E-merging Commerce Alert
December 2010

FTC Proposes Broad New Privacy Framework, and Asks “How It Might Apply in the Real World”

Comments can be made until January 31, 2011

Authors:
Holly K. Towle, holly.towle@klgates.com, +1.206.370.8334
Henry L. Judy, henry.judy@klgates.com, +1.202.778.9032
Samuel Castic, samuel.castic@klgates.com, +1.206.370.6576
Jonathan D. Jaffe, jonathan.jaffe@klgates.com, +1.415.249.1023

The Big Picture

A number of developments have recently occurred, and are scheduled or likely to occur, that combine to have the potential to reshape privacy law and related information security law both in the United States and internationally. These include:

• The recent staff report of the Federal Trade Commission (“FTC”) that is the principal focus of this Alert.

• The November 4, 2010 Communication from the European Commission concerning “A comprehensive approach on personal data protection in the European Union”[1] (“Communication”). This Communication, which is briefly discussed further below, is intended to set the strategy for revision of the EU’s basic data protection Directive. Like the FTC staff report, it is subject to public comment and is a proposal for comprehensive future changes to data protection law.

• The establishment of the Consumer Financial Protection Bureau as an independent agency within the Board of Governors of the Federal Reserve System by Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act.[2] The Bureau has regulatory authority for consumer protection issues over a broad range of entities in the financial sector, an authority that is in addition to the authority of existing regulatory agencies. The Bureau is expected to employ its authority to adopt and enforce its own approaches to consumer privacy and information security issues.

• The development and widespread use of technologies with capacities well beyond the contemplation of current data protection laws. These technological developments include (1) technologies for data gathering and analysis and related business and governmental practices that enable the creation of “profiles” that have the same effects for all practical purposes as gathering obviously personal information; (2) the availability of technological countermeasures to these technologies;[3] and (3) the development by the Federal government of various standardized identification assurance technologies that themselves both gather and protect personal information and are intended for widespread deployment.

• A major internet privacy report[4] was issued by the U.S. Department of Commerce’s Internet Policy Task Force on December 16, 2010. The report is a “Green Paper” entitled “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.” The Green Paper, along with the FTC Proposal, will inform policy decisions by a recently created White House Privacy and Internet Policy Subcommittee.[5] Given the disparate policy inputs and technological developments described above, the Subcommittee is expected to address and seek to coordinate the direction of federal law on privacy regulation from the standpoint of the Executive Branch. The background and purpose of the White House’s Privacy and Internet Policy Subcommittee is explained in some detail in recent Congressional testimony by Daniel Weitzner, Associate Administrator for policy at the National Telecommunications and Information Administration.[6]

The FTC Proposal

On December 1, 2010, the FTC released a preliminary staff report entitled “Protecting Consumer Privacy in an Era of Rapid Change”[7] (“FTC Proposal”). It is the FTC’s contribution to the big-picture process described above. The FTC Proposal sets forth a broad new framework which, at first glance, appears to replace existing FTC approaches. However, a closer reading indicates that it may retain them in large measure and then complicate them significantly. Whether the policy positions suggested in the FTC Proposal are good or bad depends upon individual perspectives, but many are game-changers that will ratchet up compliance costs and the risk of potential litigation. The FTC Proposal poses important policy choices regarding who controls data and what information will freely flow in the United States. If implemented as suggested, the FTC Proposal:

• imposes obligations on “online or offline commercial entities” that collect or use consumer data;

• pertains not just to “personally identifying” consumer data, but to all “consumer” data that can be reasonably linked to a consumer or a computer or another device;

• replaces the distinction between personally identifying data and “de-identified” or “anonymized” data with the above “reasonably linked” concept;[8]

• assumes consumer ownership and control of data;

• requires consumer choices, which must be informed and meaningful, for data collection and use practices not viewed as “commonly accepted.” The examples given are not surprising (e.g., behavioral advertising, deep packet inspection and data sales to data brokers), but the list of “commonly accepted practices” is so narrow and the choice concept so broadly worded that the examples may not fully illustrate the scope of application of the choice requirement;

• does not require consumer choices to cover “commonly accepted practices,” which is a helpful and pragmatic approach, but undermines that advance by continuing to require in privacy policies statements of the obvious, i.e., the “commonly accepted practices”;[9]

• assumes privacy policies will not be read by consumers, thus requiring businesses to make additional frequent and abbreviated disclosures at electronic and non-electronic points of sale and data collection;[10]

• tasks businesses with creating standardized forms and terminology[11] across industries (regardless of the lack of a private sector structure for doing so) and continues the dilemma under current law by requiring both full transparency and clear conciseness; and

• creates a right of access to data maintained about individual customers.[12]

The FTC has asked for comments on its proposal, and it is well worth interrupting the holiday season to at least check what compliance issues it may present for your business.

