Federal Trade Commission's privacy report released today
support a "Do Not Track" Mechanism that will help give
people control of the collection and use of their
personal data when they are online.
In the report, "Protecting Consumer Privacy in an Era of
Rapid Change: A Proposed Framework for Businesses and
Policymakers," the FTC also recommends that U.S. congress
consider enacting general privacy legislation, data
security and breach notification legislation, and data
"If companies adopt our final recommendations for best
practices ? and many of them already have - they will be
able to innovate and deliver creative new services that
consumers can enjoy without sacrificing their privacy,"
said Jon Leibowitz, Chairman of the FTC. "We are
confident that consumers will have an easy to use and
effective Do Not Track option by the end of the year
because companies are moving forward expeditiously to
make it happen and because lawmakers will want to enact
legislation if they don't."
The final privacy report expands on a preliminary staff
report the FTC issued in December 2010. The final report
calls on companies handling consumer data to implement
recommendations for protecting privacy, including:
- Privacy by Design - companies should build in
consumers' privacy protections at every stage in
developing their products. These include reasonable
security for consumer data, limited collection and
retention of such data, and reasonable procedures to
promote data accuracy;
- Simplified Choice for Businesses and Consumers -
companies should give consumers the option to decide what
information is shared about them, and with whom. This
should include a Do-Not-Track mechanism that would
provide a simple, easy way for consumers to control the
tracking of their online activities.
- Greater Transparency - companies should disclose
details about their collection and use of consumers'
information, and provide consumers access to the data
collected about them.
The final report notes that the FTC received over 450
comments on the staff's preliminary recommendations.
Based on technological advances and industry developments
since the December 2010 staff report and in response to
the comments, the agency revised its recommendations.
Firstly, the final report changes the guidance's scope.
The preliminary report recommended that the proposed
framework apply to all commercial entities that collect
or use consumer data that can be linked to a specific
consumer, computer, or other device. Recognizing the
potential burden on small businesses, the report
concludes that the framework should not apply to
companies that collect and do not transfer only
non-sensitive data from fewer than 5,000 consumers a
year. The report also responds to comments filed by
organizations and individuals that, with technological
advances, more and more data could be "reasonably linked"
to consumers, computers, or devices. The final report
concludes that data is not "reasonably linked" if a
company takes reasonable measures to de-identify the
data, commits not to re-identify it, and prohibits
downstream recipients from re-identifying it.
The report also refines the guidance for when companies
should provide consumers with choice about how their data
is used. It states that whether a practice should include
choice turns on the extent to which the practice is
consistent with the context of the transaction or the
consumer's existing relationship with the business or is
required or specifically authorized by law. These
practices include product fulfillment and fraud
The report also contains important recommendations
regarding data brokers. It notes that data brokers often
buy, compile, and sell highly personal information about
consumers. Consumers are often unaware of their existence
and the purposes to which they use the data. The report
makes two recommendations to increase the transparency of
such practices. First, it reiterates the Commission's
prior support for legislation that would provide
consumers with access to information held by data
brokers. Second, it calls on data brokers who compile
consumer data for marketing purposes to explore creation
of a centralized website where consumers could get
information about their practices and their options for
controlling data use.
While the U.S. Congress considers privacy legislation,
the FTC urges individual companies and self-regulatory
bodies to accelerate the adoption of the principles
contained in the privacy framework, to the extent they
have not already done so. Over the course of the next
year, Commission staff will work to encourage consumer
privacy protections by focusing on five main action
- Do-Not-Track - The Commission commends the progress
made in this area: browser vendors have developed tools
to allow consumers to limit data collection about them,
the Digital Advertising Alliance has developed its own
icon-based system and also committed to honor the browser
tools, and the World Wide Web Consortium
standards-setting body is developing standards. "The
Commission will work with these groups to complete
implementation of an easy-to-use, persistent, and
effective Do Not Track system," the report says.
- Mobile - The FTC urges companies offering mobile
services to work toward improved privacy protections,
including disclosures. To that end, it will host a
workshop on May 30, 2012 to address how mobile privacy
disclosures can be short, effective, and accessible to
consumers on small screens.
- Data Brokers - The Commission calls on data brokers to
make their operations more transparent by creating a
centralized website to identify themselves, and to
disclose how they collect and use consumer data. In
addition, the website should detail the choices that data
brokers provide consumers about their own information.
- Large Platform Providers - The report cited heightened
privacy concerns about the extent to which platforms,
such as Internet Service Providers, operating systems,
browsers and social media companies, seek to
comprehensively track consumers' online activities. The
FTC will host a public workshop in the second half of
2012 to explore issues related to comprehensive tracking.
- Promoting Enforceable Self-Regulatory Codes - The FTC
will work with the Department of Commerce and industry
stakeholders to develop industry-specific codes of
conduct. To the extent that strong privacy codes are
developed, when companies adhere to these codes, the FTC
will take that into account in its law enforcement
efforts. If companies do not honor the codes they sign up
for, they could be subject to FTC enforcement actions.