The FTC Privacy Report Charts a New Regulatory Course But Could Harm Free-Content Websites
The staff of the Federal Trade Commission (FTC), on December 1, 2010, released its long-anticipated draft proposal for "Protecting Consumer Privacy in an Era of Rapid Change." Culminating over a year of workshops and study, the 122-page report "proposes a framework to balance the privacy interests of consumers with innovation that relies on consumer information to develop beneficial new products and services."
The report is a draft, and by itself imposes no new obligations. The FTC has requested comments on the report by January 31, 2011, and will adopt a final report later in the year. This report is expected to frame the national debate about privacy and preview the agency's future enforcement actions. Such "soft legislating" has already spurred industry to provide consumers with more notice of online advertising and opportunities to opt out.
However, the FTC's proposed greater privacy protections may come at a price. If finalized as now written, the FTC report could directly affect the ability of firms to earn revenue from Internet-based products and services (e.g., websites, mobile platforms, social networks and apps), as well as undermine the business models of those entities that serve them. Businesses that use, or plan to use, consumer information for marketing and revenue-generation purposes in new media platforms should give serious thought to how the FTC proposals could affect them and express any concerns to the agency.
In commenting on its release, FTC Chairman Jon Leibowitz called the report "not a template for enforcement, but an invitation to better practices." The FTC staff strongly believes that consumers currently do not understand how information about them is collected and used by businesses for marketing purposes, especially by businesses with which they do not deal directly. Notably, the report does not call for comprehensive privacy legislation. Instead, it proposes a "normative framework" to improve consumer privacy. Many aspects of the framework would be implemented by individual companies or through self-regulation.
The proposed framework would apply to all commercial entities that collect or use consumer data "that can be reasonably linked to a specific consumer, computer, or other device." This phrasing means that the FTC staff believes that the concepts of "personally identifiable information" (PII) and "non-personally identifiable information," long prevalent in privacy regulation, are declining in usefulness as technology and the availability of information make "re-identifying" supposedly anonymized personal data much easier.
Abandoning the PII/non-PII distinction could affect a wide range of business practices that to date have treated personally identifiable and non-personally identifiable information differently. Businesses should consider carefully what types of information they may want to collect and use, and how they plan to handle, use and retain consumer information in the future. The implications of this are unclear, because many privacy laws now on the books in the United States rely on the PII/non-PII distinction. These laws will not be repealed overnight, so the dichotomy will likely influence business practices in the U.S. for quite a while.
The FTC's draft report can best be understood as recommending a fundamental change in the approach taken by American businesses towards information. In many respects, the FTC staff appears to be moving more towards the European model of privacy protection, which generally is perceived as being more protective of consumer privacy interests than U.S. law.
The report advances three major principles:
1. "Privacy by Design." The FTC staff urges businesses to consider and promote consumer privacy within their organizations and in the development of their products and services. David Vladeck, the director of the FTC's Bureau of Consumer Protection, stated that this "means thinking about ways to practice good data hygiene from the very beginning, such as providing reasonable security for consumer data, limiting data collection and retention to the least amount necessary, and implementing reasonable procedures to promote data accuracy." However, the FTC is unclear about whether "privacy by design" can be a legal requirement or is merely hortatory.
2. Simplified Consumer Choice. A second major emphasis of the FTC staff report is on "simplified" consumer choice. The report concludes that privacy policies today are legalistic and seldom read. While not proposing to eliminate privacy policies, the staff recommends that companies skip offering choice before collecting and using consumers' data for commonly accepted practices, such as product fulfillment. In contrast, where the consumer needs to choose, businesses should offer "just-in-time" notice and choice.
- "Just-In-Time" Notice. "Just-in-time" notification and consent would provide users with succinct privacy notices and choices at the moment data is collected. This would occur at a time and place, and in a context, in which the consumer is actually making a choice about his or her data. In the case of consumer-facing websites, this commonly would be a registration page, but could occur elsewhere as well. In the case of social networks, a critical point might be that at which third-party applications seek to collect consumer data. "Enhanced consent" may be required in the case of sensitive information, such as information about children, financial and medical information, and "precise geolocation data." For example, the FTC staff asks whether companies should be required to obtain express consent before geolocation data is collected, used or shared.
- Do Not Track. In perhaps its most controversial recommendation, the FTC staff endorsed a "Do Not Track" mechanism that would enable consumers to easily opt out of behavioral tracking as well as behavioral advertising. This could, for example, take the form of a persistent browser-based feature that a consumer could activate. A "Do Not Track" system could be implemented through "more robust" self-regulation or via federal legislation.
Do Not Track could have serious implications for an advertising-dependent business model. Online advertising networks present on many broadcasters' websites use tracking tools (such as cookies) to build profiles of users' ages, genders, incomes and interests. Online ad networks use these user profiles as the basis for determining in real time which ads to display to particular consumers, a practice known as "behavioral targeting." Behaviorally targeted ads, because they are selected based on an individual user's profile, are more valuable for advertisers, allowing online publishers to charge a premium for that ad space.
If a substantial number of consumers "opted-out" from tracking and targeting, website and network advertising revenues could erode, undermining the ad-based funding that allows websites to provide free or affordable online services that consumers want. Likewise, requiring third-party marketing networks to "enhance" privacy could block customized ads on sites that individuals find convenient, without materially improving on the notice and choice that such networks often already provide.
- Mobile Platforms. Standard privacy policies do not work well on mobile devices due to the small size of the screens. The FTC wants more user-friendly privacy notices for mobile apps. However, the report pays little attention to the difficulties and costs of implementing different consent mechanisms for the mobile environment.
- Extend COPPA to Teens? The FTC staff also asks whether the increased use of smartphones warrants an update to its regulations under the Children's Online Privacy Protection Act requiring online providers to give notice to, and receive explicit consent from, the parents of any child under age 13 before they can collect, use or disclose such children's personal information on websites or online services. It also asks whether the regulation should be expanded to include children between the ages of 13 and 17, particularly in the social media context.
3. Transparency and Access. The FTC staff advocates greater access by consumers to information about them held by companies, while noting that access implicates a number of complex issues. The report expresses a preference for a "sliding scale" in which the information that a consumer may access may vary depending upon the nature of the information and the purpose for which it is used. Also, the FTC reiterated its well-established position that companies must provide prominent disclosures and obtain opt-in consent before using consumer data in a materially different manner than claimed when the data was collected, posted or obtained. See Gateway Learning Corp., No. C-4120 (F.T.C. Sept. 10, 2004).
The concepts advocated by the draft FTC staff report would fundamentally change the way U.S. businesses approach consumer privacy. The FTC has invited comment on the draft report and has posed some 60 specific questions on which it is particularly interested in receiving input. Businesses affected, or potentially affected, by the changes urged by the FTC staff should consider weighing in by the January 31, 2011 due date for comments.