[Executive Summary pp.i–vii] In today’s digital economy, consumer information is more important than ever. Companies are using this information in innovative ways to provide consumers with new and better products and services. Although many of these companies manage consumer information responsibly, some appear to treat it in an irresponsible or even reckless manner. And while recent announcements of privacy innovations by a range of companies are encouraging, many companies — both online and offline — do not adequately address consumer privacy interests.
Industry must do better. For every business, privacy should be a basic consideration — similar to keeping track of costs and revenues, or strategic planning. To further this goal, this report proposes a normative framework for how companies should protect consumers’ privacy. This proposal is intended to inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy, and guide and motivate industry as it develops more robust and effective best practices and self-regulatory guidelines. The framework is designed to serve as a policy vehicle for approaching privacy, but it includes elements that reflect longstanding Federal Trade Commission (“FTC” or “Commission”) law.
Although privacy often has been said to mean “the right to be let alone,” [Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193, 193 (1890)] the application of this concept in modern times is by no means straightforward. Consumers live in a world where information about their purchasing behavior, online browsing habits, and other online and offline activity is collected, analyzed, combined, used, and shared, often instantaneously and invisibly. For example:
- if you browse for products and services online, advertisers might collect and share information about your activities, including your searches, the websites you visit, and the content you view;
- if you participate in a social networking site, third-party applications are likely to have access to the information you or your friends post on the site;
- if you use location-enabled smartphone applications, multiple entities might have access to your precise whereabouts;
- if you use loyalty cards at a grocery store or send in a product warranty card, your name, address, and information about your purchase may be shared with data brokers and combined with other data.
Some consumers are troubled by the collection and sharing of their information. Others have no idea that any of this information collection and sharing is taking place. Still others may be aware of this collection and use of their personal information but view it as a worthwhile trade-off for innovative products and services, convenience, and personalization. And some consumers — some teens for example — may be aware of the sharing that takes place, but may not appreciate the risks it poses. In addition, consumers’ level of comfort might depend on the context and amount of sharing that is occurring. For example, some consumers may be unconcerned about the collection and sharing of discrete pieces of information about them because that information, by itself, may seem innocuous. However, they may find the compilation of vast quantities of data about them surprising and disturbing. Because of these differences in consumer understanding, attitudes and behavior, as well as the rapid pace of change in technology, policymaking on privacy issues presents significant challenges.
The FTC’s efforts to protect consumer privacy date back to the 1970s, when it began enforcing one of the first federal privacy laws — the Fair Credit Reporting Act (“FCRA”). [15 U.S.C. § 1681 (2010). The Commission currently enforces a number of other sector-specific privacy laws, as well as the Federal Trade Commission Act’s broad prohibition on “unfair or deceptive” acts or practices. 15 U.S.C. § 45 (2010).] Since hen, the Commission has sought to protect consumer privacy through law enforcement, policy initiatives, and consumer and business education. Using these tools, the Commission’s goal in the privacy arena has remained constant: to protect consumers’ personal information and ensure that they have the confidence to take advantage of the many benefits of the ever-changing marketplace. In recent years, the FTC has sought to advance this objective using two primary models: the “notice-and-choice model,” which encourages companies to develop privacy notices describing their information collection and use practices to consumers, so that consumers can make informed choices, and the “harm-based model,” which focuses on protecting consumers from specific harms — physical security, economic injury, and unwanted intrusions into their daily lives. Each model has significantly advanced the goal of protecting consumer privacy; at the same time, each has been subject to certain criticisms.
Specifically, the notice-and-choice model, as implemented, has led to long, incomprehensible privacy policies that consumers typically do not read, let alone understand. Likewise, the harm-based model has been criticized for failing to recognize a wider range of privacy-related concerns, including reputational harm or the fear of being monitored. In addition, both models have struggled to keep pace with the rapid growth of technologies and business models that enable companies to collect and use consumers’ information in ways that often are invisible to consumers. Meanwhile, industry efforts to address privacy through self- regulation have been too slow, and up to now have failed to provide adequate and meaningful protection.
In light of these concerns, last year the Commission announced that it would host a series of roundtables to explore the privacy issues and challenges associated with 21st century technology and business practices — to determine how best to protect consumer privacy while supporting beneficial uses of information and technological innovation. Roundtable participants reflected a wide range of perspectives and included academics, technologists, privacy experts, consumer advocates, representatives from industry, and regulators.
Several major themes emerged from these discussions, including:
- the ubiquitous collection and use of consumer data;
- consumers’ lack of understanding and ability to make informed choices about the collection and use of their data;
- the importance of privacy to many consumers;
- the significant benefits enabled by the increasing flow of information; and
- the blurring of the distinction between personally identifiable information and supposedly anonymous or de-identified information.
