The Federal Trade Commission (FTC) has finalized its recommendations for protecting consumers’ online privacy, using public input and new developments to build upon its preliminary staff report of December.
The report is aimed at outlining how it thinks Internet companies should be protecting consumers’ privacy, mostly via self-regulation but legislative measures are also called for.
Importantly, the FTC sought to outline acceptable data practices where they apply to personally-identifiable information. It says companies should “take reasonable measures to ensure that the data is de-identified,” should publicly commit not to re-identify the data and build provisions into their contracts with downstream data recipients that forbids them from trying to re-identify the data.
“This creates a bubble of protection around data,” noted Peter Swire, a fellow of the Future of Privacy Forum think tank.”Companies know what’s in the regulated space and what isn’t.”
Framework Wouldn’t Apply To Small Businesses
Another important change, aimed at lessening the burden on small businesses, is that the FTC now says its framework should not apply to companies the collect non-sensitive data from fewer than 5,000 customers annually, so long as they do not share this data with third parties.
The commission, in its final report, has adopted a new approach to acceptable data collection practices. Companies would not need to provide choice before collecting and using consumers’ data when that collection and use is consistent with the context of the transaction or the company’s relationship with the consumer. For example, an ecommerce site would be OK collecting shipping and billing information, as that is needed for a purchase transaction.
Consumers’ Access To Data Collected About Them
On the legislative front, the agency suggests Congress pass something resembling the Fair Credit Reporting Act, or an update of that act. Under the FTC’s suggested legislation, people would have access to the information collected and stored about them, and, perhaps, be able to delete or edit it.
In the meantime, the FTC says the industry should continue its work on Do Not Track, and appropriate mobile privacy disclosures.
Unresolved is still the question of companies running ISPs, operating systems, browsers and social media — who seek “to comprehensively track consumers’ online activities” — and how the serious privacy concerns they raise should be dealt with. The commission plans to hold a workshop later this year to discuss these issues.
Additionally, the FTC says it will be working with the Department of Commerce and industry stakeholders to develop sector-specific codes of conduct.
Here’s the consumer-focused video produced by the FTC on these privacy issues: