The Commission’s Report, like the White House Report before it, is at heart a set of recommendations. Its publication does not change the state of the law, or impose any new obligations on companies with respect to privacy. While the Commission does urge Congress to pass targeted legislation requiring greater transparency in the data broker industry, its approach is primarily focused on encouraging industry self-regulation. The advantages of this approach for industry sectors are obvious: by acting affirmatively in an area of public concern, industries can have a hand in shaping the rules so that they appropriately reflect the realities of a particular sector. An adequate system of self-regulation could eliminate the perceived need for further regulatory or legislative action. Companies should keep in mind, however, that once they adopt a voluntary code of conduct, they must abide by it, or they may open themselves up to an FTC enforcement action. The practical lesson is simple: companies should only make promises they intend to keep.
The Commission outlines a privacy framework that it believes should be the basis for the voluntary codes of conduct it hopes companies will develop and adopt. The four key areas of focus are:
Scope: The Commission applies its privacy framework to all companies that handle personal data, with a limited exception for companies that handle personal data for fewer than 5,000 individuals a year, and who do not share that data with any third parties. The framework applies to data that is “Reasonably linkable to a specific consumer, computer, or device.” This definition is an expansion of the traditional definition of “Personally Identifiable Information,” and reflects, in part, the Commission’s concern that data which has been removed of personally-identifiable characteristics, or “de-identified,” can often be re-identified.
Privacy By Design: The Commission urges companies to adopt privacy practices consistent with the “Privacy by Design” model. This means implementing practices that reflect the substantive principles of Data Security, Reasonable Collection Limits, Sound Retention Practices, and Data Accuracy. These principles recognize that there is often both a business need and a consumer benefit associated with the collection and use of personal data, but requires that the scope of data collection and retention be reasonably related to the purpose for which it is collected.
Simplified Consumer Choice: The Commission believes that consumers should be given meaningful and understandable choices about the way their personal data is collected and used by companies. One of the important features of the Framework is its emphasis on context in determining the appropriate level of choice required for a particular data practice. Thus, companies who collect personal data directly from consumers may use that data without offering a consumer any choice, when they engage in certain “commonly accepted” practices, including 1) product and service fulfillment; 2) internal operations; 3) fraud prevention; 4) legal compliance and public purpose; and 5) most first-party marketing. For other types of data uses, including tracking across websites for behavior-based advertising, the Commission calls for companies to offer consumers clear choices, provided at a relevant time. This includes respecting consumers’ use of a “do not track” option on web browsers.
Increased Transparency: Consistent with its focus on the context in which personal data is collected and used, the Commission calls for increased transparency regarding consumer privacy practices. It is particularly concerned with practices that take place without consumer awareness, including the practice of “data enhancement,” in which companies take personal data they have collected in the context of a relationship with a consumer, and combine it with data obtained by third party data brokers to create detailed consumer profiles. Because data brokers – who collect and sell personal information about consumers directly to other businesses for marketing or other purposes – are largely invisible to consumers, it is difficult for consumers to exercise choices about the way their personal data is collected and used by these brokers. The Commission supports targeted legislation to increase the transparency of the data broker industry, and suggests the creation of a centralized data broker portal, that consumers could visit to learn more about what information data brokers have collected about them, to verify the accuracy of that data, and to exercise appropriate choice.
The Commission’s emphasis on context reflects a new way of thinking about privacy in the internet era. In a world of social media, consumers are accustomed to sharing some personal data and to making trade-offs relating to privacy, but they are concerned when a company’s collection or use of personal data is surprising or inappropriate to the service being provided. Google and Facebook, for example, provide free services to consumers in exchange for using consumer-provided personal data to target those consumers for advertising. Both companies ran afoul of the FTC, however, when they unilaterally made public certain information that consumers had previously assumed to be private. The Commission deemed these actions to be unfair and deceptive trade practices and brought enforcement actions. As a result of settlements with the Commission, both Google and Facebook have agreed to obtain affirmative, express consent from consumers before materially altering their privacy policies, and to submitting to 20 years of privacy audits.For retailers, the Commission’s Report, and its record of enforcement in the Consumer Privacy area, illustrates an important truth about privacy: the practices that will receive the greatest scrutiny, and provoke the strongest reaction – be it public outcry, regulatory enforcement or legislative action – are those practices which are generally unknown to consumers, and which, when they come to light, strike consumers as surprising and inappropriate. One way to guard against this kind of outcry is to take steps to better explain the ways that personal data is collected and used. On the other hand, a sure way to provoke outcry and invite regulatory attention is to take a public position on privacy and then unilaterally fail to abide by it.
Regulators generally recognize that the collection and use of personal information is essential to the growth of the internet economy. With their focus on encouraging self-regulation, the White House and the Commission hope to strike a balance that allows for continued innovation, while giving consumers greater comfort and more control regarding the ways their information is collected and used. By cooperating with the Commission in developing sector-specific codes of conduct, retailers and other companies who collect and use personal data in the course of business have an opportunity to shape the rules pertaining to acceptable data practices. The Commission does view these proposed self-regulatory codes of conduct as enforceable, however, and it will investigate companies found to be violating their own commitments. Companies should thus be cautious in developing their privacy policies, and should only make commitments they are confident they can honor.
Co-authored by Nat Bessey