The FTC released its 122 page Privacy Report today. This Report has been anticipated for some time. The FTC Chairman, Jon Leibowitz, summed up the purpose behind the FTC’s involvment in data privacy and security with release of the Report stating:
Technological and business ingenuity have spawned a whole new online culture and vocabulary – email, IMs, apps and blogs – that consumers have come to expect and enjoy. The FTC wants to help ensure that the growing, changing, thriving information marketplace is built on a framework that promotes privacy, transparency, business innovation and consumer choice. We believe that’s what most Americans want as well.
The Report is issued as "A Proposed Framework For Business and Policymakers." The Report is intended to "inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy." It is also intended to be a framework for how companies should address privacy.
The biggest news making aspect of the Report is the endorsement of a Do Not Track system that would permit consumers to limit or control the amount of information given to advertisers that track consumers’ online behavior. This would be similar to the Do Not Call registry.
For an excellent review of this far reaching Report, and its implications, read this post on the Privacy and Security Law Blog. For more information on the Do Not Track and online behavior tracking aspects of the Report, here is a post from Electronic Frontier Foundation. In the days ahead, there will be many more blog posts about the Report.
For now, if you are a company that collects data for online behavior tracking or stores personally identifiable information (PII such as name, address, ss#, date of birth, etc), this Report should be reviewed albeit with the understanding that it is a proposed framework and will not be a final report until sometime in 2011. The Report will be subject to much debate and critical comment, but might also serve as a best practices guide post.
My general take away points from the Report are that the FTC:
- Endorses a Do Not Track system
- Expects privacy policies to be based on notice and choice for consumers
- Opines that many companies "do not adequately address consumer privacy"
- States privacy policies should reflect the level of sensitivity of the data it seeks to protect
- Wants companies to promote consumer privacy throughout development of its services and products or adopt "privacy by design"
- Wants Companies to make it easier for consumers to understand privacy policies and data collection
- Wants consumers to have more choice on opt in or opt out for data collection
The FTC will take public comment on the Report (click here) until January 31, 2011.