The Federal Trade Commission (FTC) issued its much-awaited final privacy report, “Protecting Consumer Privacy in an Era of Rapid Change, Recommendations for Businesses and Policymakers” (the Report).
The Report provides companies with self-regulation guidelines, and it calls for businesses collecting consumer data to implement best practices to protect this data. According to the Report, “the framework is meant to encourage best practices and is not intended to conflict with requirements of existing laws and regulations” (p.16).
The FTC believes that self-regulation has not yet gone far enough, with the expectation of Do Not Track (p. 11). Yet, the Report also recommends that Congress pass baseline and technologically neutral privacy legislation, as well as data security legislation. Privacy legislation would give businesses clear guidance, and would also serve as a deterrent by providing remedies to aggrieved parties. The FTC also recommends the passage of legislation targeted at data brokers, which would allow consumers to have access to their personal data held by data brokers.
Scope of the Privacy Framework
The framework would apply to all commercial entities collecting or using consumer data that can be reasonably linked to a specific consumer, computer, or other device.
It would not apply however, to entities collecting only non-sensitive data from fewer than 5,000 consumers a year, if they do not share that data with third parties, thus to avoid an entity out of the scope of the Framework from selling its collected data to a data broker.
As noted by the Report, HR 5777, the Best Practices Act, contained a similar exclusion, for entities collecting information for fewer than 10,000 individuals during any 12-month period, if the data is not sensitive.
The frameworks would, however, apply to both online and offline data. That way data collected by data brokers would be included in its scope. Also, as noted by the FTC, consumer data collection is ‘ubiquitous,’ whether it occurs online and offline, and the privacy concerns these practices raise are similar (p. 17).
The framework would apply to data that is reasonably linkable to a specific consumer, computer, or device (p. 18).
Under the final framework, data would not be considered as “reasonably linkable to a particular consumer or device” if a company implements three signification protections for that data (p. 21):
– Taking reasonable measures to ensure that the data is de-identified
– Publicly commit to maintain and use the data in a de-identified fashion
– If making the de-identified data available to third parties, prohibiting by contract that third parties attempt to re-identify the data
Interestingly, the issue of what is personal data is also debated right now in the European Union EU). Recital 24 of the recent EU Commission data protection proposal hints that IP addresses or cookies do not need to be necessarily considered as personal data, as they need to be combined with unique identifiers and other information to allow identification. In a recently published opinion on the proposal, the Article 29 Working Party stated that personal data needs to be more extensively defined, as being all data related to an identifiable individual, and that IP addresses should thus be considered related to identifiable individuals, especially if processing IP addresses or cookies is done to identify users of the computer.
Privacy by Design
The baseline is that “[c]ompanies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services” (p. 22).
Such Privacy protections include four substantive principles:
– Data security
– Reasonable collection limits
– Sound retention practices
– Data accuracy
The Report notes that the FTC has been enforcing data security obligations under Section 5 of the FTC Act, the FCRA and the GLBA (p. 24) and also notes that several companies have already implemented data security protection measures, such as secure payment card data, browser privacy, or SSL encryption (p.25).
Reasonable Collection Limit
The FTC believes that companies should limit data collection “to that which is consistent with the context of a particular transaction or the consumer’s relationship with the business, or as required or specifically authorized by law” (p. 27).
Sound Data Retention
Companies should not retain data if it is no longer necessary for the legitimate purpose for which is has collected. The FTC does not, however, set a data retention timetable. Instead, it states that the data retention period can be flexible, and may vary according to the type of data collected and its intended use (p. 29).
What companies would have to do in order to ensure the accuracy of the data collected depends on the data’s intended use and whether it is sensitive data or not.
Part II to be posted later this week.