Last week in Washington, DC, officials from the U.S. Federal Trade Commission, the Department of Commerce, major trade associations and key stakeholders from around the world gathered at a global privacy summit convened by the International Association of Privacy Professionals.  During the two-day conference, panels covered a broad range of topics from mobile device privacy to the outlook for federal legislation to global corporate compliance programs.  Several themes emerged, including:

  • Rapid technological change is prompting an evolution in traditional notions of privacy.  While the law – state, federal, EU – is evolving much more slowly, changes are underway and regulators and legislators need (and want) to hear from stakeholders;
  • No one wants to stifle technology and the new economy jobs it creates, but many current privacy disclosures and practices (or the lack thereof) risk making the “privacy bargain” (personal information in return for free content/services) so one-sided that prescriptive regulation becomes inevitable; 
  • Companies lacking a robust compliance program governing collection, protection and use of personal information (whether from customers, employees, vendors, or others) may face significant risk of a data breach or legal violation, resulting litigation, and a hit to their bottom lines.

The huge attendance at this year’s summit by a wide range of companies, technical professionals, and inside and outside counsel from all over the world reflects the growing importance of these issues.  Following are highlights from some of the conference panels I attended featuring the FTC:

Collection Versus Use

Regulation of data collection versus data usage was a central theme at a panel that had hoped to discuss the FTC’s final version of its 2010 framework for protecting consumer privacy (still no word on when the final report will be issued).  Disagreeing with a fellow panelist from George Washington University who said the FTC should simply focus on how collected consumer data is used, FTC Commissioner Julie Brill expressed serious concerns about the “unmitigated collection” of consumer data for all manner of purposes that then exists in perpetuity.  Referencing a recent New York Times article about the ability to predict whether someone is pregnant out of “relatively innocuous information,” Brill said she is most concerned about vast amounts of information being collected and then used to compile profiles of consumers.  Brill urged companies not to think about privacy just in terms of compliance but to think about it as “risk management” at the corporate executive level, pointing out that the more information a company collects the greater the potential liability if it is breached.  Brill also emphasized the collection versus usage theme in the context of “do-not-track” proposals being developed by industry, saying it is very important that do-not-track address both the collection and use of consumer information; to ignore the collection element would only yield a “do-not-target” mechanism, which is not what the FTC called for in its preliminary framework. 

Liability and Proactivity

Brill also said that failure to have a “privacy by design” program in place would not be automatic grounds for a violation of Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices.” Brill said that the FTC looks at companies’ practices and processes when evaluating a potential privacy-related enforcement action, insisting over her co-panelist that such actions are not subject to strict liability.  Nonetheless, Brill encouraged companies to be forward-thinking, saying that standards in the realm of privacy and data security have evolved and the reasonable steps a company is expected to take will become more comprehensive in the future.  Similarly, Brill encouraged privacy professionals to help their clients realize that privacy and data security issues are not going away; ignore a problem and you’ll end up sitting across from the FTC in an enforcement action.  Finally, Brill also warned that many data brokers do not even realize that they come under the Fair Credit Reporting Act.

COPPA and Mobile Privacy

The FTC is continuing to review its rules with respect to children’s growing use of mobile devices and online services.  Referring to the “long tail” in the app industry and the fact that so many apps lack privacy policies as found in FTC’s February report, Commissioner Brill said she wanted to get the message out that the Children’s Online Privacy Protection Act applies to mobile device applications.  Brill described COPPA, which requires parental consent for collection and use of children’s personal information, as an appropriate “speed bump” for particular types of users, while private sector panelists characterized COPPA as more of an obstacle to the possibilities created by new online and mobile platforms that requires fine tuning.  The issue of how to treat teens, currently not covered by COPPA, was also discussed.  Brill could not comment on specifics due to the review underway, but thinks that teens require some sort of special protection and said some commenters believe COPPA should be extended up to age 18.

In a separate panel, Christopher Olsen, assistant director of privacy and identity protection in the FTC’s Bureau of Consumer Protection, similarly warned that companies need to do a better job providing information about their mobile apps’ data collection, and that the same privacy and security principles apply in the mobile and non-mobile environments.  The FTC undertakes its own inspections of mobile apps, testing developers’ claims, in addition to considering consumer and NGO complaints and congressional concerns.  With all the different players involved in the mobile device space – from app developers to telecom carriers to ad networks to device manufacturers – contract provisions play a large role in how information is collected and used.  Olsen stressed that compliance with such provisions – making sure someone is actually monitoring – will be an important issue going forward.

Finally, the FTC will hold a mobile payments workshop on April 26 and a “Public Workshop to Explore Advertising Disclosures in Online and Mobile Media” on May 30.  The latter will inform FTC’s thinking on updating guidance to businesses about disclosures in online advertising.