FTA Releases Final Report on Consumer Privacy

Transcription

1 APRIL 3, 2012 PRIVACY, DATA SECURITY & INFORMATION LAW UPDATE FTC Releases Final Report on Consumer Privacy: Calls for Enhanced Practices and Further Congressional Action On March 26, 2012, the Federal Trade Commission ( FTC or Commission ) released its long-awaited report on consumer privacy, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (the Report ). 1 The Report presents the Commission s conclusions drawn from its review of consumer privacy practices and regulations, including hundreds of comments from industry, consumer groups, and other stakeholders, following the FTC s call for a new privacy framework in a December 2010 preliminary staff report (the preliminary report ). 2 This report was issued as a Commission document, rather than a staff draft, over the dissent of Commissioner J. Thomas Rosch. The key concepts advanced by the FTC include the following: privacy by design, meaningful consumer choice, and industry transparency. The Commission suggests that the framework provided within the Report should serve as a baseline model for business-consumer privacy expectations. The Report states that the FTC will not proceed to enforce standards unless they already are part of existing law but clarification is lacking as to what that will mean in practice. By elaborating a baseline set of privacy expectations, the Report indicates that the FTC will continue its diminishment of the value of consumer-facing privacy policies. The Report also suggests that the Commission will increase its scrutiny of unfair privacy trade practices. Significantly, the Report offers no cost-benefit analysis to justify its new standards and does not acknowledge the importance of preserving innovation on the Internet as clearly as the FTC staff's preliminary report. 3 The new Commission document appears to be considerably more regulatory in tone and intent than the preliminary staff report and the White House approach, although the Commission expresses the belief that its framework is consistent with the policies outlined in the Obama Administration s Consumer Privacy Bill of Rights. The White House paper, titled Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and 1 FTC, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (Mar. 26, 2012), hereinafter Report, available at 2 FTC, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (Dec. 1, 2010) (hereinafter Report ), available at See Sidley Update: FTC Report Heralds Intensified Privacy Regulation (Dec. 16, 2010), available at 3 For an overview of the privacy framework as it was proposed in the preliminary report, see Sidley Update: FTC Report Heralds Intensified Privacy Regulation (December 16, 2010), available at This Sidley update has been prepared by Sidley Austin LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers. Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, and One South Dearborn, Chicago, IL 60603, Prior results do not guarantee a similar outcome.

2 Page 2 Promoting Innovation in the Global Digital Economy ( Administration White Paper ), was released on February 23, The FTC intends the Report to help establish best industry practices and assist Congress in developing privacy legislation. The FTC also expects its Report to complement the Department of Commerce s parallel privacy initiative. 5 Notably, the FTC explains in the Report that it does not anticipate using the privacy framework elaborated within the Report as a predicate for future law enforcement actions under the FTC Act. In the Report, the Commission urges companies to implement best practices including making privacy the default setting for commercial data practices and providing consumers with control over the collection and use of their personal data to protect consumers personal information, enhance trust, and stimulate commerce. The FTC suggests that privacy by design, simplified choice for businesses and consumers, and greater transparency should be the basic tenets of companies privacy practices. The FTC plans to promote the implementation of the privacy framework through focusing on five major aspects of the framework. The FTC plans to work with the Digital Advertising Alliance and World Wide Web Consortium to advance international standards for Do Not Track, and with industry and the Department of Commerce to develop sector-specific codes of conduct as suggested in the Administration White Paper. The FTC asks the data broker industry to consider the creation of a centralized website to provide consumers with information about the industry and about how to access or exercise choice relating to their data. Finally, the FTC plans to host two public workshops in 2012: one workshop, on May 30, will focus on the development of improved privacy protections in the context of mobile services, including the adoption of short and effective privacy disclosures for use on mobile devices; the second workshop, scheduled for the second half of the year, will explore issues relating to how large platform providers, such as Internet Service Providers, operating systems, browsers, and social media, may comprehensively track consumers online activities. The Report differs in several respects from the framework outlined in the preliminary report. First, the FTC will not apply the privacy framework to companies collecting only non-sensitive data from fewer than 5,000 consumers per year, so long as the companies do not share the consumer data with third parties. Second, the Commission revised its approach to how companies should provide privacy choices to consumers: the Report advocates a context of the interaction standard, under which companies would not be required to provide consumers with choice prior to collection of the consumers data for practices that are consistent with the context of the transaction, consistent with the company s relationship with the consumer, or as required or authorized under law. In essence, this approach would favor first-party Internet advertisers and undercut third-party Internet advertisers and advertising networks and exchanges. Third, the Commission recommends that Congress consider enacting legislation to bring transparency for and control over information brokers practices, in addition to general, baseline privacy legislation. Fourth, and finally, the Report singles out the use of deep packet inspection for advertising/tracking purposes as a practice that is of special concern to the FTC. In particular, the FTC suggests that large platform providers, including internet service providers, browsers, and operating systems, might be subject to additional Commission scrutiny because of their ability to comprehensively track consumers. The FTC Privacy Framework The FTC intends the final privacy framework to explain best practices for companies working with consumer data and to assist Congress as it considers privacy legislation. Although the framework excludes many small businesses, it 4 See Sidley Update: White House Issues First Ever Administration-Level Data Privacy Framework (Feb. 29, 2012), available at 5 The FTC notes in the Report that Commission and Department of Commerce staff have communicated regularly with respect to developing a consistent approach to privacy protection. Report at 3. The FTC also notes that the new framework reflects similar international interest in developing more inter-operable systems.

