The Federal Trade Commission (“Commission” or “FTC”) released the much-anticipated final version of its report entitled “Protecting Consumer Privacy in an Era of Rapid Change” (“Final Report”), which sets forth legislative recommendations for policymakers concerning privacy and data security and best practices for business for addressing online and offline privacy concerns.  While not intended to serve as a template for law enforcement actions or a proxy for agency regulation, the FTC’s framework will impact the privacy debate and business practices in the coming years.  The Final Report follows the Commission’s 2010 initial privacy report (“Initial Report”) of the same title.

The Final Report incorporates feedback from industry, academics, privacy advocates, consumers, law enforcement, and government agencies received in more than 450 public comments made in response to the Initial Report. The Final Report is largely consistent with the Initial Report but does not modify several key principles.

In the Final Report, the Commission renews it call for companies to:

  • incorporate “privacy by design” in its data practices,
  • offer consumers choice regarding how data is collected and used, and
  • provide greater transparency with respect to their data practices.

However, the Commission has revised three key recommendations made in the Initial Report.  The Final Report makes changes to:

  • The framework’s scope: The Final Report excludes from the framework companies that collect only non-sensitive consumer data from under 5,000 consumers provided they do not share the data with third parties.  The Final Report also clarifies that data that meets certain de-identification process requirements would be excluded from the framework.
  •  Guidance for when companies should provide consumers with choice about how data will be used.  In the Final Report, the Commission states that whether a company should provide consumers with choice with respect to the collection and use of data turns on the context (i.e., the transaction, relationship between parties, etc.) of the consumer’s interaction with a company.  The Commission explains choice may not be necessary in all contexts.
  • Recommendations for data brokers. The Final Report recommends the enactment of federal legislation that would give individuals access rights to information held about them by data brokers.  The Commission also calls for data brokers that compile marketing information to explore creating a centralized website at which consumers can learn about their practices and access available choice mechanisms.   

What to expect in the coming year

The Final Report sets forth areas of focus for the Commission over the next year.  The Commission states it will focus on:

  1. Do-Not-Track. The Commission will work with industry to complete implementation of an easy-to-use, persistent, and effective uniform choice mechanism.
  2. Mobile. The Commission will focus on mobile app disclosures and will host a workshop on May 30, 2012 to explore advertising disclosures in online and mobile environments.
  3. Large platform providers.  In the report, the Commission states that large platforms such as leading Internet service providers, social media companies, and other entities raise heightened privacy sensitivities, and announces that it plans to hold a workshop in 2012 on privacy issues that arise from such large platforms.
  4. Promoting enforceable self-regulatory codes. The FTC has announced it will work with the Department of Commerce and industry stakeholders to develop industry-specific codes of conduct.