The Federal Trade Commission’s Privacy Report: Protecting Consumer Privacy in an Era of Rapid Change—Five Key Takeaways

April 23, 2012, 9:21 PM UTC

On March 26, the Federal Trade Commission (FTC or Commission) published a landmark privacy report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (Privacy Report). [fn. 1: Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (March 2012), available at http://www.ftc.gov/os/2012/03/120326privacyreport.pdf [hereinafter Privacy Report].] The Privacy Report finalizes a preliminary FTC staff report issued in December 2010 (Staff Report). [fn. 2: Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policymakers (Preliminary FTC Staff Report) (Dec. 2010), available at http://www.ftc.gov./os/2010/12/101201privacyreport.pdf.]

The Privacy Report incorporates a privacy framework first articulated in the Staff Report. Under that framework, companies should adopt:

  • Privacy by Design—building in privacy protections right at the inception of new products and services;
  • Privacy Choices for Consumers—taking into account the opportunity for choice at a meaningful moment and in a meaningful context; and
  • Greater Transparency—more robust, frequent and meaningful consumer privacy notices and disclosures. [fn. 3: Privacy Report, supra note 1, at i, vii-viii. Note that the Privacy Report, unlike the Staff Report, would not apply the framework to entities which: (1) have a first party relationship with a consumer; (2) do not collect or use sensitive information about that consumer; (3) do not share any consumer information with third parties; and (4) collect data from under 5,000 consumers. Id. at 15-16.]

For companies which collect, maintain, use and/or sell consumer data, the Privacy Report presents five critical takeaways:

  • For the FTC, privacy will become an even more important priority;
  • Notwithstanding FTC statements to the contrary, the Privacy Report’s “best practice” recommendations may be enforceable by the FTC;
  • Entities that do not have a “first party” relationship with consumers (data brokers and, sometimes, large platform providers) face special privacy scrutiny;
  • Do Not Track may be a proxy for do not collect; and
  • Companies should conduct FTC-focused privacy risk assessments.

The Privacy Report Is a Statement by the Commission, Not the Staff, and, as Such, Companies Should Expect Even More Privacy Enforcement Activity From the FTC

FTC Chairman Jon Leibowitz recently called the FTC “the nation’s privacy protection agency.” [fn. 4: Jon Leibowitz, Chairman, Fed. Trade Comm’n, Remarks at Fed. Trade Comm’n Press Conference (Mar. 26, 2012).] He has also called this era “a decisive moment for consumer privacy.” [fn. 5: Jon Leibowitz, Chairman, Fed. Trade Comm’n, Testimony Before the House Comm. on Energy & Commerce, Subcomm. on Commerce, Mfg. and Trade (Mar. 29, 2012) [hereinafter Leibowitz Testimony].]

In implementing the privacy framework, the Privacy Report promises FTC implementation and enforcement priority in five areas:

  • Do not track;
  • Mobile devices;
  • Data brokers;
  • Large platform providers; and
  • Enforceable, self-regulatory codes. [fn. 6: Privacy Report, supra note 1, at v.]

In addition to enforcement, the Privacy Report calls upon Congress to adopt baseline, comprehensive privacy legislation, as well as targeted legislation, including data security legislation and so-called “data broker” legislation. [fn. 7: Id. at i, v.]

The Privacy Report also identifies five categories of personally identifiable information which the Commission characterizes as “sensitive” and which, in its view, therefore merit heightened privacy protections and heightened regulatory scrutiny:

  • Information about children;
  • Financial information;
  • Health information;
  • Social Security number information; and
  • Geolocation information.

By adopting the Privacy Report by a vote of the commissioners (3-1 with Commissioner J. Thomas Rosch dissenting and one vacancy), the Commission is, in a very real way, “ringing the bell” on privacy. As a result, every business that collects, maintains, uses or sells personally identifiable information about consumers needs to make privacy a priority.

Expect Greater FTC Law Enforcement Activity for All of the “Best Practice” Recommendations in the Privacy Report

The Privacy Report reassures readers that, “to the extent the framework goes beyond existing legal requirements, the framework is not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC.” [fn. 8: Id. at 1.] Don’t believe this. Commissioner Tom Rosch, in his dissent, makes clear that he doesn’t believe this. He cautions that, although the recommendations in the Privacy Report “are supposed to be nothing more than ‘best practices,’” he is “concerned that the language of the Report indicates otherwise, and broadly hints at the prospect of enforcement.” [fn. 9: Id. at C-8.]

It’s not that the FTC makes this statement in bad faith. It’s simply that the FTC already has the authority, directly and indirectly, to enforce what the Privacy Report calls “best practices.” The FTC staff will be sorely tempted to do so.

The FTC has the tools, for example, to enforce the Report’s entire privacy framework; enforce special protections on the use of sensitive information; enforce some of what the Privacy Report calls the more substantive parts of privacy by design, such as “reasonable collection limits,” “sound retention practices,” and “data accuracy;” [fn. 10: Id. at 23.] and even enforce special limitations on the collection and use of personally identifiable information obtained about consumers who are not customers or who are not in a “first party relationship” with the data collector.

