The two events that drew the most attention in 2010, both of which occurred at year-end, were reports from the FTC and the Department of Commerce. Below is a brief summary of those two reports and other issues drawing attention in the past year:
(1) FTC Issues Long-Awaited Consumer Privacy Policy Report
On December 1, the FTC published its preliminary report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policy Makers.
The FTC’s press release provides a summary of the preliminary report. The best practices framework recommended in the preliminary report for businesses that collect or use consumer data includes:
- simplifying choices for consumers, providing consumers with greater transparency, and following the Fair Information Practice Principles;
- creating a “Do Not Track” mechanism to give consumers a choice to avoid online tracking;
- extending protection to information collected offline;
- dispensing with the distinction between PII and non-PII because technology allows data fragments to be pieced together; and
- adopting a “Privacy by Design” concept for businesses.
The preliminary report did not change the FTC’s continued focus on self-regulation. Finally, the preliminary report contained an appendix with 64 questions on which it invited comment by January 31, 2011. A final report will be issued later in 2011 based on the comments.
(2) Department of Commerce Calls for a “Privacy Bill of Rights”
On the heels of the FTC’s preliminary report, the Department of Commerce Internet Policy Task Force released a green paper titled Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework. The press release contains a summary.
The Baker Hostetler Data Privacy Monitor covered this green paper here. The four broad policy recommendations of the task force are:
- Enhance consumer trust online through recognition of revitalized Fair Information Practice Principles.
- Encourage the development of voluntary, enforceable privacy codes of conduct in specific industries through collaborative efforts of multi-stakeholder groups, the FTC, and a Privacy Policy Office within the Department of Commerce.
- Encourage global interoperability.
- Ensure nationally consistent security breach notification rules.
(3) Behavioral Advertising Opt-Out Icon
As reported by the Baker Hostetler Data Privacy Monitor, a behavioral advertising industry group proposed a Self-Regulatory Program for Online Behavioral Advertising, which features an “Advertising Option Icon” that can be placed near online ads that collect data used to conduct behavioral advertising. Users who click on the icon will receive a disclosure statement about the data collection and use practices associated with the ad, along with the ability to opt out of being tracked.
(4) Social Media
- Facebook faced several privacy issues, including an FTC complaint regarding its privacy policy, the online publication of details of 100 million Facebook users, and questions from U.S. Senators.
- Google apologized for collecting about 600 gigabytes of data snippets captured from e-mails and browsing history from Wi-Fi networks in more than 30 countries.
- In the first FTC action against a social network service, Twitter settled charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information.
(5) HHS/HIPAA/HITECH
- White House Forms New Subcommittee to Review Online Privacy Issues
- HHS Withdraws Draft Of Final HIPAA Breach Notification Rule
(6) Massachusetts Data Security Regulations
Massachusetts’ aggressive new data security regulations (201 CMR 17.00 et seq.), which became effective on March 1, 2010, contain broad and imposing mandates that go further than any other state law or regulation. Even companies that have no facilities or personnel in Massachusetts must comply with the strict mandates if they maintain personal information of any Massachusetts resident in connection with providing goods or services.
All businesses covered by the regulations must institute a written information security program. That program must, among other things:
- Designate an employee to maintain the security program;
- Identify and evaluate internal and external security risks;
- Impose disciplinary measures for violations of the program rules;
- Oversee third-party service providers;
- Require regular monitoring and updating of the program; and
- Document responsive actions taken in connection with any breach of security.
For many businesses, the most difficult compliance issues arise from the encryption mandates of 201 CMR 17.04, which require the encryption of: (1) laptops containing personal information that leave the business’s premises; (2) personal information transmitted across the Internet or wirelessly; and (3) backup tapes, on a prospective basis.