The Report, while a comprehensive review of hundreds of undoubtedly conflicting filings by the various extreme factions on privacy issues, ultimately just boils down to the FTC complaining that Congress has still not taken any action to normalize privacy rules. Let’s face it, privacy law is a mess – a hodge podge of state laws, some specific federal laws in the area of financial account, children, protected health information, and education areas, and a morass of case law and regulatory rules – rules that mostly derive from other laws (like the Lanham Act) not really intended to address privacy. For example, many of the actions the FTC has brought to enforce so called privacy, really involve false advertising – a company saying one thing to a consumer, and doing another, or offering some ability to control a privacy setting, and then ignoring the user setting.
The Report sets forth the FTC’s overview of its objectives and scope summarized here:
- does not apply to companies that collect only non-sensitive data from fewer than 5,000 consumers a year, provided they do not share the data with third parties
- “commonly accepted” information collection and use practices for which companies need not provide consumers with choice (product fulfillment, internal operations, fraud prevention, legal compliance and public purpose, and first-party marketing).
- recommended that companies provide consumers with reasonable access to the data the companies maintain about them, proportionate to the sensitivity of the data and the nature of its use.
- respect browser and consumer “do not track” election
- allowing consumers to have access to and to correct information held by so called “data brokers”
- industry self-regulation (“no lip service”)
In terms of the actual principles, they are:
- Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy
- Companies should maintain comprehensive data management procedures throughout the life cycle of their products and services
- Companies should simplify consumer choice (Companies do not need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company’s relationship with the consumer, or are required or specifically authorized by law)
- For practices requiring choice, companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data. Companies should obtain affirmative express consent before (1) using consumer data in a materially different manner than claimed when the data was collected; or (2) collecting sensitive data for certain purposes
- Privacy notices should be clearer, shorter, and more standardized to enable better comprehension and comparison of privacy practices
- Companies should provide reasonable access to the consumer data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of its use
- All stakeholders should expand their efforts to educate consumers about commercial data privacy practices
From a lawyer for small to medium size businesses, it would be very helpful for some national, pre-emptive legislation that gave a lot of guidance and safe harbors for businesses so that they do not have top worry that they are violating some esoteric rule buried in some regulation, order or arcane state law. Unlikely to happen, though . . .
For more information, contact Mike Oliver.