How can the FTC do this? The FTC, of course, has enforcement powers under the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA), the Children’s Online Privacy Protection Act (COPPA) and certain other privacy-related statutes. [fn. 11: Fair Credit Reporting Act, 15 U.S.C. §1681s; Gramm-Leach-Bliley Act, 15 U.S.C. §6805; Children’s Online Privacy Protection Act, 15 U.S.C. §§6501-6508.] But, more importantly, the FTC has enforcement authority over practices which are deemed to be unfair or deceptive. [fn. 12: 15 U.S.C. §1681s; Section 5 of the Federal Trade Commission Act, 15 U.S.C. §45(a).]

The “deception” prong of this authority extends not merely to representations that are affirmatively misleading or deceptive; [fn. 13: In re Facebook, Inc., FTC, File No. 092 3184, consent order proposed 11/29/11, available at http://www.ftc.gov/os/caselist/0923184/111129facebookagree.pdf.] this prong also includes instances where a company’s failure to make a material disclosure creates a deception. [fn. 14: See Consent Decree, United States v. Asset Acceptance, LLC, No. 8:12-cv-00182-JDW-EAJ (M.D. Fla. Jan. 31, 2012), available at http://www.ftc.gov/os/caselist/0523133/120131assetconsent.pdf.] Could it be deceptive, for example, for an entity to fail to disclose that it is collecting and using sensitive information; fail to disclose that it collects information about a consumer, even though it has no business relationship with the consumer; fail to disclose that it tracks consumers across the internet, even in situations where the consumer does not have a “first party relationship” with that entity? The answer is at least “maybe” and, perhaps, “yes.”

Not only can the FTC use its authority aggressively to prohibit deceptive practices and misrepresentations (and, just as importantly, mandate disclosures where, in the FTC’s view, silence would constitute a deceptive practice), but the FTC can prohibit “unfair” practices. Indeed, Commissioner Rosch’s dissent warns that the Privacy Report is rooted in its insistence that the unfairness prong, rather than the deception prong, governs information gathering and privacy practices. [fn. 15: Privacy Report, supra note 1, at C-3.] Commissioner Rosch goes on to warn that unfairness is an elastic and elusive concept and that the FTC, both as a matter of history and prudent policy, should be exceedingly careful in its use of unfairness. [fn. 16: For the last thirty years, the FTC has acknowledged that it will not use its unfairness power except in cases where the consumer injury is “substantial”; where there are no or few offsetting benefits; and where the consumer cannot use self-help to reasonably avoid the injury. This has not always been the FTC’s approach, however. Encouraged by the Supreme Court’s opinion in FTC v. Sperry Hutchinson, 405 U.S. 233 (1972), the Commission, in the 1970s, took the view that public policy violations, including unethical, oppressive and unscrupulous behavior, could provide a basis for the exercise of its unfairness authority.] Does the Privacy Report signal an intention by a majority of the current commissioners to return to the day when public policy failings, such as a company’s failure, for example, to adopt a comprehensive, meaningful information privacy policy, could be an unfair practice? [fn. 17: In the Google consent order, the Commission required Google to implement and, thereafter, maintain a “comprehensive privacy program.” In re Google, Inc., FTC, File No. 102 3136, final consent agreement approved 10/13/11, available at http://ftc.gov/os/caselist/1023136/111024googlebuzzdo.pdf.]

For businesses, this means that it will be doubly important to examine all disclosures and representations about your company’s collection, maintenance, use and dissemination of personally identifiable information (particularly, sensitive personally identifiable information) to assure that the disclosure is complete and accurate. [fn. 18: It is important to note that, in the Privacy Report, the Commission walks back a bit from the “linkability” proposal in the Staff Report. In the Privacy Report’s framework, information is not “reasonably linkable” to a particular consumer or device and, thus, not personally identifiable information, if a company does three things: (1) takes reasonable measures to ensure that the data are de-identified; (2) commits publicly to maintain and use the data in a de-identified fashion; and (3) disseminates the de-identified data only after obtaining a contractual promise from third party recipients that they will not attempt to re-identify the information. Privacy Report, supra note 1, at 20-12.] Furthermore, to the extent that a reasonable consumer could, by your company’s silence, infer an information practice which is privacy protective when, in fact, there is no such practice, your company should strongly consider making a full and complete disclosure. Finally, the FTC’s publication of the Privacy Report creates a timely moment to reexamine and rewrite your company’s privacy policy to assure that it is comprehensive and consistent with the Privacy Report’s recommendations.

Large Platform Providers and Data Brokers Are Targeted for Enhanced Privacy Scrutiny

The Privacy Report calls for regulating personally identifiable information obtained by entities that do not have a business relationship with the consumer whose information they are collecting (so-called “information brokers”) and recommends special scrutiny for so-called “large platform providers,” such as internet service providers or social media sites, which may continue to collect information about the consumer outside the context of whatever relationship they may have had—by, for example, tracking that consumer’s activities across the internet.