What are the Nature and Purposes of the FTC Proposal?

For over a decade the FTC has, without material challenge, created a detailed data privacy and security regime through private enforcement orders. The FTC has acted primarily pursuant to its general power under Section 5 of the FTC Act to preclude unfair acts or deceptive practices. Companies may not have paid close attention to the last decade of FTC enforcement orders because they are private actions often settled by consent. However, a recent First Circuit case illustrates the strategic error of assuming this accumulating body of enforcement orders can be safely ignored. In In re TJX Companies Retail Sec. Breach Litigation, 564 F.3d 489 (1st Cir. 2009), the First Circuit reviewed a district court refusal to view FTC consent orders as a sufficient legal basis for determining whether a lack of security was an unfair act under Massachusetts’ “unfair acts” law. Disagreeing with the district court, the First Circuit observed that FTC complaints and consent decrees may be instructive in interpreting ambiguous state statutes that prohibit unfair acts and deceptive practices. Although the precedential authority of FTC enforcement orders remains an open question, the FTC Proposal emerging from the current notice and comment period stands to expand upon the substantial FTC “body” of documented positions that courts, lawmakers, or other actors such as state attorneys general could decide to consider.

The stated purposes of the FTC Proposal include codifying and building upon “longstanding FTC law” which the FTC will continue to use to “investigate privacy or data security practices” under existing statutory authority. In addition, it is intended to “inform” and guide lawmakers, to “encourage” industries to self-regulate per the FTC Proposal, and to serve as a guide for the FTC’s own future enforcement actions.

What is the Basic Proposal?

The FTC Proposal is modeled on certain European[13] and Canadian[14] approaches to privacy and data protection, and is composed of these basic building blocks:

Scope: The framework applies to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device.

Privacy by Design: Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.
• Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy.
• Companies should maintain comprehensive data management procedures throughout the life cycle of their products and services.[15]

Simplified Choice: Companies should simplify consumer choice.
• Companies do not need to provide choice before collecting and using consumers’ data for commonly accepted practices, such as product fulfillment.
• For practices requiring choice, companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data.

Greater Transparency: Companies should increase the transparency of their data practices.
• Privacy notices should be clearer, shorter, and more standardized, to enable better comprehension and comparison of privacy practices.
• Companies should provide consumers with reasonable access to data about themselves; the extent of access should depend on the sensitivity of the data and the nature of its use.
• Companies must provide prominent disclosures and obtain affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected.
• All stakeholders should expand their efforts to educate consumers about commercial data privacy practices.[16]

Although there are a number of differences between the FTC Proposal and the EU Commission’s Communication, it is the commonalities that are the most striking. The differences appear either to reflect particular aspects of the EU context (such as the absence of a general data breach notification requirement) or differences in emphasis. Otherwise, the two proposals deal with nearly all the same essential topics and do so in ways that tend in the same policy direction. Examples include standard form privacy information notices, prior consent and profiling, clearer and shorter retention requirements (including a “right to be forgotten”), stronger remedies for violations of privacy, and privacy impact assessments. An exception is cloud computing, on which the FTC report is very general, whereas the EU data protection authorities regard cloud computing as a challenge to their jurisdiction. On the specific subject of profiling, it is notable that on November 24, 2010, the Committee of Ministers of the Council of Europe added a powerful European voice in the direction of opt-in controls on profiling. It adopted a recommendation to all member states (including the U.S.) that profiling be permitted, subject to certain exceptions, only if “the data subject or her or his legal representative has given her or his free, specific and informed consent.”[17]

The significant integration of the U.S. and EU economies, the presence of multiple corporate offices in each other’s jurisdictions and the significant personal data flows between the two economies suggest that there may be an inevitable tendency toward increasing convergence in the U.S. and EU legal regimes for data protection. Although more global uniformity would provide obvious compliance benefits, U.S. companies operate in a significantly different legal climate and from different legal or operational perspectives, at least historically. For example, in the U.S., class actions including claims for consequential damages can be brought under rules where attorneys’ fees are not paid by the loser. The opposite tends to be true for the European Union. This and other differences between the U.S. and foreign countries in legal rights and enforcement regimes create a need for closer attention.

