by Kevin Mills
The Bill of Rights has defined our basic rights as Americans for over 220 years. However, the Bill of Rights doesn’t afford us the right of privacy. In 1965, the Supreme Court held that the right of privacy was to be found in the “penumbras” and “emanations” of other constitutional protections. At the time, not everyone agreed such a right existed. That fight continues to the present.
In today’s supercharged, computer-powered, information age, privacy, and the right to it, takes on an even more important and pervasive meaning. In December 2010, the Federal Trade Commission (“FTC”) issued a preliminary report on privacy issues. On March 26, 2012, the FTC issued a final, updated version of this report, entitled “Protecting Consumer Privacy in an Era of Rapid Change.”
The FTC’s report makes two basic recommendations: (1) The establishment of a privacy framework that sets forth best practices for companies that collect or use consumer data (discussed herein) and (2) that Congress enact baseline privacy legislation that is flexible and technologically neutral. This second recommendation reflects the FTC’s view that self-regulation has not proven effective enough to protect consumer privacy. The report also sets out the FTC’s privacy priorities for the coming year (with regard to ongoing efforts, see the Obama Administration’s report issued on February 13, 2012 entitled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” which calls for a “Consumer Privacy Bill of Rights” among other things).
The FTC’s report recommends that companies incorporate the concept of “privacy by design” into their practices. A company adopting the “privacy by design” approach will promote consumer privacy throughout its organization and at every stage of the development and life of its products and services. To accomplish this, companies should incorporate the following protections into their standard, every day practices:
(a) LIMITATIONS ON COLLECTION. Reasonable limits are those that are consistent with the context of the particular transaction or the consumer’s relationship with the company, or as required by law or regulation.
(b) DISPOSAL AND RETENTION. Companies should implement reasonable restrictions on the retention of consumer data and should dispose of it once the data has outlived the legitimate purpose for which it was collected. The reasonableness of the practice depends on the type of relationship, nature and use of the data. The FTC invites trade associations and self-regulatory groups to contribute guidance to companies regarding data retention and destruction.
(c) ACCURACY. Companies should maintain the accuracy of the data they collect and hold. The FTC posits that a flexible approach that is scaled to the intended use and to the sensitivity of the data is the best method to achieving accuracy.
(d) SECURITY. Security is a critical factor and companies need to take their obligations seriously. FTC enforcement is only one consequence of failing to reasonably protect consumer data. In addition to the requirement to protect consumer data, there is the requirement of notification to the consumer in the event of a breach. The cost of such a breach can be significant. For example, the 2011 Sony PlayStation breach could well have a cost of $150 million and might have put the kibosh on Sony’s plan to network across entertainment devises and content.
(e) SIMPLIFICATION. The Report calls on companies to simplify consumer choice regarding privacy issues and to implement measures so that making the choice is meaningful. Where choice is required or desirable, it should be requested at a time and in a context in which the consumer is making a decision about the data. And in particular, special attention needs to be paid where data use and disclosure are inconsistent with the context of the transaction or the company’s relationship with the consumer. Furthermore, where sensitive information is being collected (e.g., information regarding children, health, or finances), clear and conspicuous notice and an opportunity to opt-out should be given.
(f) TRANSPARENCY. Companies need to increase the transparency of their data practices. Privacy notices should be clear, short and more standardized. Companies should provide reasonable access to data they retain and an opportunity in appropriate cases to permit the suppression of categories the consumer would like to restrict the use of in targeting. Furthermore, companies should increase the transparency of their data enhancement practices. For example, this could include an explanation to consumers of how data enhancement works and how the consumer can contact data enhancement sources directly.
(g) EDUCATION. The FTC encourages companies to engage in consumer education efforts to elevate overall consumer sophistication.
Ultimately, the FTC’s report is an invitation for industry and government to work together to address the challenge of data collection, use, and management in the modern, technologically-changing world. But it is far from the final word.
Kevin Mills is an owner of the law firm of Kaye & Mills where his practice focuses on advising clients with transactions across a full range of issues in entertainment, media, technology, Internet and general business. His practice encompasses copyright; trademark; trade dress; trade secret; brand protection; content creation, protection and distribution; and general corporate, organizational and business matters.