The report is a 'two steps forward one step backwards' document. It is based on the December 2010 report noted here, resiling from the stronger privacy protection recommended at that time. It essentially hands the problem to Congress, with a suggestion that the legislature consider enacting -
- general privacy legislation,
- data security and breach notification legislation, and
- data broker legislation.
- Privacy by Design - enterprises should build in consumers' privacy protections at every stage in developing their products. These include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy;
- Simplified Choice for Businesses and Consumers - enterprises should give consumers the option to decide what information is shared about them, and with whom. This should include a Do-Not-Track mechanism that would provide a simple, easy way for consumers to control the tracking of their online activities.
- Greater Transparency - enterprises should disclose details about their collection and use of consumers' information, and provide consumers access to the data collected about them.
That document recommended that the proposed framework apply to every commercial entity that collects or uses consumer data that could be linked to a specific consumer, computer, or other device. The new report, "recognizing the potential burden on small businesses", recommends that the framework should not apply to "companies that collect and do not transfer only non-sensitive data from fewer than 5,000 consumers a year".
Just as importantly, the FTC notes that -
The report also responds to comments filed by organizations and individuals that, with technological advances, more and more data could be "reasonably linked" to consumers, computers, or devices. The final report concludes that data is not "reasonably linked" if a company takes reasonable measures to de-identify the data, commits not to re-identify it, and prohibits downstream recipients from re-identifying it.
The report makes two recommendations regarding data brokers, commenting that "data brokers often buy, compile, and sell highly personal information about consumers" and that the transparency of such activity should be increased. It reiterates FTC support for legislation that would provide consumers with access to information held by data brokers and calls on brokers compiling consumer data for marketing purposes to explore creation of a centralised website where consumers could get information about their practices and their options for controlling data use.
The Commission indicates that it will concentrate on "five main action items" -
- Do-Not-Track - The Commission commends the progress made in this area: browser vendors have developed tools to allow consumers to limit data collection about them, the Digital Advertising Alliance has developed its own icon-based system and also committed to honor the browser tools, and the World Wide Web Consortium standards-setting body is developing standards. "The Commission will work with these groups to complete implementation of an easy-to-use, persistent, and effective Do Not Track system".
- Mobile - enterprises offering mobile services are encouraged "to work toward improved privacy protections, including disclosures", with the FTC hosting a workshop in May "to address how mobile privacy disclosures can be short, effective, and accessible to consumers on small screens".
- Data Brokers - brokers should make their operations more transparent by creating a centralized website to identify themselves, and to disclose how they collect and use consumer data. In addition, the website should detail the choices that data brokers provide consumers about their own information.
- Large Platform Providers - the report cited heightened privacy concerns about the extent to which platforms, such as Internet Service Providers, operating systems, browsers and social media companies, seek to comprehensively track consumers' online activities. The FTC will host a workshop in the second half of 2012 regarding comprehensive tracking.
- Promoting Enforceable Self-Regulatory Codes - The FTC will work with the Department of Commerce and stakeholders to develop industry-specific codes of conduct. To the extent that strong privacy codes are developed, when companies adhere to these codes, the FTC will take that into account in its law enforcement efforts. If companies do not honor the codes they sign up for, they could be subject to FTC enforcement actions.