On March 26, 2012, the Federal Trade Commission issued a new privacy report entitled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.” The report charts a path forward for companies to act in the interest of protecting consumer privacy.
In his introductory remarks, FTC Chairman Jon Leibowitz indicated his support for Do Not Track stating, “Simply put, your computer is your property; no one has the right to put anything on it that you don’t want.” In later comments he predicted that if effective Do Not Track mechanisms are not available by the end of this year, the new Congress likely would introduce a legislative solution.
The FTC’s privacy framework focuses on three principles (privacy by design, simplified consumer choice and transparency), and provides steps companies can take to implement them. These principles are reflected in recent FTC consent orders entered into with Google and Facebook, and they mirror similar requirements in the European Commission’s proposed privacy regulation.
The simplified choice principle builds on the preliminary 2010 report which excluded five categories of “commonly accepted” information collection and use practices. Instead, the final report took a modified approach that relies on the context of the transaction. This gives companies greater flexibility but requires them to assess that context of the interaction. This furthers the need for a company to have a comprehensive program.
The FTC has indicated that its principles should facilitate global interoperability: they are consistent with both the APEC Privacy Framework and the OECD guidelines, and the privacy by design principle specifically is reflected in forthcoming guidance from Canadian privacy authorities. Privacy by design requires implementation of privacy protections in all aspects of a company’s business operations, which has been a key element of the Centre for Information Policy Leadership’s work on accountability. Commonly accepted information collection and use practices were first articulated by the Business Forum on Consumer Privacy.
The FTC’s report recommends that Congress act in three areas, calling for baseline privacy legislation and renewing the call for legislation to address issues surrounding data security and the activities of data brokers. The report also identifies five ways in which the FTC intends to promote the framework’s implementation through policymaking in 2012, calling on the business community to join the Commission in its efforts to:
- Work with browser makers, the Digital Advertising Alliance and the World Wide Web Consortium to complete work started on a Do Not Track solution.
- On May 30, 2012, convene a workshop to explore how to make privacy disclosures for mobile applications short, effective and accessible.
- Encourage data brokers to create a centralized website that identifies data brokers and describes the access rights and other choices they offer consumers.
- In late 2012, host a workshop to consider issues surrounding large platform providers that track consumers’ online activities (e.g., ISPs, operating systems, browsers, social media). A senior FTC staffer indicated that these providers’ ubiquitous information collection practices create privacy concerns that cannot effectively be managed by consumer choice alone.
- Participate in the Department of Commerce’s multi-stakeholder process to develop binding codes of conduct, and use the FTC’s authority to prosecute unfair and deceptive practices to enforce such codes when companies assert they will abide by them.
The report issued today was adopted by a 3-1 vote of the Commissioners. Commissioner J. Thomas Rosch issued a dissenting statement citing his concerns that the FTC is emphasizing unfairness rather than deceptiveness in promoting the principles, and that support for the report’s findings by large businesses might stifle innovation.
The FTC’s report is being released just over a month after the Obama Administration issued its Consumer Privacy Bill of Rights, which also calls for increased transparency in privacy and data security practices.