On March 26, 2012, the FTC released its final report titled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Business and Policymakers.”  The report reflects feedback from the FTC’s privacy roundtables as well as over 450 public comments received in response to its proposed framework released in December 2010.  The framework applies to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer or other device, with an exemption for entities that collect only non-sensitive data from fewer than 5,000 consumers per year and do not share the data with third parties.

The FTC has called on individual companies, trade associations and self-regulatory bodies to adopt the principles contained in the report, specifically:

  • Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services. 
    • Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy.
    • Companies should maintain comprehensive data management procedures throughout the life cycle of their products and services.
  • Companies should simplify consumer choice.
    • Companies do not need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company’s relationship with the consumer, or are required or specifically authorized by law.
    • For practices requiring choice, companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data.  Companies should obtain affirmative express consent before (1) using consumer data in a materially different manner than claimed when the data was collected, or (2) collecting sensitive data for certain purposes. 
  • Companies should increase the transparency of their data practices.
    • Privacy notices should be clearer, shorter, and more standardized to enable better comprehension and comparison of privacy practices.
    • Companies should provide reasonable access to the consumer data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of its use.
    • All stakeholders should expand their efforts to educate consumers about commercial data privacy practices.

Additionally, the FTC has committed to being active in the following areas over the next year:

  • Do Not Track – While progress has been made in implementing Do Not Track, the FTC has stated that it will continue to work with the Digital Advertising Alliance and the World Wide Web Consortium to “…complete implementation of an easy-to use, persistent, and effective Do Not Track system.”
  • Mobile – The FTC has initiated a project to update its business guidance about online advertising disclosures. 
  • Data Brokers – The FTC has indicated that it supports legislation that would provide consumers with access to their information that is in the possession of data brokers.  The FTC has also called on data brokers to create “…a centralized website where data brokers can (1) identify themselves to consumers and describe how they collect and use consumer data and (2) detail the access rights and other choices they provide with respect to the consumer data they maintain.”
  • Large Platform Providers – The FTC has expressed concerns regarding the tracking of consumers by ISPs, operating systems, browsers and social media.  
  • Promoting Enforceable Self-Regulatory Codes – The FTC has stated that it will participate in the Department of Commerce’s project to facilitate the development of sector-specific codes of conduct.  The FTC has indicated that, to the extent strong privacy codes are developed, adherence to such codes will be viewed favorably by the FTC.   

A copy of the report is available here.