Stakeholders emphasized the need to improve transparency, simplify the ability of consumers to exercise choices about how their information is collected and used, and ensure that businesses take privacy-protective measures as they develop and implement systems. At the same time, commenters and participants urged regulators to be cautious about restricting the exchange and use of consumer data in order to preserve the substantial consumer benefits made possible through the flow of information. Participants noted, for example, that the acquisition, exchange, and use of consumer data not only helps to fund a variety of personalized content and services, but also allows businesses to innovate and develop new products and services that offer consumers convenience and cost savings.
Based upon the major themes and concepts developed through the roundtables, Commission staff is proposing a new framework for addressing the commercial use of consumer data. This framework builds upon the notice-and-choice and harm-based models, the FTC’s law enforcement experience, and the record from the roundtables. Commission staff encourages all interested parties to submit written comments to help guide further development and refinement of the proposal.
The proposed framework would apply broadly to online and offline commercial entities that collect, maintain, share, or otherwise use consumer data that can be reasonably linked to a specific consumer, computer or device. It contains three main components.
First, companies should adopt a “privacy by design” [Privacy By Design is an approach that Ann Cavoukian, Ph.D., Information and Privacy Commissioner of Ontario, has advocated. See Privacy by Design, Information & Privacy Commissioner of Ontario, http://www.privacybydesign.ca.] approach by building privacy protections into their everyday business practices. Such protections include providing reasonable security for consumer data, collecting only the data needed for a specific business purpose, retaining data only as long as necessary to fulfill that purpose, safely disposing of data no longer being used, and implementing reasonable procedures to promote data accuracy. Companies also should implement and enforce procedurally sound privacy practices throughout their organizations, including, for instance, assigning personnel to oversee privacy issues, training employees on privacy issues, and conducting privacy reviews when developing new products and services. Such concepts are not new, but the time has come for industry to implement them systematically. Implementation can be scaled to each company’s business operations. Companies that collect and use small amounts of non-sensitive consumer data should not have to devote the same level of resources to implementing privacy programs as companies that collect vast amounts of consumer data, collect data of a sensitive nature, or engage in the business of selling consumer data.
Second, Commission staff proposes that companies provide choices to consumers about their data practices in a simpler, more streamlined way than has been used in the past. Under this approach, consumer choice would not be necessary for a limited set of “commonly accepted” data practices, thus allowing clearer, more meaningful choice with respect to practices of greater concern. This component of the proposed framework reflects the concept that it is reasonable for companies to engage in certain commonly accepted practices — namely, product and service fulfillment, internal operations such as improving services offered, fraud prevention, legal compliance, and first-party marketing. Some of these practices, such as where a retailer collects a consumer’s address solely to deliver a product the consumer ordered, are obvious from the context of the transaction, and therefore, consent for them is inferred. Others are sufficiently accepted — or necessary for public policy reasons — that companies need not request consent to engage in them. By clarifying those practices for which consumer consent is unnecessary, companies will be able to streamline their communications with consumers, reducing the burden and confusion on consumers and businesses alike.
For data practices that are not “commonly accepted,” consumers should be able to make informed and meaningful choices. To be most effective, choices should be clearly and concisely described and offered when — and in a context in which — the consumer is making a decision about his or her data. Depending upon the particular business model, this may entail a “just-in- time” approach, in which the company provides the consumer with a choice at the point the consumer enters his personal data or before he accepts a product or service.
One way to facilitate consumer choice is to provide it in a uniform and comprehensive way. Such an approach has been proposed for behavioral advertising, whereby consumers vi would be able to choose whether to allow the collection and use of data regarding their online searching and browsing activities. The most practical method of providing such universal choice would likely involve the placement of a persistent setting, similar to a cookie, on the consumer’s browser signaling the consumer’s choices about being tracked and receiving targeted ads. Commission staff supports this approach, sometimes referred to as “Do Not Track.”
Third, staff proposes a number of measures that companies should take to make their data practices more transparent to consumers. For instance, although privacy policies may not be a good tool for communicating with most consumers, they still could play an important role in promoting transparency, accountability, and competition among companies on privacy issues — but only if the policies are clear, concise, and easy-to-read. Thus, companies should improve their privacy policies so that interested parties can compare data practices and choices across companies.
Staff also proposes providing consumers with reasonable access to the data that companies maintain about them, particularly for companies that do not interact with consumers directly, such as data brokers. Because of the significant costs associated with access, staff believes that the extent of access should be proportional to both the sensitivity of the data and its intended use. In addition, all entities must provide robust notice and obtain affirmative consent for material, retroactive changes to data policies.
Finally, staff proposes that stakeholders undertake a broad effort to educate consumers about commercial data practices and the choices available to them. Increasing consumer understanding of the commercial collection and use of their information is important to facilitating competition on privacy across companies.
Commission staff seeks comment by January 31, 2011, on each component of the vii proposed framework and how it might apply in the real world. Interested parties are encouraged to raise, and comment upon, related issues. Based on comments received, the Commission will issue a final report in 2011. In the meantime, the Commission plans to continue its vigorous law enforcement in the privacy area, using its existing authority under Section 5 of the Federal Trade Commission Act and the other consumer privacy laws it enforces.