3 Page 3 expressly applies to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device, unless the entity collects only non-sensitive data from fewer than 5,000 consumers per year and does not share the data with third parties. The FTC also took pains to ensure that the framework is seen as a complement to guidance existing under the Health Insurance Portability and Accountability Act ( HIPAA ), the Health Information Technology for Economic and Clinical Health Act ( HITECH ) and the Gramm- Leach-Bliley Act ( GLBA ) that will provide a baseline for companies not subject to sectoral regulation. The Commission asserts in the Report that, despite FTC involvement in its development and enforcement, the proposed framework will be self-regulatory. Privacy By Design. The framework reiterates the FTC s earlier call for adoption of privacy by design, explaining that companies should promote consumer privacy throughout their organizations and at every stage of product/service development. Practically, this means that companies should incorporate substantive privacy protection into their business practices, including through adoption of robust data security measures, reasonable limits on the collection of data, sound retention and disposal policies, and mechanisms for ensuring data accuracy. The FTC views these measures as being consistent with the policies outlined in the Obama Administration s Consumer Privacy Bill of Rights, although privacy by design was notably absent from the White House White Paper. According to the FTC, these procedures and policies should be maintained through the life cycle of a company s products/services, and might include the implementation of accountability mechanisms and of regular privacy risk assessments, although it does not provide anything more than generalized guidance about the desired type and level of such mechanisms and assessments. 6 Choice. The FTC also calls for simplified consumer choice as part of the privacy framework. In order to lessen the burden of this requirement, the agency made clear that certain commonly accepted or obvious practices do not require consumer choice: companies will not need to provide choice before collecting or using consumer data for practices that are obvious from the context of the transaction or with the company s relationship with the consumer, or as required or authorized under law. This approach reflects a potential expansion of the practices not requiring choice under the preliminary report s framework. Where consumer choice is required, the FTC stresses that companies should offer the choice at the time and in the context in which consumers are actually making choices about their data, as opposed through the use of more traditional privacy policies posted on advertiser websites. The FTC suggests that, generally, companies should obtain express consumer consent before using consumer data in ways that are materially different than the prospective uses cited when the data were collected, or when collecting sensitive data for certain purposes. Transparency. The final aspect of the FTC framework focuses on the Commission s aim to increase transparency in companies data practices. The FTC calls on companies to provide: clearer, shorter, and more standardized privacy policies that will allow consumers to better comprehend and compare privacy practices; reasonable access to consumers for data maintained about them, proportionate to the sensitivity of the data and the nature of its use; and expanded efforts to educate consumers. Discussion of What Constituted "Harm" In the Report, the Commission reiterates its perspective that privacy-related harms go beyond economic or physical harm or unwarranted intrusions. Instead, the Report urges, the privacy framework should recognize a more 6 The Report cites, as examples of how procedural safeguards might work in practice, the Commission s recent settlement orders with Google and Facebook. The orders mandate privacy programs that must, at a minimum, contain procedures or controls addressing (1) the designation of personnel responsible for management of the privacy program; (2) risk assessments addressing employee training and management, and product design and development; (3) implementation of controls to address identified risks; (4) appropriate oversight of service providers; and, (5) continual revision and adjustment in light of regular testing and monitoring. See In the Matter of Google, Inc., FTC Docket No. C-4336 (Oct. 13, 2011) (consent order), available at

