The Federal Trade Commission Publishes its Final Privacy Report (Part II)
This is the second part of a post about the recently published FTC Privacy Report.
Simplified Consumer Choice (Consent)
Some practices do not require choice
Under the Final Framework, companies would not have to provide consumers with a choice if they collect and use data for ‘commonly accepted practices’ (p.36). Instead of rigidly defining what would be considered commonly accepted practices, the FTC focuses on the interaction between a business and the consumer (p.38). Is the practice “consistent with the context of the transaction or the consumer’s existing relationship with the business, or is [it] required or specifically authorized by law?” (p. 39).
One may remember that the Telephone Consumer Protection Act has a similar “existing business relation” exception to consent.
However, the six practices originally identified in the preliminary staff report as those that companies may engage in without offering consumer choice (fulfillment, fraud prevention, internal operations, legal compliance, public purpose, and most first-party marketing) remain useful as guidance as to whether a particular practice would indeed be considered commonly accepted.
First-party marketing occurs when a company collects customer data and uses it for its own marketing purposes, as opposed to third-party marketing, where collected data is sold to third parties for their own marketing purposes. An entity having a first-party relationship with a consumer would not be exempt from providing consumers with choices if it also collects consumer data in a way not consistent with the first-party relationship, such as tracking the consumer across sites (p. 40-41).
The FTC’s final principle on choice is that companies do not need to provide choice before collecting consumer data for practices that are either consistent with their relationship with the customer or required by law (p.48).
Companies should give a choice if the practice is inconsistent with the interaction with the consumer
Such choice should be given “at a time and in a context in which the consumer is making a decision about his or her data” (p. 48).
The FTC still advocates the implementation of a universal, one-stop mechanism for online behavioral tracking (Do Not Track) (p. 52).
A Do Not Track system should include five key principles (p. 53):
1. It should cover all parties tracking consumers
2. It should be easy to find, understand and use
3. The choices offered should be persistent and should not be overridden
4. It should be comprehensive, effective and enforceable
5. It should allow the consumer to opt out of receiving targeted advertisements, and also allow consumers to opt out of collection of behavioral data for all purposes other than those consistent with the context of the interaction
Express consent would, however, be required at the time and in the context in which the consumer is making his or her decision if the company is using data in a materially different manner than the one stated when collecting the data, and if it collects sensitive data, such as social security numbers, information about children, or financial and health data.
Large platform providers (ISPs, operating systems, browsers…)
Such entities have access to a very large spectrum of unencrypted consumer data, which would allow them to build very detailed consumer profiles. Indeed, an ISP has access to all of its customers’ online activity when using that particular connection, raising privacy concerns. The FTC will host a workshop in the second half of 2012 to discuss privacy issues raised by data collection by large platforms.
There are several ways companies could increase the transparency of their data practices.
Privacy notices should be:
- More Standardized
However, prescribing a rigid privacy statement format to be used in all sectors is “not appropriate” according to the FTC. Some elements should be standardized, such as format and terminology, in order for consumers to be able to easily compare privacy practices (p. 62).
Companies should provide reasonable access to the consumer data they maintain, and this access should be proportionate to the sensitivity of the data and the nature of its use (p. 64).
For entities maintaining data solely for marketing purposes, the FTC agrees that the costs of providing consumers a right to access and correct data would likely outweigh the benefits. However, entities should provide consumers with the lists of data categories they keep, and inform them of their right to state that they do not want their data to be used for marketing purposes (p. 65). Such companies should nonetheless provide more individualized access to data if possible; the FTC cites as an example Yahoo’s Ad Interest Manager, which allows users to opt out of certain advertising categories.
The FTC also noted that companies that compile consumer data and sell it to other companies, which then use the data to make a decision about a particular person’s ability to be offered a job, an insurance rate, or credit, are subject to the FCRA. Consumers then have a right to access and correct their information under the FCRA, 15 U.S.C. §§ 1681g-1681h, even if the company compiling the data is not sure of the use that will be made of the data, but “has reason to believe” it will be used for making such decisions (p. 67).
Entities maintaining data for other, non-marketing purposes that fall outside the scope of the FCRA, such as fraud management risk companies, or social networking sites, should use a sliding scale approach. The consumer’s access to his or her data would depend on the use being made of it and on its sensitivity (p. 67).
The FTC supports legislation, such as the Data Accountability and Trust Act, which would give consumers a right to access their data held by data brokers. It also supports the creation by the data broker industry of a centralized web site where data brokers would inform consumers about their data collection practices, and disclose the companies buying this data (p. 69).
The FTC also supports the idea of an “eraser button,” which would allow people to delete the content they have posted online, a right somewhat similar to the right to be forgotten stated by the recent EU Commission Proposal for a new privacy framework (p. 70).
Consumers should be better educated about commercial data privacy practices, and this should be done by all stakeholders.