Francoise Gilbert

In its long awaited report on privacy protection, which was published on December 1, 2010, the Federal Trade Commission outlines a Proposed Privacy Framework for businesses and policy makers. The Proposed Framework would focus on the collection, maintenance, sharing, or use by commercial entities of consumer personally identifiable information, online and offline. “Personally identifiable information” is defined as data that can be reasonably linked to an individual, computer, or device.

The proposed Framework does not promote the adoption of legislation, but it identifies three areas of focus:

  • Promoting privacy throughout the organization, and at every stage of the development of products and services;
  • Simplifying choices for consumers; and
  • Providing greater transparency of data practices.

The FTC staff has requested that comments on each component of the Privacy Framework and how it might apply in the real world be filed by January 31, 2011. The Commission will issue a final report in 2011.

This article provides an overview of the Proposed Privacy Framework and analyses its potential effects on US businesses.  For a comparison of the Proposed Privacy Framework with the data protection laws in effect in the European Union and elsewhere in the world, see FTC Draft Privacy Framework: Getting a Little Closer to the EU Approach by Francoise Gilbert, published in BNA Privacy & Security Law Report, 9 PVLR 1672, (December 6, 2010) (subscription required), http://news.bna.com/pvln/PVLNWB/split_display.adp?fedfid=18687594&vname=pvlrnotallissues&fn=18687594&jd=a0c5m7w8w0&split=0.

Building Protection in Everyday Practices

First, the Proposed Privacy Framework would require companies to build privacy protections into their everyday business practices and to promote privacy throughout their organizations, and at every stage of the development of their product and services. This would be achieved by limiting their collection and retention of personal information, providing adequate security for all categories of personal information, and by implementing a comprehensive privacy program.

Quality, Security, and Limitations on Collection and Use

The Framework would require at least the following restrictions or requirements:

  • Providing reasonable security for consumer data;
  • Collecting only the data needed for a specific business purpose;
  • Retaining data only as long as necessary to fulfill that purpose;
  • Safely disposing of data no longer being used; and
  • Implementing reasonable procedures to promote data accuracy.

The practices described above are well known “best practices” that are already incorporated in existing laws, such as the healthcare privacy laws and regulations (HIPAA Privacy and Security Rules, and HITECH Act and Regulations). Some of these practices are also part of the FTC Fair Information Practice Principles.

The adoption of these practices makes sense for many reasons, including increasing data quality, ensuring that data are not lost or altered, or preventing data leaks. Currently, however, many US companies do not abide by these principles.

For example, a quick survey of popular websites would show that a large majority of the forms that are used for registration on a website, signing-up for a seminar, or obtaining a copy of a white paper require the disclosure of much more personal details than is actually necessary for the service or product offered. As a result, most users provide false information in order to preserve their privacy or anonymity, or reduce the risk of identity theft. In turn, businesses obtain unreliable data.

Further, U.S. companies tend to retain information for much longer than necessary because data disposal is not a priority; the cost of storage has lowered significantly, thereby reducing the incentive for frugality; there are insufficient resources to address the issue; or the marketing team wants to hold on to the data in preparation for some unidentified project. The drawback of holding on to data for too long is that most of the time these data become useless, because they are obsolete or no longer relevant.

Those who dispose of information in paper or electronic form also often fail to use common sense measures such as shredding or performing simple procedures to erase disks or destroy tangible media. Press reports abound with tales of medical or tax files left in trash bins or spread on sidewalks, or second hand equipment sent to the purchaser, still loaded with the original data.

It has also been clear that reasonable security is lacking at many US companies. The tsunami of security breach disclosure in the past few years have provided devastating evidence of this shortcoming. In addition, while a significant number of US States laws require the use of adequate security measures, this protection is frequently provided only to a small category of “sensitive data,” such as Social Security numbers, drivers license or ID numbers, or financial information. Lack of appropriate security results in costly data leaks.

Companies and individuals would greatly benefit from better “data hygiene” and more discipline and care in the handling of personal data. Data quality would improve, risks and liability would decrease, and information systems would not be clogged with obsolete or unreliable data.

Comprehensive Enterprise Privacy Program

The Framework would also require companies to develop a reasonable privacy program and comprehensive data management procedures throughout the life cycle of their products and services. This program would include, for example:

  • Assigning personnel to oversee privacy issues;
  • Training employees on privacy issues; and
  • Conducting privacy impact assessments when developing new products and services.