4 Page 4 expansive range of harms that including those that might arise from unanticipated uses of consumer data. The FTC explains that, while imposing new privacy protections may be costly, it will ultimately help consumers and benefit businesses by encouraging and building consumer trust in the market, and that businesses are already marketing privacy as a competitive business advantage. Expanded Scope of Consumer Data The Report notes concerns about the decreasing relevance of the personally identifiable information ( PII ) label, referencing studies demonstrating consumer discomfort or objections to being tracked, regardless of the involvement or use of PII. The Report states that it was appropriate for the Commission to more comprehensively examine various types of data to determine whether they have privacy implications. As a result of its review since the preliminary report, the Commission s framework incorporates a more wide-ranging scope of data, including any data that, while not yet linked to a particular consumer, computer, or device, may reasonably become so. The Commission encourages companies to de-identify data and recognizes in the Report that contractual restrictions on re-identification are generally adequate safeguards, even though it theoretically might be mathematically or practically possible to re-identify data. Accordingly, the Commission clarifies in the Report its reasonable linkability standard. Under this standard, in order to establish that data are not reasonably linkable to a particular consumer or device, a company must: (1) take reasonable measures to ensure de-identification of data; (2) publicly commit to maintain and use the data in a de-identified fashion; and (3) contractually prohibit downstream entities with which the company shares the data from attempting to re-identify the data. Take it or Leave it Choice The Report addresses instances where consumer use of a particular service or product is contingent upon acceptance of the company s data practices, which the Commission refers to as a take-it-or-leave-it privacy choice. The Commission notes that this approach is problematic from a privacy perspective, particularly in markets where consumers have limited choices, and might not offer consumers what the Commission would consider to be a meaningful choice. It is not clear that the FTC believes meaningful choice requires a cost-less choice, as some European regulators have advocated, or merely a more robust disclosure of costs associated with choice. Instead, the FTC suggests that these one-sided transactions may place consumers privacy interests at risk, and that take-it-orleave-it choice is only acceptable for less important products and services in markets with sufficient alternatives and where the terms of the exchange are transparent and fairly disclosed. Do Not Track The Report reiterates the Commission s desire for a workable Do Not Track mechanism, and applauds industry efforts to improve consumer control over behavioral tracking. In encouraging industry development of the Do Not Track mechanism, the FTC reiterates that the mechanism should include five key principles: (1) the mechanism should be universally implemented to cover all parties that would track consumers; (2) the mechanism should be easy for consumers to find, understand, and use; (3) the choices should be persistent and not subject to easy or accidental override; (4) the system should be comprehensive, effective, and enforceable; and (5) the mechanism should opt consumers out of all collection of behavioral data for all purposes other than those consistent with the context of the interaction. Deep Packet Inspection The Report singles out that the use of deep packet inspection ( DPI ) for advertising/tracking purposes as of particular concern to the FTC. The Report notes general consensus among commentators that DPI deployed for

5 Page 5 marketing purposes is distinct from other forms of marketing practices employed by companies which have first-party relationships with consumers, and thus at a minimum should require consumer choice. The report does not address, however, the effects of this approach in skewing the market for Internet advertising to Internet sites and away from Internet providers. Despite the fact that Internet providers tend to have a closer relationship with consumers than the websites they visit, the FTC folds this analysis in with the framework s general consideration of companies with firstparty relationships tracking consumers across other websites, noting that DPI, like social plug-ins, cookies, and web beacons, should require consumer choice when it is deployed across other parties websites. FTC rejected the argument that a major cross-platform provider like Google can develop as comprehensive a picture of users' data as DPI would allow. Affiliates and Cross-Channel Marketing The Report maintains the Commission s view that affiliates are third parties, necessitating consumer choice before data transfer, unless the affiliate relationship is clear to consumers, e.g., through common branding. In instances where the relationship is not clear, the Commission suggests that consumer notification and consent would be necessary. The Commission agrees with commentators, however, that cross-channel or cross-platform marketing, wherein a company establishes a relationship through one medium and contacts a consumer through another, falls within the first-party marketing concept and would not require obtaining additional choice or consent. Data Enhancement The FTC addresses in the Report how companies should view data enhancement, where companies append thirdparty-sourced data to data obtained directly from consumers. The Commission notes that requiring the first-party company to offer consumers choice over data enhancement would impose costs and logistical problems that could preclude the range of benefits that data enhancement facilitates. Instead, as the framework already suggests, companies seeking to share data relating to customers with third parties should offer consumer choice. Thus, the third-party sharing the data used to enhance the first-party s data would be responsible under the framework for offering consumer choice. Consumer Choice for First-Party Marketing The Report explains the Commission s view that affirmative express consent is an appropriate safeguard for instances in which a company uses sensitive data for first-party or third-party marketing, and that special consideration must be given to protecting sensitive data. As a result, even companies which collected sensitive data through a first-party relationship should offer consumer choice before using any sensitive data for marketing. In instances where a company s business model is predicated on targeting consumers based on sensitive data (e.g., data relating to financial affairs, health, or children), the FTC suggests that the company seek affirmative express consent prior to collecting data from those consumers. Data Brokers The Commission defines data brokers as companies that collect information, including personal information about consumers, from a wide variety of sources for the purpose of reselling such information to their customers for various purposes, including verifying an individual s identity, differentiating records, marketing products, and preventing financial fraud. The Report explains that the FTC has sought additional Congressional legislation addressing data brokers since 2009, and again requests that Congress develop legislation further regulating data brokers practices to increase transparency in the industry and to enhance consumer access and control over data held by data brokers.

