FTC releases data security best practices
The Federal Trade Commission (FTC) has issued a final report setting forth best practices for businesses to protect the privacy of U.S. consumers and give them greater control over the collection and use of their personal data.

In the report, "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers," the commission also recommended that Congress consider enacting general privacy legislation, data security and breach notification legislation, as well as data broker legislation.

“In today’s world of smartphones, smart grids and smart cars, companies are collecting, storing and sharing more information about consumers than ever before,” the report stated. “Although companies use this information to innovate and deliver better products and services to consumers, they should not do so at the expense of consumer privacy.”

The final privacy report expands on a preliminary staff report the FTC issued in December 2010. The final report called on companies handling consumer data to implement recommendations for protecting privacy, including:
  • Privacy by Design: Companies should build in consumer privacy protections at every stage in developing their products, including reasonable security for consumer data, limited collection and retention of such data and reasonable procedures to promote data accuracy.
  • Simplified Choice for Businesses and Consumers: Companies should give consumers the option to decide what information is shared about them, and with whom. This should include a Do-Not-Track mechanism that would provide a simple, easy way for consumers to control the tracking of their online activities.
  • Greater Transparency: Companies should disclose details about their collection and use of consumers' information, and provide consumers access to the data collected about them.

Based on technological advances and industry developments since the December 2010 staff report and in response to the comments, the agency is revising recommendations in three areas:
  • The final report changes the guidance's scope. The preliminary report recommended that the proposed framework apply to all commercial entities that collect or use consumer data that can be linked to a specific consumer, computer or other device. Recognizing the potential burden on small businesses, the report concluded that the framework should not apply to companies that collect only non-sensitive data from fewer than 5,000 consumers a year and do not transfer it. The final report also concluded data are not "reasonably linked" if a company takes reasonable measures to de-identify the data, commits not to re-identify it and prohibits downstream recipients from re-identifying it.
  • The report refined the guidance for when companies should provide consumers with choice about how their data are used. It stated that whether a practice should include choice turns on the extent to which the practice is consistent with the context of the transaction or the consumer's existing relationship with the business or is required or specifically authorized by law. These practices include product fulfillment and fraud prevention.
  • Regarding data brokers, the report noted that data brokers often buy, compile and sell highly personal information about consumers. Consumers are often unaware of their existence and the purposes for which they use the data. The report made two recommendations to increase the transparency of such practices: it reiterated the FTC’s prior support for legislation that would provide consumers with access to information held by data brokers, and it called on data brokers who compile consumer data for marketing purposes to explore the creation of a centralized website where consumers could get information about their practices and their options for controlling data use.

Over the course of the next year, the FTC stated it will work to encourage consumer privacy protections by focusing on five main action items:
  • Do-Not-Track: The commission will work with groups to complete implementation of an easy-to-use, persistent and effective Do-Not-Track system.
  • Mobile: The FTC urges companies offering mobile services to work toward improved privacy protections, including disclosures.
  • Data Brokers: The commission calls on data brokers to make their operations more transparent by creating a centralized website to identify themselves, and to disclose how they collect and use consumer data.
  • Large Platform Providers: The report cited heightened privacy concerns about the extent to which platforms such as internet service providers, operating systems, browsers and social media companies seek to track consumers' online activities. The FTC will host a public workshop in the second half of 2012 to explore issues related to tracking.
  • Promoting Enforceable Self-Regulatory Codes: The FTC will work with the Department of Commerce and stakeholders to develop industry-specific codes of conduct. To the extent that strong privacy codes are developed, when companies adhere to these codes, the FTC will take that into account in its law enforcement efforts. If companies do not honor the codes they sign up for, they could be subject to FTC enforcement actions.