Such concepts are not new, and they are consistent with prior guidelines that the FTC has provided in its consent orders, such as in its 2002 Final Consent Order in its case against Eli Lilly and Company. The FTC found that the company’s inadvertent disclosure of patients’ personal information was an evidence of poor data management, and, among other things, required the appointment of a privacy official, and the provision of adequate training for the personnel.

As indicated in prior FTC communications, implementation could be scaled to each company’s business operations. For example, a small amount of non-sensitive consumer data would require less stringent or comprehensive measures than vast amounts of consumer data. Companies that engage in the business of selling consumer data would be subject to higher scrutiny.

To date, most regulated companies, such as financial or healthcare institutions and their service providers, as well as global companies that comply with foreign data protection laws have already appointed a chief privacy official to oversee privacy matters, or have otherwise designated one or several individuals to focus on privacy issues. However, the remainder of US businesses is likely not to have taken such steps.

Putting in place an appropriate privacy program is likely to require significant expenses for companies that have not yet taken any steps to adequately protect the personal information of employees, customers and others who contribute to the wealth of the business, through their work, their purchases, or otherwise. Posting a privacy policy on the company’s website is insufficient (as well as a deceptive practice that may be deemed to violate Section 5 of the FTC Act and similar state laws) if there are no internal practices to ensure that the company acts in accordance with the promises it made publicly.

New Approach to Choices

The Framework would require companies to make it easier for consumer to understand their privacy practices and exercise choices, if any. The FTC Privacy Framework suggests a two-prong approach:

  • Collection of data for “commonly accepted” purposes would not require prior consent of the data subject;
  • For data practices that are not “commonly accepted,” consumers should be able to make informed and meaningful choices.

Commonly Accepted Purposes

What the FTC defines as “commonly accepted” purpose includes: product and services fulfillment; internal operations, fraud prevention, legal compliance and public purpose, and first party marketing. The view is that these practices are obvious from the nature of the transaction (e.g. delivery of a product) or sufficiently accepted or necessary for public policy reasons; and therefore, it would be unreasonable and cumbersome to require individuals’ content to the collection or use of their data in order to accomplish these purposes.

One item on this list is notable. The FTC Privacy Framework would allow the collection and processing of personal information without the prior consent of the data subject for “first party marketing”, i.e. to allow a merchant from whom a purchase has been made to continue the relationship with the customer using the information that was provided by the consumer, such as a home address that would have been provided for the delivery of the goods or a personal phone number that would have been provided for receiving notice of the time and date of delivery.

It will be interesting and challenging to compare the rules that would apply to this “first party marketing” with those that already apply to different forms of marketing and solicitation, such as telephone sales, mobile marketing, or unsolicited commercial communications (or spam).

Other Purposes

For data practices that are not “commonly accepted,” the FTC Framework would require that privacy choices be clearly and concisely described and offered to consumers at the time when the consumers are making decisions about their data, such as when entering personal data or before accepting a product or service.

The Proposed Framework raises the issue of the collection and processing of sensitive information. There is currently no official or well-accepted definition of “sensitive information.” Existing US laws pertaining to security breach disclosures have primarily focused on identity theft, and have provided heightened protection to financial information and identity information, for instance. On the other hand, the rest of the world generally identifies as “sensitive,” information that pertains to our most intimate activities or thoughts, such as sexual preference, medical condition, or religious or philosophical beliefs.

It will be interesting to follow how this issue evolves, and what items will be included in the definition of “sensitive information.”

Transparency of Data Handling Practices

Finally, the FTC Privacy Framework would focus on increasing the transparency of companies’ data handling practice. This would be achieved though several vehicles:

  • Clearer, shorter, and more standardized privacy notices;
  • Reasonable access to data maintained by the business;
  • Prominent disclosures and affirmative express consent required when making material changes; and
  • Consumer education.

Shorter, More Standardized Privacy Notices

According to the FTC Report, privacy policies could play an important role in promoting transparency, accountability, and competition among companies if the policies are clear, concise, and easy-to-read. Among other things, companies would be required to improve their privacy policies in order to allow a comparison of the data practices and choices across companies.

Indeed, privacy notices have become lengthy, complex documents, that the average customer has trouble deciphering. The opacity of most privacy policies makes it difficult for individuals to be aware of their rights and to give informed consent. Any efforts to improve these documents, such as using clear and plain language, would allow individuals to be better informed, in a transparent way, of the data handling practices that are used.