What are Potential Impacts and What Can You Do Now?

Much of the news coverage regarding the FTC Proposal has focused on an aspect of the proposal suggesting creation of a “Do-Not-Track” mechanism to implement a behavioral advertising “opt-out” and on the ubiquitous collection of data by data brokers. Although these aspects are important, their current prominence should not obscure that the FTC is primarily proposing a set of standards, duties and rules that will significantly change the privacy and data security practices of all online and offline companies.

The FTC will be finalizing its privacy framework in upcoming months, and the FTC implies that it will act to enforce its framework under the FTC’s existing enforcement powers.[18] As it determines what the final framework will contain, the FTC is accepting written comments until the end of January 2011. Comments can address the numerous questions that the FTC Proposal expressly presents, or any other aspect of the proposal. These questions or aspects include the following:

• Are there practical considerations that support excluding certain types of companies or businesses from the compliance requirements of the framework – for example, businesses that collect, maintain, or use a limited amount of non-sensitive consumer data?[19]

This question raises a number of issues:
(i) Do covered companies include nonprofit entities within the concept of “commercial entities”?
(ii) How will “consumer” be defined? Is a “consumer” an individual acting primarily for personal, family or household purposes, or simply a natural person? If the latter, should the FTC clarify that this proposal does not cover employee data, given that it is not written with such data in mind?
(iii) In addition to excluding companies using only a limited amount of certain data, is it appropriate also to exclude companies from at least some obligations (e.g., the need to present a privacy policy) if they merely engage in the “commonly accepted practices”?

• Is the FTC list of proposed “commonly accepted practices” appropriate?[20]

The FTC introduces a “commonly accepted practices” concept, i.e., no consumer choice is required for a data “act” when that act is simply a commonly accepted practice. This might be a positive breakthrough in data protection law since it has the potential to limit the compliance burden on an identified set of commercial data practices. The FTC notes that “[s]ome of these practices, such as where a retailer collects a consumer’s address solely to deliver a product the consumer ordered, are obvious from the context of the transaction, and therefore, the consumer’s consent to them can be inferred.” By recognizing that some things are obvious, the FTC clears the way for focusing on what is not obvious and ought to be said without being surrounded by unnecessary text.

Unfortunately, the breakthrough may be of limited effect because it is made only with respect to the concept of consumer “choice” and not what has to be in the privacy policy.[21] The FTC still expects a “transparent” privacy policy and extensive disclosures that will be required to be provided in a variety of contexts, such as online screens and offline points of sale. This poses a unique challenge for businesses, as the privacy policy will still need to contain complete lists and more nuances, i.e., will still need to be long in order to meet the “transparency” requirement. In addition, the boundaries of the concept are not entirely clear. “Commonly accepted practices” relates to a set of data collection and use activities. Does “use” include the company’s information security practices? Regardless, the concept of not stating the obvious is a good one if applied to privacy policies. The FTC’s Proposal would also benefit from comments that add to the list of “commonly accepted practices” to better define the types of regular practices that should not require consent.

• The FTC Proposal makes this statement: “The proposed ‘commonly accepted practices’ category is limited to a narrow set of data collection and use activities. With respect to all other commercial data collection and use, the framework would require companies to give consumers the ability to make informed and meaningful choices.”[22]

This statement seems to create a binary world in which the largest proportion of business practices will be conditioned on receipt of consumer “informed and meaningful” choice, under a proposal that asks whether the consumer’s ability to “take or leave” a product or service can be a meaningful choice. Note that whatever line is drawn will not actually define the edge if cautious companies try to avoid litigation or enforcement actions by avoiding the edge. Regardless, it will also be important to determine what appropriately should constitute “informed and meaningful” and whether, in real life, companies can meet any definition.

• “For practices requiring choice, companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data.”

This statement is part of the “Simplified Choice” principle and embodies an unfair acts or deceptive practices concept that information material to a decision should be supplied at the point of decision even if a contract or additional information is supplied later. Applying the concept in the data protection arena poses significant challenges. The majority of FTC orders created the dominant and current business practice of collecting in one place (the privacy policy) a company’s explanation of its data practices – it is in that policy that required transparency and nuances are addressed. The FTC introduced a version of the above rule in its private enforcement order against Sears in a situation involving egregious facts.[23] A question is whether and to what extent that order should be extended and whether there is a way to do so without creating unintended harm. As businesses struggle to pull concepts out of their privacy policies and present the short text at decision points, there will be an inevitable bias towards pulling more text to avoid claims that decision-point text is deceptively short. There may also be a bias toward increasing the number of pop-ups and similar techniques, which can serve more to frustrate and annoy than to disclose. Absent resolution of these Catch-22s, realistic implementation of the new rule may have the unfortunate result of doing more to hinder than promote FTC goals.

