The preliminary Staff Report issued by the FTC earlier this month is the most aggressive effort by the FTC to date on the issue of online and mobile privacy generally. The preliminary Staff Report proposes a “do not track” mechanism along with an overall online privacy framework that would rigidly regulate how information is collected both online and through mobile devices, how it can be used, and how it must be stored. Deviating from the distinction between “personally-identifiable information” and “non-personally-identifiable information” that has formed the foundation for other privacy regulations and legislation, the framework proposed in the preliminary Staff Report maintains that such dichotomy is no longer relevant. Because this is arguably a profound change in the existing state of regulation in this area, the preliminary Staff Report is being circulated for comment before it becomes final. This article provides a basic outline of the proposed framework for those who may not already be familiar with the preliminary Staff Report.

In December 2009, the FTC launched a series of roundtable discussions and included a wide range of participants– academics, technologists, privacy experts, businesses, consumer advocates and regulators. These discussions recognized the tension between privacy and innovation. On the one hand, the participants recognized a “need to improve transparency [on how the information is being used], simplify the ability of consumers to exercise choices about how their information is collected and used, and ensure that businesses take privacy-protective measures as they develop and implement systems.” On the other hand, the FTC received input that any proposed regulations to restrict the exchange and use of consumer data should be carefully drawn so as to preserve the substantial consumer benefits. These benefits include underwriting the cost of providing the social media and Web sites, and allowing businesses to develop new products and services with convenience and cost savings to consumers. For example, some people may prefer seeing pop up ads relating to products they have purchased in the past than having “spam” ads that have nothing to do with their individual buying decisions.

Here is the proposed framework for businesses. This is a preliminary proposal that includes some “vanilla” provisions with which many people seem to be in agreement. The major dispute concerns the “opt out” – “Do Not Track” – provision because it raises an immediate concern that innovation and development will be stunted.

  1. Scope: The guidelines will apply to all commercial entities that collect or use consumer data that can be reasonably identified to a specific consumer, computer or other device.
  2. Companies should incorporate privacy protections into their business practices such as data security, the collection of a reasonable amount of information and not more, sound retention practices (not an unduly long period of time), and data accuracy (so misinformation is not reported on consumers).
  3. Companies should simplify consumer choice with standardized and less lengthy privacy disclosures that are more understandable. In the past, companies had been using what is referred to as the “notice-and-choice” model. However, the FTC Report states this model has been unsuccessful because “it has led to long, incomprehensible privacy policies that consumers typically do not read, let alone understand.” Thus, consumers typically indicate that they have read the privacy policy in order to have access to something, such as Facebook, YouTube or Twitter, when they are just checking the box without reading or understanding the privacy disclosure. The FTC Report also states the opinion that self-regulation by the industry has failed to provide adequate protection.
  4. The disclosure should also disclose and get consent for how the information is going to be used and provide it at the time the consumer is making a decision to share his information. The disclosure should include the anticipated ways in which the information will be used since the proposed guidelines would limit the future use of the information accordingly.
  5. A special choice mechanism for online behavioral advertising where the consumer can choose “Do Not Track” as an option.

The “Do Not Track” provision is the most controversial guideline in the preliminary Staff Report. It has been criticized in a Concurring Statement of Commissioner J. Thomas Rosch as being a serious threat to the important benefits to consumers and businesses that the preliminary Staff Report recognizes are a direct result of the increasing flow of information. Commissioner Rosch cites to the benefits listed in the preliminary Staff Report:

“[B]enefits specific to business models such as online search, online behavioral advertising, social networking, cloud computing, mobile technologies, and health services. Participants noted that search engines provide customers with instant access to tremendous amounts of information at no charge to the consumer. Online advertising helps to support much of the content available to consumers online and allows personalized advertising that many consumers value. Social networking services permit users to connect with friends and share experiences online, in real time. These platforms also facilitate broader types of civic engagement on political and social issues.”

Interested stakeholders now have the opportunity to influence the framework that will appear in the final FTC Report. The answers to the questions raised in the preliminary Staff Report may change the framework that is currently being proposed. Comments and answers to these questions are due at the end of January. Further, there is a question of whether or not the FTC can mandate the “Do Not Track” option. David C. Vladeck, director of the FTC’s consumer protection bureau, has stated at a program sponsored by Consumer Watchdog, that he does “not think that under the FTC’s existing authority [the FTC] could mandate unilaterally a system of ‘do not track.'”

In the meantime, the FTC is enforcing and filing actions under the Fair Credit Reporting Act, which protects sensitive consumer information from disclosure, and also Section 5 of the FTC Act, which prohibits deceptive and unfair trade practices.

For further information, please contact Michelle Sherman at (213) 617-5405. (Follow me on Twitter!)