In a world of smart phones and smart grids, the smart money is on companies that play it smart with consumers’ information. Consistent with its 40 years’ experience protecting consumer privacy, the FTC’s just-released Report — Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers — underscores that message and outlines a new privacy framework designed for the 21st Century.
The agency issued a preliminary report in December 2010 and received over 450 comments from businesses, privacy advocates, and consumers. The final Report retains the basic principles outlined previously, but with several important refinements:
Privacy by Design. Companies should build privacy protections into their everyday business practices. That includes limiting data collection and retention, securing the information they hold on to, safely disposing of what they no longer need, and implementing reasonable measures to ensure information is accurate.
Simplified Choice. Companies should give consumers a choice at a time and in a context that matters to people. The preliminary report noted that choice shouldn’t be necessary for certain “commonly accepted practices.” The final Report refines that approach and concludes that choice needn’t be provided for data practices that people would expect, given the context of the transaction, the company’s relationship with the consumer, or as required or specifically authorized by law. The Report also reaffirms the Commission’s strong support for Do Not Track.
Improved transparency. Companies should increase the transparency of their data practices. What does the FTC have in mind? For example, businesses could develop clearer, more standardized privacy disclosures and could give people reasonable access to their information. The final Report also proposes important consumer protections with regard to data brokers. The Report supports targeted legislation that would provide greater transparency about what they’re doing and calls on data brokers to explore creating a centralized website where data brokers could identify themselves and describe how they collect and use people’s information.
What about small businesses? To minimize the effect on smaller companies, the final framework doesn’t apply to them if they collect only non-sensitive data from fewer than 5,000 consumers a year, provided they don’t share the data with third parties.
The Report also calls on Congress to consider enacting baseline privacy legislation, while urging industry to speed up the pace of self-regulation.
Next: More on the Report. In the meantime, check out this new video from the FTC.