6 Page 6 At the same time, the Report suggests that the data broker industry should explore the idea of establishing a centralized website for data brokers to (a) identify themselves to consumers and (b) provide consumers with information about data collection, consumer access rights, and consumer choice. Industry Efforts, Implementation, and Enforcement Notably, the Commission recognizes that industry has made progress since the preliminary report, including its response to the preliminary report s call for Do Not Track, and urges industry to accelerate the pace of selfregulation. The FTC also explicitly states that the Report s framework is not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC in instances where the framework appears to go beyond existing legal requirements. The Commission also notes that it will view adherence to its proposed sector-specific codes of conduct favorably in connection with its law enforcement work. Nonetheless, the Report reflects a shift in the Commission s interpretation of the FTC Act in the privacy and data protection context: whereas FTC privacy enforcement has traditionally been predicated on rooting out deceptive trade practices, the Report and recent cases suggest that the Commission is increasingly concerned about unfair trade practices as they relate to privacy. Commissioner Rosch s Dissent Commissioner J. Thomas Rosch dissented from the issuance of the Report. While noting that he agrees in several respects with the Report s findings, and applauding the Report s recommendations for congressional legislation, Rosch voiced concerns relating to several parts of the Report, including its use of language that hints at the prospect of future law enforcement. Rosch questioned the constitutionality of banning take-it-or-leave-it choice and noted that the Report adopted language most friendly to consumer organizations and large enterprises when labeling behavioral tracking as unfair and considering reputational harm as deserving of Commission redress. In particular, Rosch questioned the Report s apparent mandate that ISPs use opt-in choice before deploying deep packet inspection, while not requiring the same of other large platform providers, suggesting instead that, for all large platform providers, affirmative express consent should be required only in instances where the provider actually seeks to use data to create detailed and comprehensive customer profiles. If you have any questions regarding this update, please contact Andrew J. Strenio, Jr. ( , astrenio@sidley.com), Edward R. McNicholas ( , emcnicholas@sidley.com), Alan Charles Raul ( , araul@sidley.com), Jonathan P. Adams ( , jpadams@sidley.com), or the Sidley lawyer with whom you usually work. The Privacy, Data Security & Information Law Practice of Sidley Austin LLP We offer clients an inter-disciplinary, international group of lawyers focusing on the complex national and international issues of data protection and cyber law. The group includes regulatory compliance lawyers, litigators, financial institution practitioners, healthcare lawyers, EU specialists, IT licensing and marketing counsel, intellectual property, and white collar lawyers. Sidley provides services in the following areas: Privacy and Internet Litigation and Regulatory Advice Data Breach, Incident Response, and Cybersecurity Advice Global Data Protection and Information Security Information Governance Assessments and Compliance Programs International Data Transfer Solutions, Outsourcing and Cross-Border Issues Cyberlaw, E-Commerce, Social Media, Cloud Computing and Internet Issues EU, China and Japan Compliance Counseling Gramm-Leach-Bliley and Financial Privacy

7 Page 7 HIPAA and Healthcare Privacy Communications Law and Data Protection Workplace Privacy and Employee Monitoring Unfair Competition, Advertising and Consumer Protection Website Policies Online Trademarks and Domain Name Protection Records Retention, Electronic Discovery, Government Access and National Security To receive future copies of this and other Sidley updates via , please sign up at BEIJING BRUSSELS CHICAGO DALLAS FRANKFURT GENEVA HONG KONG HOUSTON LONDON LOS ANGELES NEW YORK PALO ALTO SAN FRANCISCO SHANGHAI SINGAPORE SYDNEY TOKYO WASHINGTON, D.C. Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm s offices other than Chicago, New York, Los Angeles, San Francisco, Palo Alto, Dallas, London, Hong Kong, Houston, Singapore and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley Austin (NY) LLP, a Delaware limited liability partnership (New York); Sidley Austin (CA) LLP, a Delaware limited liability partnership (Los Angeles, San Francisco, Palo Alto); Sidley Austin (TX) LLP, a Delaware limited liability partnership (Dallas, Houston); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin LLP, a separate Delaware limited liability partnership (Singapore); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley, or the firm.