Comments on Privacy Framework Due January 31, 2011

On December 1, 2010, the Federal Trade Commission released its much-anticipated staff report in which the FTC proposed a broad framework for regulating the commercial use of information gathered from consumers’ online activities. Specifically, the report called upon the FTC to develop rules that (1) provide additional privacy and data security protections for consumers; (2) allow consumers to choose whether or not they want companies to collect information about their online browsing habits (e.g., consumers should have access to a universal “Do Not Track” mechanism); and (3) grant individual consumers the right to access and review information about themselves collected by online companies and data aggregators.
In making its recommendations, the FTC noted that “industry efforts to address privacy through self-regulation have been too slow ... [and] have failed to provide adequate and meaningful protection.” To address this failure, the report offers a framework for regulating the commercial use of consumer data by building upon both common industry practices and the FTC’s own enforcement powers. The proposed framework would apply broadly to online and offline commercial entities that collect, maintain, or share consumer data, and focuses on three major areas:

• Improved Privacy Protections. Companies should design privacy protections into their everyday business practices. Such protections should include companies implementing reasonable security measures for protecting consumer data, collecting only data needed for a “specific business purpose,” and retaining that data only for as long as necessary.
• Consumer Notification and Approval. Companies should simplify consumer privacy choices and provide timely options for consumers to decide how their information will be used whenever the data being gathered falls outside of a relatively small number of “commonly accepted” categories where user consent is assumed. This would include the creation of a universal “Do Not Track” mechanism, which would allow individual Web users to decide whether Internet sites and advertisers could collect information about the individual’s browsing habits.
• Transparency and Consumer Access to Information. Companies should make their data practices more transparent to consumers and provide consumers with reasonable access to the data that companies maintain about them, including access to data maintained by companies that aggregate data but do not interact with consumers directly, such as data brokers.

The FTC will accept comments on the proposed framework until January 31, 2011. Based on the comments received, the Commission will issue a revised report in mid-to-late 2011. Some of the issues upon which the FTC has specifically sought comment include:

• Are there practical considerations that support excluding certain types of companies or businesses from the privacy framework?
• How should the FTC determine whether data is being retained for a “specific business purpose” and for how long should companies be allowed to retain such data?
• What data collection practices are so “commonly accepted” that companies should not be required to obtain consumer consent before engaging in them?
• How and to what extent should consumers be able to view data regarding their own online behavior that companies have collected?

A copy of the FTC’s preliminary report can be found here.
Please contact any of the attorneys in our Telecom Group for further information or for assistance in filing comments in these proceedings.