The FTC defines data brokers as “companies that collect information, including personal information, about consumers, from a wide variety of sources for the purpose of reselling the information for a variety of purposes, including verifying an individuals’ identity, differentiating one consumer’s records from another, marketing products and preventing financial fraud.” [fn. 19: Leibowitz Testimony, supra note 5, at 10.]

This definition is exceedingly broad. Indeed, the Privacy Report notes that these businesses may encompass a “diverse range of industry sectors,” and the Report even notes that this diverse range may include “general search engines, media publications or social networking sites.” [fn. 20: Privacy Report, supra note 1, at 67.] Does this mean that the FTC sees Google as an information broker? Facebook as an information broker? According to the FTC, information brokers should be required to provide consumers with access and correction rights, as well as a robust notice informing consumers about the types of information that these companies collect and maintain about them and the sources of that information.

The Privacy Report defines a large platform provider as including ISPs, operating systems, browsers, and social media sites. [fn. 21: Id. at 55.] These types of entities are able to collect information about consumer behavior across the internet and do so without the benefit of consumer knowledge or consent. As a result, the FTC sees large platform providers as presenting special privacy threats.

Large platform providers share with data brokers a particular challenge. Frequently, they collect personally identifiable information, either without a direct, first party relationship with consumers or, at least, collect this information outside the bounds of that relationship. This means that consumers’ ability to be informed about and participate in the data relationship is limited. In turn, this means that these companies collecting personally identifiable information outside of a first party relationship are now likely to be subject to heightened FTC scrutiny and enforcement risk.

Is Do Not Track a Proxy for Do Not Collect?

The Privacy Report’s Do Not Track recommendation urges that companies operating on the internet should implement and/or comply with easy-to-use, persistent and effective do-not-track systems. The Privacy Report’s discussion of do-not-track mechanisms [fn. 22: Id. at 52-55.] makes clear that Do Not Track does not mean do not maintain, do not use or do not disseminate. Do Not Track means do not collect (absent consumer notice and consent).

The Privacy Report’s recommendations apply both online and offline. Thus, in the absence of an appropriate context for tracking (such as fulfillment of a transaction; or another type of routine data exchange that is anticipated by the consumer; or legal and specific authorization; or consumer consent), it is the Commission’s view that it is inappropriate to track.

Is this recommendation, on examination, the beginning of an effort by the Commission to insist that commercial entities not collect personally identifiable information, online or offline, without appropriate context; legal authorization; or consumer consent? A do not collect recommendation would represent a truly material change with far reaching consequences, both intended and, in all likelihood, unintended.

It may turn out, of course, that the FTC does not intend to go this far—does not intend to support this type of an EU data privacy approach. In the meantime, companies should take a new and hard look at the personally identifiable information that they collect, particularly when it is sensitive information and particularly when it is information about consumers with whom they do not have a commercial relationship. In these instances, companies should be able to answer the question whether the information collection is authorized explicitly by law or, at least, is necessary for their business model.

Conducting an FTC-Focused Privacy Risk Assessment

What all of this suggests, and what the Privacy Report really stands for, is a self-consciousness on the part of companies about their privacy practices. This is not new. Privacy risk assessments, privacy audits and privacy reviews have been with us for many years. The FTC Privacy Report, however, makes the regular conduct of such assessments more important than ever before and changes some of the focus of these assessments.

In the wake of the Privacy Report, the FTC should certainly be an important focus of any privacy assessment. An FTC-oriented privacy risk assessment would:

  • Look at all of the recent and relevant FTC consent orders and stipulated orders;
  • Look at FTC privacy reports and workshop transcripts;
  • Review recent statements by the FTC commissioners and senior staff, including testimony;
  • Identify company practices that resonate in the Privacy Report, particularly collection of sensitive personally identifiable information and information about consumers with whom the company does not have a relationship;
  • Analyze—in comprehensive and thorough detail—the representations that the company makes (and fails to make) about its privacy and information practices;
  • Identify uses that could result in consumer harm—not just tangible harm but intangible harm, including stigma and adverse surprise; [fn. 23: The Privacy Report states that, “the range of privacy-related harm is more expansive than economic or physical harms or unwarranted intrusion and that any privacy framework should recognize additional harms…” such as “unexpected revelation of previously private information…” Privacy Report, supra note 1, at 8.] and
  • Review all of the company’s existing privacy policies and practices.

Taking a hard-nosed look at your company’s disclosures and representations, including what is not disclosed, will be especially important from an FTC standpoint.

This kind of review takes time and costs money and is still no guarantee that the FTC Staff will not knock on your door. It is a guarantee, however, that when you open the door, you will have something positive and, hopefully, persuasive to say to the FTC.

In the end, don’t blame the FTC. It’s an agency full of remarkable, smart and dedicated professionals doing their job. It’s just that their job, after all, is being the nation’s privacy protection agency.
