The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



FTC’s Data Privacy Staff Report – Comments Due Jan. 31

Last week, the Federal Trade Commission released its long-awaited privacy report.  Called “Protecting Consumer Privacy in an Era of Rapid Change”, the 79-page preliminary staff report outlines a framework for consumer privacy based on three principles: (1) Privacy By Design; (2) Simplified Choice; and (3) Transparency. 
 
Some of its key proposals include: a “Do Not Track” browser add-on and other changes to consumer privacy choices; broadening the scope “to all commercial entities that collect consumer data in both offline and online contexts, regardless of whether such entities interact directly with consumers;” and looking at whether COPPA-style consent requirements should apply to teenagers. The FTC is requesting comments on the report by January 31, 2011, and plans to issue a final report later in 2011. Annexed to the report are six pages of questions to which the FTC seeks comments.
 
The first half of the report discusses the principles of “notice and choice” and “harm” that have formed the basis for the FTC’s privacy-related policy work, educational efforts, and enforcement actions. It also summarizes the FTC’s activities and provides an overview of key issues raised during several years of roundtable discussions involving consumer advocacy groups, businesses, academicians and others. The second half of the report expands on the new principles, which appear to simply consolidate and expand upon the earlier principles – “notice” becomes “transparency”, “choice” becomes “simplified choice”, and “harm” becomes “privacy by design”:
  • Privacy by Design – Companies are urged to “incorporate substantive privacy and security protections into their everyday business practices and consider privacy issues systemically, at all stages of the design and development of their products and services.” Companies are urged to collect information only for a specific purpose, limit the amount of time that data is stored, use reasonable safeguards, and develop comprehensive, company-wide privacy programs. However, the FTC staff also recognizes that these measures need to be tailored to each company’s data practices – companies that collect limited amounts of non-sensitive data need not implement the same types of programs required by a company that sells large amounts of sensitive personal data.
  • Simplified Choice – Companies should “describe consumer choices clearly and concisely, and offer easy-to-use choice mechanisms . . . at a time and in a context in which the consumer is making a decision about his or her data.”  The FTC is proposing a new “laundry list” approach to determine whether or not companies need to provide choice to consumers. For example, defined “commonly accepted practices” generally will not require choice, whereas other practices may require either (1) some type of choice mechanism; (2) enhanced choice mechanism; or (3) even more restrictions than enhanced consent. As this is designed for both online and offline behaviors, categorizing each company’s practices as “commonly accepted” or not could be a daunting task.  A chart below outlines the basics of simplified choice.
    • Do-Not-Track: The day after the report issued, the Commerce Department’s NTIA testified to Congress that it would be convening industry and consumer groups to discuss “achieving voluntary agreements” on Do-Not-Track. The FTC would then “ensure compliance with these voluntary agreements, as appropriate.”
    • ABA Antitrust Section Members note: Companies in markets with limited competition may be subject to “Enhanced Privacy protections” and/or “Additional Enhanced Privacy Protections.” 
  • Greater Transparency – Companies should “make their data practices more transparent to consumers”. The FTC suggests developing a standardized policy like the notice templates currently developed for financial companies complying with Gramm-Leach-Bliley. The FTC is also considering whether to increase the transparency of data broker activities and proposes allowing consumers to access (but not necessarily change) profiles compiled about them from many sources.
Two Commissioners issued concurring statements to the proposed framework. Commissioner Kovacic called some of the recommendations “premature” – including the Do-Not-Track proposal. He also pointed out that the report lacked consideration of the existing federal and state oversight of privacy concerns. Commissioner Rosch issued a concurring statement that applauds the report as a useful “hortatory exercise”, but criticizes the new approach. He states that it could be overstepping the FTC’s bounds to consider “reputational harm” and “other intangible privacy interests” if no deception is involved.
 
Stay tuned – there are many privacy developments on the horizon. In remarks delivered with the report, Chairman Leibowitz declared that “despite some good actors, self-regulation of privacy has not worked adequately and is not working adequately for American consumers.” He signaled that the FTC will be bringing more cases in the coming months – and that cases involving children are of particular interest.  In addition, the Commerce Department’s “green paper” on Commercial Data Privacy is expected soon.
 
Table – Simplified Choice

Choice Not Required
  • Choice Not Required
    1. “Commonly Accepted Practices”: Laundry list of practices, report suggests: first party marketing (FTC seeks comment on scope); internal operations, legal compliance, fraud prevention.
  • No choice, but Additional Transparency (Notice)
    1. Technically Difficult/not feasible to provide choice mechanism: e.g. Data Brokers? (comment sought)
    2. “Enhancement?” – compiling data from several sources to profile consumers (comment sought re: whether choice should be provided about these practices?)

Choice Mechanism REQUIRED
  • (Unspecified – presumably Company Discretion; also Do Not Track)
    1. Not “Commonly Accepted Practices” and not “Technically Difficult” e.g. Data Brokers (comment sought).
  • Enhanced Consent (Affirmative Express Consent)
    1. Sensitive Information for online behavioral advertising; information about children, financial & medical information, precise geolocation data.
    2. Sensitive Users: Children: Teenagers (staff seeks comment); Users who lack meaningful choice (lack of competition in market) (Staff seeks comment).
    3. Changing specific purpose: Use of data in materially different manner than claimed when data was posted, collected, or otherwise obtained.
  • “Even more heightened restrictions” than Enhanced Consent
    1. Lack of alternative consumer choices through Industry factors (competition): Broadband ISP deep packet inspection.
    2. Others?
  • Do Not Track
    1. Online Behavioral Advertisers.
    2. Others?
 