This requirement for simplicity and clarity has long been an important theme in FTC communications. For example, it was the focus of the FTC’s recent action against Sears (see, http://www.ftc.gov/os/caselist/0823099/index.shtm). In its complaint against Sears (see, http://www.ftc.gov/os/caselist/0823099/090604searscmpt.pdf), the FTC stated that Sears failed to adequately disclose the actual use of the software application that it was offering to its subscribers, and this missing information would have been material in consumers’ decision to install the software. The FTC deemed Sears’ failure to disclose these facts clear and conspicuously to be a deceptive practice.

The FTC Report also observes that consumers should be able to easily compare the privacy policies of different organizations. For this purpose, the FTC suggests that a short form might be used, similar to that which has been recently adopted by the agencies that regulate financial institutions. Currently only few financial institutions have adopted the format proposed by financial institutions regulators. Thus, it is difficult to appreciate the efficacy of this format.

Access to Data

The FTC report also proposes providing consumers with reasonable access to the data that companies maintain about them, particularly for companies that do not interact with consumers directly, such as data brokers. Because of the significant costs associated with access, however, the report suggests that the extent of access might be proportional to both the sensitivity of the data and its intended use.

Granting data subjects access to their data is one of the FTC’s Fair Information Privacy Principles (http://www.ftc.gov/reports/privacy3/fairinfo.shtm), which were drafted almost 15 years ago. However, for many years, the right of access and correction has been absent from most company privacy policies, with the exception of those issued under HIPAA or those that comply with the US Safe Harbor Principles. Today, most US websites do not offer a right of access and modification. For those that do, in general, access is limited to the data that are published in the “my account” section of a website. It is usually impossible for an individual to have access to the dossiers or profiles that companies have created by compiling information gathered direct, or through purchases from data brokers.

According to the FTC Report, providing capabilities for access and correction could be very costly. The Report questions whether an administrative fee should be charged. There are indeed significant technical issues associated with the retrieval of data, such as when data are commingled with other data, gathered in huge databases, or held in back-up, storage, or archival media. On the other hand, companies that have implemented appropriate measure to address the requirements of the amendments to the Federal Rules of Civil Procedures may already have in place adequate technologies and methods in place that would allow for the retrieval of such information.

Consent to Material Changes

In addition, under the Privacy Framework, all entities would be required to provide prominent disclosures and obtain affirmative consent for material, retroactive changes to data policies. This requirement is not new. For several years, the Federal Trade Commission has insisted that consumers should have the right to object to new uses of their information for purposes that had not been originally disclosed. For example, this requirement was expressed in the enforcement action against Gateway Learning, in 2004 (see, http://www.ftc.gov/opa/2004/09/fyi0454.shtm), and restated in several FTC documents (see, e.g., Behavioral Principles, http://www.ftc.gov/opa/2009/02/behavad.shtm).

Privacy Awareness

Finally, the Proposed Framework would require that stakeholders undertake a broad effort to educate consumers about commercial data practices and the choices available to them. Increasing consumer understanding of the commercial collection and use of their information is important to facilitating competition on privacy across companies.

Numerous segments of the US population are vulnerable and need to be educated about the benefits and traps of information technologies, social media, mobile commerce, and other recent developments, and their effect on the disclosure and sharing of personal information.

Numerous organizations, such as the Federal Trade Commission, state agencies such as the California Office of Privacy, or non-profit organizations are already making extensive efforts to educate the public. As always budgets are needed, and it is hoped that grants and other allocations would be available to accomplish these goals.

Conclusion

The Proposed Privacy Framework presented by the Federal Trade Commission provides a valuable outline for issues to be explored and refined, and actions to be taken. The current draft of the FTC Report, however, is only another step in the development of tools for improving the manner in which entities collect and use personal information. More work and efforts are ahead. A final draft is expected in 2011; after that, these principles should be formally implemented, but there is currently no indication of how the implementation would be made.

Technologies and ways of doing business, such as social media, cloud computing, mobile commerce, or behavioral targeting are presenting numerous opportunities, but also great challenges. As new products and services are created, new issues with arise. It is important to continue seeking ways to striking a balance between improving the way personal data are collected, used, shared, and protected so that privacy rights and expectations of individuals are fulfilled, and companies that rely on personal data for their activities continue to have the ability to keep growing and prospering.