The Federal Trade Commission recently released its long-awaited Final Report on protecting consumer privacy, in which it stated that consumers should have more choice and control over how their personal information is collected and used. The FTC’s Final Report offers non-binding recommendations for companies “that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device.” The Final Report comes more than a year after the FTC first issued its proposed framework for regulating consumer privacy and just a month after the White House released a proposed Consumer Privacy Bill of Rights.
Recognizing the potential burden of the Final Report’s recommendations on small businesses, the FTC stated that its conclusions did not apply to companies that merely collect, and do not transfer, non-sensitive data on fewer than 5,000 consumers a year. Similarly, a company’s data collection practices may fall outside the scope of the Final Report if: (1) a given data set has been reasonably stripped of personally identifiable information; (2) the company publicly commits not to re-identify such information; and (3) the company requires any secondary users of the data to keep it in de-identified form. While the majority of the Final Report discusses protecting consumer privacy online, the FTC noted that its recommendations would also apply to companies collecting personal information offline, such as financial institutions and the healthcare industry. With these qualifications, the Final Report provides three best practices for companies collecting personal information from consumers:
(1) Privacy By Design
The Final Report recommends that companies build in consumer privacy protections at every stage of the development of their products and services. Specifically, companies should incorporate reasonable procedures for collecting, securing, and retaining customer data. The Final Report commends a number of leading online service companies that have adopted stringent encryption systems in the face of increasing cyberattacks. Companies should limit data collection to activities that are “consistent with the context of a particular transaction,” and provide prominent notices to consumers regarding the collection of data unrelated to the requested service. Companies should also destroy consumer data when the company no longer needs this information to provide the requested service. On this point, the FTC expressed support for offering consumers an “eraser button” on social media websites to allow the deletion of personal information at the user’s discretion. Additionally, companies should ensure that data collected remains accurate and offer customers an opportunity to correct erroneous information. If companies adopted these policies, the default privacy settings of most online services would be strong.
(2) Simplified Consumer Choice
The FTC also advised companies to provide easy-to-use mechanisms allowing customers to determine how their data is collected and used. The application of the simplified consumer choice policy will vary depending on the context of the interaction between the company and the consumer. For example, a car dealership may send a coupon to a customer based upon personal information obtained during prior purchases at the dealership without providing the customer with a choice. By contrast, if the car dealership intends to sell that customer’s personal information to a third-party data broker for use in unrelated marketing activities, the car dealership must provide the consumer with the ability to prevent the sale of his or her information.
For most online services, the FTC suggested that companies allow users to choose data sharing preferences during the registration process or, at a minimum, before any personal information is collected. The FTC identified company practices requiring consumers to disclose personal data in order to obtain important services on a “take it or leave it” basis as especially problematic and inconsistent with the public interest.
The Final Report generally concludes that companies should provide consumers with the ability to opt out of being tracked across third parties’ websites. However, the FTC stopped short of recommending that Congress pass “do not track” legislation and stated that the FTC would work closely with stakeholders to develop an industry-led solution. The FTC reaffirmed its commitment expressed in recent enforcement actions to requiring companies to give prominent disclosures and to obtain express affirmative consent for material retroactive changes to privacy policies and before collecting especially sensitive information such as health, financial, and precise geolocation data. The Final Report indicates that the FTC will host a workshop on the concerns raised by the data collection practices of large ISPs, search engines, and social networking platforms later this year.
(3) Information Collection Transparency
The Final Report also encourages transparency by recommending that companies give consumers more options for accessing their personal data. Specifically, the FTC indicated its support for recent legislation that would give consumers access rights to information held by data brokers. The Final Report also suggests that the data broker industry should explore the idea of creating a centralized website where data brokers identify themselves to consumers, describe how they collect consumer data, and disclose the types of companies to which they sell information. At a minimum, the Final Report asks all companies collecting personal data to improve their consumer outreach and education efforts relating to data privacy practices.