Microsoft Announces Do Not Track Feature in IE9

Yesterday, Microsoft announced that Internet Explorer 9, which will be released next year, will have a do not track feature called Tracking Protection.  This feature will rely on lists that users create that show what sites the individual user does not want to share information with.  Lists can be created by individuals or organizations.  Organizations, like consumer advocacy groups, can make lists available for anyone to use.   In its blog, Microsoft said about the new feature: "We believe that the combination of consumer opt-in, an open platform for publishing of Tracking Protection Lists, and the underlying technology mechanism for Tracking Protection offer new options and a good balance between empowering consumers and online industry needs."

The New York Times reported that FTC chairman Jon Leibowitz stated that he was encouraged by Microsoft’s move and that "this announcement proves that technology is available to let consumers control tracking."



Announcing Program on the FTC’s New Privacy Report

Please join us Tuesday, December 14th from 12noon-1:30pm for a telephonic program:  The FTC’s New Privacy Report:  What You Need to Know.  The featured speaker will be Jessica Rich, Deputy Director of the FTC’s Bureau of Consumer Protection.  She will provide background on the report, highlight its key proposals, and discuss the process going forward, including the opportunity to submit public comments in response to the proposed framework.  The session, which will include a Q&A opportunity, will be moderated by two distinguished privacy scholars, Fred Cate of Indiana University School of Law and Jeffrey Rosen of The George Washington University Law School.  Don’t miss this chance to hear directly from the FTC about the report!

The program is sponsored by the ABA Antitrust Section’s Privacy and Information Security, Civil Enforcement, Consumer Protection and Private Advertising Litigation Committees. 

To register, click here.



Texas State Employees’ Birth Dates are Private

On Friday, the Texas Supreme Court issued a decision that state employees’ birth dates are private and therefore exempt from open records requests. 

The case arose because the Dallas Morning News had requested a copy of the Comptroller’s payroll database for state employees.  The Comptroller responded with the full name, age, race, sex, salary, agency, job description, work address, pay rate, and work hours for each employee.  However, the Comptroller withheld birth dates, stating that they were confidential. 

The Texas Public Information Act exempts from disclosure information from a "personnel file, the disclosure of which would constitute a clearly unwarranted invasion of personal privacy." Tex. Gov’t Code § 552.102(a).  The court discussed the potential for identity theft as a result of disclosure of birth dates, noting that birth dates are a valuable piece of information for identity thieves and that "almost every major consumer protection entity … advises citizens against publicizing their dates of birth or using their dates of birth as pin numbers and passwords."

Concluding that state employees have a "nontrivial privacy interest" in their birth dates, the court then examined whether the public interest outweighed those privacy interests.  The Dallas Morning News argued that the public has an interest in monitoring the government, and that birth dates could be used to determine whether school districts and hospitals have hired convicted felons or sex offenders.  However, since the Dallas Morning News failed to produce evidence of specific government wrongdoing, the court rejected this argument.  Additionally, the Comptroller had demonstrated that each employee was distinguishable using only the information produced.  Thus the court held that the state employees’ privacy interests "substantially" outweighed the public interest, and concluded that "disclosing employee birth dates constitutes a clearly unwarranted invasion of personal privacy."

The Freedom of Information Foundation of Texas expressed disappointment with the decision, stating that birth dates are vital information for journalists, researchers, and others using databases to identify an individual.  They also noted that the state of Texas sells birth date information on a regular basis, and that the ruling could cost the state tens of millions of dollars each year.



New FTC Privacy Report – Telephone Press Conference Today – Dec. 1, 2010

Dec. 1, 2010.   The Federal Trade Commission Chairman Leibowitz, Deputy Director of the Bureau of Consumer Protection Jessica Rich, and Chief Technologist Edward Felten will be holding a telephone conference this afternoon at 1pm to answer reporters’ questions about the new FTC privacy report released today.  

Call-in lines (press only):

United States – (800) 398-9367 /  International – (612) 332-0820

Confirmation # – 182971

For more information, contact the FTC Office of Public Affairs – 202-326-2180



November Privacy and Information Security Update Program – Dec. 9

Please join us on Thursday, December 9 from 1:00 pm – 2:00 pm EST for our next privacy and information security update program. Reed Freeman, Julie O’Neil, and Kimberly Robinson of Morrison & Foerster LLP will discuss legislative, regulatory, enforcement and litigation developments that have taken place during the month of November. Aryeh Friedman of Pfizer will moderate. For information about membership, or to RSVP for call-in details, please contact Jeanne Welch at jawelch@vorys.com.



“Do Not Track” – House Committee Hearings – Dec. 2

The House Commerce Committee’s hearing on the FTC’s proposed "Do Not Track" registry is scheduled for tomorrow, December 2nd. Details, along with a witness list, are on the House Commerce Committee’s website.
According to the announcement, the hearing "will examine the feasibility of establishing a mechanism that provides Internet users a simple and universal method to opt-out from having their online activity tracked by data-gathering firms."  It is not clear whether tomorrow’s hearing will address hybrid online/offline tracking. Apple responded in July to a Congressional letter regarding its GPS-based tracking practices, but it is not on the invited witness list.
The concept of a universal “Do Not Track” list traces back to at least 2007, when an alliance of privacy groups proposed a list to the FTC, modeled after the FTC’s successful “Do Not Call” list (See Wall Street Journal Article).