among privacy professionals. For example, the privacy by design concept has been implemented by my clients since as early as 2005. Likewise, the Digital Advertising Alliance and others have done an excellent job with the Do Not Track mechanism, which is captured in the Privacy Report. In sum, the Privacy Report does outline general statements on privacy practices that most would agree deserve consideration in every organization.
The problem however is that embodying these concepts in an official report from the FTC that attempts to provide guidance to every industry and business model existing or contemplated creates uncertainty and dilemmas for those companies looking to innovate. The problem begins with the lack of specifics in the Privacy Report, which is understandable because of the vast diversity of businesses and business models addressed by the Privacy Report. The bigger concern however is the historic practice of the FTC using its own guidance to launch investigations and bring enforcement actions. We have been in the midst of a great experiment; businesses are learning how to harvest new technologies and improve the ways to we communicate, while those same businesses are developing better ways to protect individuals and businesses. By making general statements about what should be required or implemented as good privacy practices, without providing clear rules that should be followed by businesses, the FTC threatens to stifle creativity and possibly limit the benefits to consumers.
As stated previously, the issue comes not from the Privacy Report itself, but rather on the obvious effect that it could have on future enforcement activity by the FTC. As I have written before, the FTC has been using prior enforcement actions and its own guidance -- like the new Privacy Report -- as a basis for launching investigations or instituting enforcement actions alleging unfair competition claims under § 5 of the FTC Act. Often the FTC has used a consent decree to educate the market and clarify what conduct is improper with respect to an otherwise murky standard. In other words, the target of the investigation and enforcement action did not have the benefit of this clarification and so may have incurred the costs and business interruption associated with an investigation even though it may have done its best to implement proper procedures based on what it understood where the standards at the time. The dissent of Commissioner J. Thomas Rosch appears to agree that this is a problem.
This uncertainty is heightened further by the FTC’s position in the Privacy Report on consumer harm. Targets of prior investigations could have, but chose not to, challenge whether there was any evidence (or even an allegation) that any consumer has suffered any harm from the conduct. In fact, many courts have not found cognizable injury in private claims following a data breach or alleged privacy violation because a future risk of harm is insufficient . Reilly v. Ceridian Corporation, Case No. 11-1738 (3rd Cir. Dec. 12, 2011), http://www.ca3.uscourts.gov/opinarch/111738p.pdf. For example, the Privacy Report seems to suggest that a claim might arise where practices “unexpectedly reveal previously private information even absent physical or financial harm, or unwarranted intrusions.” p. 8. In other words, the FTC seeks to expand the definition of harm beyond what courts have found permit a private action to proceed.
As a result, businesses will not know exactly what is required of them or when regulators might change course and criticize an action. Such a situation threatens to inhibit business investment and could stifle growth in technology. The FTC should permit industry to continue the experiment with self regulation, allow market forces to operate and consumer choice to decide the proper course – all influencers that the FTC agrees exist. At a minimum, the FTC should hold off on any enforcement actions until the specific rules are better established. Even better, the FTC should reverse its decision to avoid offering opinions and instead provide companies more specific guidance before procedures are implemented and privacy by design is instituted. Holding open forums will not be enough to overcome this uncertainty.
Until then, the Privacy Report has been issued and many articles will be written on what it covers and what it means for various industries. http://www.govinfosecurity.com/articles.php?art_id=4624.
The vast majority of the Privacy Report’s content was expected, but still lacks the detail needed to provide sufficient guidance. The FTC adopted many of the recommendations set out in the preliminary staff report issued in December 2010, including:
1) Privacy by Design – Building privacy into every stage of product development and including data security, reasonable collection limits (including the right to be forgotten), acceptable retention schedules and data disposal practices, and reasonable accuracy practices.
2) Simplified Choice for Businesses and Consumers (including Do Not Track) – giving consumers more choice and simplifying the notices and processes relating to those choices, getting express permission where the use is materially different from the reason the data was originally collected. Choice is not required where the use is “obvious from the context of the transaction or sufficiently accepted or necessary” for operations involving (a) product and service fulfillment, (b) internal operations, (c) fraud prevention, (d) legal compliance and public purpose, and (e) first-party marketing.
3) Greater Transparency – clearer and simpler privacy notices, a consumer friendly process to determine what information is maintained, and education. Several concerns raised by the FTC go to whether a real choice exists, such as “take it or leave it” policies for important product or services.
The FTC also included many of the concepts we have seen in recent enforcement actions and that various commissioners and staffers have discussed at privacy and security conferences. Not surprisingly, the FTC focused on the following areas:
1) Do Not Track – the FTC applauded the self-imposed process developed by the Digital Advertising Alliance and the World Wide Web Consortium, which includes a standard icon, and process to block targeted advertising and online tracking. http://www.w3.org/2011/track-privacy/papers/Yahoo.pdf
2) Mobile –the FTC has been focused on this particular industry and the absence of privacy notices. For example, the recent inquires into mobile app collection of contact lists on the device. http://business.time.com/2012/03/05/u-s-senator-calls-for-apple-google-mobile-privacy-probe/. The FTC is looking for improved privacy protections and short, meaningful disclosures.
3) Data Broker – defining this industry loosely (any organization that collects information from various sources on a specific consumer), the FTC is asking Congress to enact legislation to create consumer rights to know what is collected, the source, and to know their rights regarding that data (i.e., FCRA-light). For companies using this data for marketing purposes, the FTC seeks a website that identifies these companies, describes the data and how it is collected, and gives consumers details about their rights to access and dispute or delete the data.
4) Large Platform Providers – defining this industry as Internet Service Providers, operating systems, browsers and social media, the FTC wants explore the privacy issues relating to the tracking of online consumer activity, although this could be a means to regulate companies that have so far avoided regulation due to lack of visibility or size (e.g., a small company that develops an app that instead injects malware).
5) Enforceable Self Regulatory Codes – using PCI-DSS and other industry developed standards as an examples, the FTC is looking to develop industry-specific codes of conduct that can later serve as the basis for a deceptive practice claim if not adhered to by a company.
The Privacy Report does include some new additions that further expand the scope of what has been expected of companies and thus within the sights of the FTC. http://techatftc.wordpress.com/2012/03/26/tech-highlights-of-the-ftc-privacy-report/
1) PII includes data linked to a device – to date, the laws have focused on data that is associated with an individual. The FTC wants to expand that definition to regulate the collection and use of data (such as browsing history) associated with a device.
2) De-identified information may still be PII – existing laws require that the data be linked to a specific individual. Companies have found ways to us information that has been stripped of the identifying information, i.e., the specific consumer. For example, removing the identity of the purchaser allows the information to still be used to determine how many items were purchased in a particular zip code. The FTC wants to restrict this practice such that the data is still regulated unless (a) the data is not reasonably identifiable, (b) company commits to not re-identify, and (c) requires any downstream companies not to re-identify the data.
We will all continue to monitor how the Privacy Report is implemented and the FTC enforcement actions that follow. Hopefully, the FTC will allow further conversation on all these points before instituting any investigations or enforcement actions. Walking the line between flexibility and certainty will continue to be a challenge. While the conversation is worthwhile and needs to continue, the FTC will need to proceed carefully so as not to mute open dialogue.