Yesterday the FTC released a report entitled, “Protecting Consumer Privacy in an Era of Rapid Change.” This is the final version of a preliminary report issued in December 2010. Industry leaders, consumer privacy advocates and private citizens responded to calls for comments and the FTC based its final privacy report on analysis of those comments. The report suggests best practices for data collection and online tracking.
The report is over 70 pages long, but don’t worry if you didn’t read it. We did, and here’s everything you need to know.
To be clear, this is a set of guidelines, best practices and legislative recommendations. As of today, there is no new legislation.
These suggestions are not applicable to companies that do not collect any data that is “reasonably linkable to a specific consumer, computer, or other device.” Data is not considered “reasonably linkable” if the company: “(1) takes reasonable measures to ensure that the data is de-identified; (2) publicly commits not to try to reidentify the data; and (3) contractually prohibits downstream recipients from trying to re-identify the data.”
The privacy guidelines are divided into three primary sections: privacy by design, simplified consumer choice, and transparency.
Privacy by Design
Privacy protection should be incorporated into the everyday activity of companies. There are three primary issues companies must address while designing privacy-friendly policies:
- Companies should keep consumer data secure.
- Companies should not hold on to data if it is no longer being used, but retention periods can be flexible depending on the customer relationship and the type of data we’re talking about. For example, it makes sense for a car dealership to maintain records for years since the product lifespan is long, and they may use that data to send maintenance reminders and opportunities to purchase new models (both of which are appropriate examples of targeted marketing messages).
- Companies that keep data that could affect consumers’ well-being (e.g. could affect job eligibility) must make this data available for consumers to access and correct if it is false (note that this may actually fall under the jurisdiction of the Fair Credit Reporting Act). Companies using data solely for marketing purposes need not allow consumers access to that data; however, they should make known the fact that they do collect data and explain what type of data they collect.
Simplified Consumer Choice
Companies do not need to give consumers the choice to decline before collecting and using data for product fulfillment, internal operations, fraud prevention, legal compliance and public purpose, and first-party marketing when they collect that data in a way that’s consistent with the context of the transaction or the company’s relationship with the consumer. The FTC specifically notes that they do not consider retargeting to be first-party marketing.
For everything else, companies should offer consumers the choice whether or not to provide their data prior to collection or prior to the company’s actual use of that data. “Companies should obtain affirmative express consent before (1) using consumer data in a materially different manner than claimed when the data was collected; or (2) collecting sensitive data.” Materially different could be first-party data that is now being shared with a third party. Sensitive information is financial or health information, precise geolocation data, and information about children.
Privacy notices are long, opaque and convoluted, and should be shorter, clearer and more standardized across companies so that consumers can actually understand them. In addition, companies should work harder to educate consumers about data privacy.
Another issue that received significant attention is do not track.
The FTC commends the industry for its efforts thus far on the implementation of do not track, and specifically calls out efforts by the Digital Advertising Alliance (responsible for the little blue icons in banner ads) and Mozilla for creating a do not track option for its Firefox browser. One specific requirement called for is that do not track should not be cookie-based, so that consumers will not be removed from do not track lists if they delete their cookies. Furthermore, do not track should mean do not collect data rather than do not serve ads.
The FTC also recommended that data brokers work together to create a central website where consumers can access their data, correct it if necessary and learn more about industry practices. Ad Age has more.
FTC Chairman Jon Leibowitz said yesterday, “I’m very hopeful that do-not-track can be done without legislation, but if it can’t be, I think it will be done with legislation.”
That seems to be the prevailing sentiment surrounding all privacy issues covered here. Although no new legislation was announced, the FTC is pushing for Congress to enact privacy legislation if the industry proves unable to self-regulate.