FTC Staff Report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (Draft) (Dec. 1, 2010) (full-text).
This report proposes a framework to balance the privacy interests of consumers with innovation that relies on consumer information to develop beneficial new products and services. The proposed report also suggests implementation of a "Do-Not-Track" mechanism — likely a persistent setting on consumers' browsers — so consumers can choose whether to allow the collection of data regarding their online searching and browsing activities.
It states that industry efforts to address privacy through self-regulation "have been too slow, and up to now have failed to provide adequate and meaningful protection." The framework outlined in the report is designed to reduce the burdens on consumers and businesses.
"This proposal is intended to inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy, and guide and motivate industry as it develops more robust and effective best practices and self-regulatory guidelines," according to the report.
The FTC staff developed the proposed framework in recognition of increasing advances in technology that allow for rapid data collection and sharing that is often invisible to consumers. Although many companies use privacy policies to explain their information practices, the policies have become long, legalistic disclosures that consumers usually do not read and do not understand if they do. Current privacy policies force consumers to bear too much burden in protecting their privacy.
To reduce the burden on consumers and ensure basic privacy protections, the report first recommends that "companies should adopt a 'privacy by design' approach by building privacy protections into their everyday business practices." Such protections include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy. Companies also should implement and enforce procedurally sound privacy practices throughout their organizations, including assigning personnel to oversee privacy issues, training employees, and conducting privacy reviews for new products and services.
Second, the report states, consumers should be presented with choice about collection and sharing of their data at the time and in the context in which they are making decisions — not after having to read long, complicated disclosures that they often cannot find. The report adds that, to simplify choice for both consumers and businesses, companies should not have to seek consent for certain commonly accepted practices. It is "reasonable for companies to engage in certain practices — namely, product and service fulfillment, internal operations such as improving services offered, fraud prevention, legal compliance, and first-party marketing," the report states. "By clarifying those practices for which consumer consent is unnecessary, companies will be able to streamline their communications with consumers, reducing the burden and confusion on consumers and businesses alike.”