
Mar 26, 2012

Initial Thoughts On The FTC’s Privacy Report and 5 Action Items

Saira Nayak
Director of Policy @ TRUSTe
@sairanayak

This morning the FTC held a conference call on their finalized report (released today), “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers”. We were happy to hear that FTC Chairman Jon Leibowitz mentioned TRUSTe in his opening remarks, citing key findings from our website privacy index released earlier this year. TRUSTe also submitted extensive public comments on the proposed report in early 2011 and I’m pleased to announce that we were cited on five separate occasions in the final FTC report.

The report largely reinforces the framework articulated by the FTC in their December 2010 proposed framework: privacy by design, simplified choice and greater transparency. They’ve changed some things, however, such as the “scope” of the framework. The initial framework’s scope applied to *all* businesses collecting or using consumer data that could be “reasonably linked” to an individual. The final report maintains this “reasonably linked” standard (with additional clarification), but it carves out an exception for companies that collect only non-sensitive data from fewer than 5,000 consumers a year, provided they do not pass the data on to third parties. Additionally, the FTC revised its parameters around consumer privacy choice requirements. Previously, they identified categories of “commonly accepted” practices that did not require consumer choice. In this finalized report, however, they base “choice” exemptions around the context of data use or collection. Now, when data collection or use activities are “consistent with the context of the transaction, consistent with the company’s relationship with the consumer, or required or specifically authorized by law” companies are *not* obligated to provide consumer choice mechanisms.

During the call the FTC announced that they plan to engage the following five “action items” to support their framework:

1. Do Not Track
Recognizing ongoing industry efforts, Chairman Leibowitz stated that he was “confident” that industry would address DNT by the end of the year without the need for legislation. He noted, however, that directionally they would like to see the industry move beyond “data use” control to encompass “data collection” control. Most opt-out, cookie-based choice mechanisms around behavioral advertising control only “data use”: consumers who opt out prevent companies from using their data to target them, but they do not prevent these companies from continuing to collect data about them. A successful DNT mechanism that controls actual data collection (as opposed to just use) will probably require the active participation of third-party tracking companies.

2. Mobile
The FTC called on the mobile industry to develop improved privacy protections,  including “short, meaningful disclosures.” If you haven’t seen TRUSTe’s mobile-optimized privacy notice, I suggest you check it out here.  Chairman Leibowitz specifically mentioned just-in-time notice as being crucial to keeping consumers informed on mobile devices, apps and websites.  It would appear that the FTC is trying to stimulate industry self-regulation in the mobile space, much like we’ve seen in the traditional online advertising industry.  The FTC announced they will hold a workshop on May 30, 2012 to specifically address mobile privacy disclosures.

3. Data Brokers
The FTC recommended that data brokers create a centralized website to identify themselves and provide consumers with choice and data access. They also announced that they will be calling for legislation requiring data brokers to be more transparent about their practices.  At TRUSTe we’ve seen individual data brokers create mechanisms to provide consumers with insight into and control over their data profiles, but the creation of an industry-wide portal for consumers will require significant cooperation among these companies. It’s certainly possible that successful industry self-regulation in this area could obviate the need for legislation.

4. Large Platform Providers
The FTC remains concerned about the ability of large platforms to “comprehensively track” consumers’ online activities and announced that they will hold a workshop in the latter half of 2012 addressing these issues. Regarding this space Chairman Leibowitz said, “It’s changing, it’s very dynamic, and we want to look at it a little more closely”. This means in the coming months that the FTC will undoubtedly increase its scrutiny of third-party platform code on publisher sites, such as social buttons and widgets. Both publishers and third-party platforms should strongly consider how to make this process more transparent to consumers, especially where these pieces of third-party code are capable of collecting data with or without a user’s engagement.

5. Self-Regulatory Codes
The FTC praised the Digital Advertising Alliance for its work in the past year, calling its efforts “extraordinary”. With over 900 billion compliant ad impressions each month we’d like to second that opinion: privacy self-regulation in the online advertising industry has come a long, long way in the past two years. That being said, the FTC noted that they will work with the Department of Commerce to facilitate the development of sector-specific codes of conduct for self-regulation.

Stay tuned – TRUSTe’s entire policy team is digesting the 112-page report and we will issue a more detailed analysis shortly!
