On March 26, the Federal Trade Commission (FTC) released “Protecting Consumer Privacy in an Era of Rapid Change”, the agency’s much-anticipated report on consumer data privacy. The Report focuses on three broad principles:

  • Privacy by Design: Build in privacy at every stage of product development;
  • Simplified Choice for Businesses and Consumers: Give consumers the ability to make decisions about their data at a relevant time and context, including through a Do Not Track mechanism…; and
  • Greater Transparency: Make information collection and use practices transparent.

This Report follows on a similarly-titled report from the FTC staff in 2010 (on which MRA filed comments in February 2011). Echoing the White House’s Consumer Privacy Bill of Rights report, the Report calls for “baseline privacy legislation” from Congress, as well as data security and data broker legislation, despite clear evidence in the Report that the FTC already has extensive authority under Section 5 of the FTC Act to combat data privacy practices that are “unfair” or “deceptive”, such as the agency’s sweeping consent agreements with companies like Google and Facebook on privacy and data security.

According to the Report, “The final framework is intended to articulate best practices for companies that collect and use consumer data. These best practices can be useful to companies as they develop and maintain processes and systems to operationalize privacy and data security practices within their businesses. The final privacy framework contained in this Report is also intended to assist Congress as it considers privacy legislation.”

The FTC highlighted a couple of major changes from the original staff report:

  1. A small business exemption (except for researchers) and a safe harbor for de-identification: “The preliminary report proposed that the privacy framework apply to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device. To address concerns about undue burdens on small businesses, the final framework does not apply to companies that collect only non-sensitive data from fewer than 5,000 consumers a year, provided they do not share the data with third parties. Commenters also expressed concern that, with improvements in technology and the ubiquity of public information, more and more data could be “reasonably linked” to a consumer, computer or device, and that the proposed framework provided less incentive for a business to try to de-identify the data it maintains. To address this issue, the Report clarifies that data is not “reasonably linkable” to the extent that a company: (1) takes reasonable measures to ensure that the data is de-identified; (2) publicly commits not to try to re-identify the data; and (3) contractually prohibits downstream recipients from trying to re-identify the data.”
  2. Getting a little closer to a use-based approach to data privacy: Instead of the original staff report’s five “commonly accepted” information collection/use practices that require only simplified consumer consent, the Report “focuses on the context of the consumer’s interaction with the business. Under this approach, companies do not need to provide choice before collecting and using consumers’ data for practices that are consistent with the context of the transaction, consistent with the company’s relationship with the consumer, or as required or specifically authorized by law.”

The Report also outlines what the FTC aims to work on this year in furtherance of the Report’s goals, including:

  • working with various groups to “complete implementation of an easy-to-use, persistent, and effective Do Not Track system”;
  • hosting a mobile privacy workshop on May 30 that “will address, among other issues, mobile privacy disclosures and how these disclosures can be short, effective, and accessible to consumers on small screens”;
  • calling “on data brokers that compile data for marketing purposes to explore creating a centralized website where data brokers could (1) identify themselves to consumers and describe how they collect and use consumer data and (2) detail the access rights and other choices they provide with respect to the consumer data they maintain”;
  • hosting a public workshop on how “large platforms, such as Internet Service Providers, operating systems, browsers, and social media, seek to comprehensively track consumers’ online activities, it raises heightened privacy concerns”; and
  • participating in the White House’s “multistakeholder processes” to develop industry codes of conduct.

MRA will be digging into the details of the FTC Report and sharing nuggets of analysis in the coming days, but it is interesting first to examine the dissenting report filed as an appendix by FTC Commissioner J. Thomas Rosch.

Commissioner Rosch identified multiple problems with the Report that echo and reinforce some of MRA’s key concerns:

  • Prohibiting “take-it-or-leave-it choice” (in circumstances where the consumer has few alternatives), as a practical matter, “may chill information collection, and thus impact innovation, regardless whether one’s privacy policy is deceptive or not.”
  • Section 5 of the FTC Act empowers the agency to regulate “deceptive” and “unfair” practices. The Report focuses on the “unfair” side, but Commissioner Rosch thinks (and MRA agrees) that “unfairness” is too vague and open to interpretation: “What is “unfair” is in the eye of the beholder.” “Deceptive” privacy practices should be the FTC’s main concern. Commissioner Rosch even cites survey data to make the case that, despite activist groups opposing online behavioral tracking, “individual consumers by and large do not “opt out” from tracking when given the chance to do so.”
  • Absent a “limiting principle”, privacy “may be used as a weapon by firms that have monopoly or near-monopoly power to disadvantage rivals” in the context of the FTC’s anti-competition powers. Commissioner Rosch indicates that the Report’s recommendations on information collection practices are unlimited in scope, and could “install “Big Brother” as the watchdog over these practices not only in the online world but in the offline world.”
  • Commissioner Rosch identifies the ill-defined and unclearly-executed notion of “do not track” as a key stumbling block in the Report, since the FTC, the Commissioners, activist groups, the ad and marketing industry, the Internet browser companies, and the general public all have varying ideas of what it means, what information it should cover, how it should work, and how it actually does work.
  • Commissioner Rosch is further “concerned that “opt-in” will necessarily be selected as the de facto method of consumer choice for a wide swath of entities that have a first-party relationship with consumers but who can potentially track consumers’ activities across unrelated websites, under circumstances where it is unlikely, because of the “context” (which is undefined) for such tracking to be “consistent” (which is undefined) with that first-party relationship: 1) companies with multiple lines of business that allow data collection in different contexts (such as Google); 2) “social networks,” (such as Facebook and Twitter), which could potentially use “cookies,” “plug-ins,” applications, or other mechanisms to track a consumer’s activities across the Internet; and 3) “retargeters,” (such as Amazon or Pacers), which include a retailer who delivers an ad on a third-party website based on the consumer’s previous activity on the retailer’s website.”
  • Finally, Commissioner Rosch highlights one of MRA’s original complaints: that what the FTC, the Congressional sponsors of comprehensive privacy legislation, and the White House all refer to as “self-regulation” is nothing of the sort. “[E]ither these practices are to be adopted voluntarily by the firms involved or else there is a federal requirement that they be adopted, in which case there can be no pretense that they are “voluntary.” It makes no difference whether the federal requirement is in the form of enforceable codes of conduct or in the form of an act of Congress. Indeed, it is arguable that neither is needed if these firms feel obliged to comply with the “best practices” or face the wrath of “the Commission” or its staff.”

MRA will be part of the policy process with the FTC, as well as any “multistakeholder process” ultimately tried by the White House, because putting our heads in the sand like an ostrich will not immunize the survey and opinion research profession from harm. However, our original concerns about “self-regulation” as dictated by government agencies remain the same. Commissioner Rosch makes that case well. So does Adam Thierer of the Technology Policy Institute in a recent blog post, explaining that the FTC and the President seem to favor what Thierer terms a European-style “co-regulation” model: “The Administration seems to favor a “government steers, industry rows” model for privacy policy that assigns a broad oversight role to federal regulators allowing them to “nudge” the tech industry in certain directions with the stern but amorphous “do this or else” sword of Damocles hanging over industry “self-regulatory” decisions on this front.”

Look for more posts and articles from MRA in the coming days digging into the granular points in the FTC Report that are of particular interest to the research profession, such as what the FTC intends for data brokers, what could actually constitute de-identified data, what the FTC envisions to be “sensitive” data, and how the Report’s consumer information collection contexts apply to the research process. We will also be attending a hearing on the Report by the House Subcommittee on Commerce and Manufacturing on March 28.