Sweeping changes to the existing sector-focused privacy rules in the US have been proposed by two US agencies – one responsible for protecting consumers and the other for promoting commerce. These proposals have been issued at a time when the US appears to be engaged in ever greater cooperation with the EU on privacy and data protection matters, far more so than in the past. A summary of the key provisions of each report is provided below.
In December 2010 the Federal Trade Commission (FTC) released a preliminary report titled Protecting Consumer Privacy in an Era of Rapid Change (the Report), which proposed a new framework for consumer privacy. The Report comes out of a series of public roundtables hosted by the FTC aimed at exploring the effectiveness of current privacy standards, and soliciting ideas regarding how to address new and ever-evolving challenges in the area of privacy. The FTC plans to issue final recommendations before the end of 2011.
Of particular note in the Report is the sweeping scope of the newly proposed framework, which applies to “all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device.” The FTC’s focus extends to both the offline and online collection of sensitive information “regardless of whether [the collecting] entities interact directly with consumers.” Additionally, the FTC’s interest is not limited to the collection of so-called “personally identifiable information.” Rather, information that can be linked to a specific computer or other device is also captured by the reach of this new framework. This latter deviation appears to have been an acknowledgment of the fact that the distinction between personally identifiable information and non-personally identifiable information is being blurred by technology that can “re-identify” consumers from allegedly anonymous data.
The newly proposed framework consists of three principal components aimed at enhancing consumer privacy. First, the FTC proposes that companies adopt a “privacy by design” approach in which privacy protections are incorporated into a company’s everyday business practices in a systematic manner. These protections include, for example, providing reasonable security safeguards for consumer data, collecting only the data required for a specific business need, implementing reasonable data retention periods and taking steps to ensure data accuracy (particularly if such data could be used to deny benefits or cause harm).
Second, the FTC suggests that companies should provide a simplified choice for consumers deciding whether to have their information shared. The framework proposes a two-pronged approach to choice, which acknowledges that there are certain uses of information for which consumers do not need to exercise a choice. Specifically, the framework proposes a number of “commonly accepted practices” (which are open for comment) – such as product service fulfillment or internal operations – for which companies should not need to seek consumer consent once the consumer opts to use the product or service in question. Any uses beyond these routine practices would require companies to give consumers the ability to make a meaningful and informed choice with respect to collection and use of their personal data. The FTC also notes that, regardless of the context in which the consumer chooses to not have his or her information collected or used, the choice should remain constant and not be subject to repeated requests for consent by the company. The Report discusses various concepts of “informed consent” (including a discussion of opt-in versus opt-out provisions), but does not favor one approach over another. Among others, this is one topic on which the FTC is seeking public comment.
In connection with a somewhat more particularized discussion of choices available to consumers in the context of behavioral advertising, the FTC indicates its support for what it believes to be a comprehensive consumer choice mechanism, referred to as “Do Not Track.” The effect of this mechanism would be to prevent websites and online services from tracking consumers’ browsing activities. Congressional committees have already met to discuss the “Do Not Track” construct. It is likely that the FTC’s suggestions and the questions raised in the Report will continue to provide a rich source for Congressional and industry debate in the coming months.
Third, the Report states that companies should promote greater transparency of their data collection practices. The simplified choice mechanisms discussed above are one manner in which companies can increase transparency. To this end, the FTC recommends that website privacy policies be simplified and that consumers be able to access the data that companies have collected about them. Improving the ability of consumers to compare data collection practices across companies could result in a competitive market for privacy. Another method for promoting transparency is to make a prominent disclosure to consumers before making material changes to a company’s data collection policies. Finally, the FTC encourages parties to educate consumers about commercial privacy practices as a means of achieving greater transparency and awareness among consumers.
Commerce Department Report
Also in December 2010 the US Department of Commerce’s Internet Policy Task Force issued a green paper titled “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework” (Green Paper). The Commerce Department recounts the growth of the Internet-based economy over the past 15 years, and how the use of personal information for commercial purposes has helped spur this growth. The Commerce Department suggests, however, that privacy laws have failed to keep up with the growing use of personal information online for commercial purposes, which is causing consumers to have a “sense of insecurity” as to whether new technologies and services will cause harm. Further, the Green Paper contends that a key foundation for the success of the Internet-based economy has been consumer trust. If, however, consumers perceive greater risk to their privacy, this trust will erode and consumers will hesitate to embrace new services and technologies, thus impeding economic development and growth.
Based on a review of privacy practices, law and policy, as well as public comments, the Green Paper presents a “Dynamic Privacy Framework” (Framework) for online commercial privacy for consideration by businesses, legislators and public policy leaders. The Framework provides four broad categories of policy recommendations, described below, that are intended to balance the goals of protecting online consumer privacy while bolstering continued innovation and economic growth. The Commerce Department does not present specific policy recommendations in the Green Paper. If appropriate, however, the Department may consider specific proposals in a subsequent white paper. It should also be noted that the Framework would apply only to commercial privacy policies and not personal information collected by the federal government or specific industry sectors, such as health care, financial services or education, that are covered by their own privacy laws and policies.
First, the Framework includes a call to “revitalize” Fair Information Practice Principles (FIPPs) by having the US government adopt a “baseline” set of FIPPs for commercial data privacy in the United States. Government recognition of a standard set of FIPPs should promote informed consent and transparency without imposing undue burdens on commercial entities, promote the development and use of voluntary codes of conduct, create safe harbors against FTC enforcement, and lower barriers to foreign trade.
Third, consistent with its mission to support economic development for US interests, the Commerce Department states that there is an “urgent need” for US leadership on global privacy issues. Differences between US and other national privacy laws are barriers to foreign trade. Consequently, the United States should lead in the development of an online privacy framework that promotes both consumer trust and innovation. Legislators and public policy leaders should pursue the goal of decreasing regulatory barriers to trade and commerce for US businesses by promoting global privacy interoperability based on long-standing principles developed by the Organisation for Economic Cooperation and Development (OECD) and Asia-Pacific Economic Cooperation (APEC).
Finally, the Green Paper calls for the development of a federal commercial data security breach notification law to establish national standards and obligations for private industry, which would be enforceable by the FTC and states. There are already a number of data breach laws at the state level, but not at the national level. The Commerce Department believes that a national approach to data breaches would encourage compliance by industry and reduce the costs for doing so because companies could develop a single, nationwide data management program.
It appears likely that the new US Congress will take up privacy issues, and the effort to do so seems to enjoy bipartisan support. Certainly, Congress will review the two Reports as it considers any possible privacy legislation.
As legal developments in this area seem likely, companies should revisit their data privacy practices and consider what steps would need to be taken to comply with the types of measures outlined in the Reports. If you have any questions about the Reports or any data privacy issues, please contact your principal Squire Sanders lawyer or one of the individuals listed in this Alert.