- Privacy by Design – Companies are urged to “incorporate substantive privacy and security protections into their everyday business practices and consider privacy issues systemically, at all stages of the design and development of their products and services.” Companies are urged to collect information only for a specific purpose, limit the amount of time that data is stored, use reasonable safeguards, and develop comprehensive, company-wide privacy programs. However, the FTC staff also recognizes that these measures need to be tailored to each company’s data practices – companies that collect limited amounts of non-sensitive data need not implement the same types of programs required by a company that sells large amounts of sensitive personal data.
- Simplified Choice – Companies should “describe consumer choices clearly and concisely, and offer easy-to-use choice mechanisms . . . at a time and in a context in which the consumer is making a decision about his or her data.” The FTC is proposing a new “laundry list” approach to determine whether or not companies need to provide choice to consumers. For example, defined “commonly accepted practices” generally will not require choice, whereas other practices may require either (1) some type of choice mechanism; (2) enhanced choice mechanism; or (3) even more restrictions than enhanced consent. As this is designed for both online and offline behaviors, categorizing each company’s practices as “commonly accepted” or not could be a daunting task. A chart below outlines the basics of simplified choice.
- Do-Not-Track: The day after the report was issued, the Commerce Department’s NTIA testified to Congress that it would be convening industry and consumer groups to discuss “achieving voluntary agreements” on Do-Not-Track. The FTC would then “ensure compliance with these voluntary agreements, as appropriate.”
- ABA Antitrust Section Members note: Companies in markets with limited competition may be subject to “Enhanced Privacy protections” and/or “Additional Enhanced Privacy Protections.”
- Greater Transparency – Companies should “make their data practices more transparent to consumers”. The FTC suggests developing a standardized policy like the notice templates currently developed for financial companies complying with Gramm-Leach-Bliley. The FTC is also considering whether to increase the transparency of data broker activities and proposes allowing consumers to access (but not necessarily change) profiles compiled about them from many sources.

| Choice Not Required | Choice Mechanism REQUIRED | | | | |
|---|---|---|---|---|---|
| Choice Not Required | No choice, but Additional Transparency (Notice) | (Unspecified – presumably Company Discretion; also Do Not Track) | Enhanced Consent (Affirmative Express Consent) | “Even more heightened restrictions” than Enhanced Consent | Do Not Track |
| 1. “Commonly Accepted Practices”: laundry list of practices, report suggests: first party marketing (FTC seeks comment on scope); internal operations, legal compliance, fraud prevention. | 1. Technically Difficult/not feasible to provide choice mechanism: e.g. Data Brokers? (comment sought) 2. “Enhancement?” – compiling data from several sources to profile consumers (comment sought re: whether choice should be provided about these practices?) | 1. Not “Commonly Accepted Practices” and not “Technically Difficult” e.g. Data Brokers (comment sought). | 1. Sensitive Information for online behavioral advertising; information about children, financial & medical information, precise geolocation data. 2. Sensitive Users: Children; Teenagers (staff seeks comment); Users who lack meaningful choice (lack of competition in market) (staff seeks comment). 3. Changing specific purpose: Use of data in materially different manner than claimed when data was posted, collected, or otherwise obtained. | 1. Lack of alternative consumer choices through Industry factors (competition): Broadband ISP deep packet inspection. 2. Others? | 1. Online Behavioral Advertisers. 2. Others? |