• Is it feasible for the framework to apply to data that can be “reasonably linked to a specific consumer, computer, or other device”?[24]

An emerging premise is that all data (personally identifying or not) can, given technology and computing power, be linked to a specific person. Hence, the FTC is asking whether there is a line that can be drawn, and the answer may come down to the meaning of “reasonably” and may include technology. For example, if company X uses robust technology and company Y uses less robust technology, will data be viewed as reasonably “linkable” for X but not Y, or will there be a “reasonable technology” assumption made? If so, what is that reasonable technology? Another issue is whether and what exceptions will be made for the fact that a tie to a consumer, computer or device clearly must be made for some legitimate purposes. For example, some identity theft prevention measures use such ties to meet simultaneous obligations to authenticate customers.

• The FTC Proposal makes this statement: “Regardless of the specific context, where the consumer elects not to have her information collected, used, or shared, that decision should be durable and not subject to repeated additional requests from the particular merchant.”[25]

The FTC Proposal will benefit from receiving comments that address the flip side of the above point, i.e., whether a consumer’s consent should also be durable and not subject to repeated additional requests by the merchant, absent withdrawal of the consent.

• How should the scope of sensitive information and sensitive users be defined and what is the most effective means of achieving affirmative consent in these contexts?[26]

A premise of the proposal is that “both sensitive information and sensitive users may require additional protection through enhanced consent.”[27] The FTC notes that it has supported “affirmative express consent” for online behavioral advertising and “continues to believe that certain types of sensitive information warrant special protection, such as information about children, financial and medical information, and precise geolocation data. Thus, before any of this data is collected, used, or shared, staff believes that companies should seek affirmative express consent.”[28]

If the receipt of “affirmative express consent” becomes mandatory, it will be important that it be clearly defined. At present, it is not clear whether commercial entities and the FTC share a common understanding of the term. For example, under the FTC’s rule requiring consent to receive mobile service commercial emails, a sender must obtain “express prior authorization.” Although not explicit in that phrase, it means a signed consent (including e-signatures) preceded by detailed disclosures which may be oral or written (including electronic methods) meeting formatting requirements, including presentation “separately from any other authorizations in the document or oral presentation.”[29] The FTC Proposal will benefit from comments addressing what forms of “affirmative express consent” are appropriate and practical.

This question also relates to the FTC Proposal’s suggestion that teenagers be deemed to be sensitive users, for whom businesses should also create enhanced consent procedures prior to collecting or using any personal information.[30] Inclusion of special data protection rules for teens may merit comment by businesses accustomed to believing that special rules only pertain to children under 13 (such as in COPPA).

This alert illustrates only a few of many significant issues raised by the FTC Proposal, both in itself and as part of a more general international process. If your business could be adversely affected by the FTC’s final privacy framework, now is the time to register your business’s concerns with the FTC. When finalized, the privacy framework that the FTC announces will unquestionably inform future legislative and FTC enforcement efforts. Please contact any of the K&L Gates attorneys listed as authors if you would like assistance in responding to the FTC Proposal or receiving analysis and advice on how it might affect your business.

Notes

[1] The Communication is available here.
[2] Pub. L. 111-203, H.R. 4173, signed into law on July 21, 2010.
[3] See Microsoft’s extended discussion of the planned inclusion of anti-tracking features in the forthcoming issuance of Internet Explorer 9 available here.
[4] See Green Paper available here.
[5] See announcement on the blog of the White House available here.
[6] See testimony available here.
[7] The report is available here.
[8] FTC Proposal at 35-38.
[9] See id. at 54, footnote 133.
[10] Id. at 58.
[11] Id. at 71.
[12] Id. at 74.
[13] See, e.g., id. at 17-18.
[14] See, e.g., id. at v, note 3.
[15] “Privacy by Design” is an approach that has been advocated by the Privacy Commissioner of Ontario, Canada. See lengthy description and further citations available here. Even though the FTC Proposal calls for Privacy by Design “concepts” to be implemented “systematically,” those concepts suffer from being cast in terms of high-sounding generalities that are not easily converted into detailed practical application.
[16] Id. at 40-41.
[17] The recommendation contains detailed text that implements its recommendation in the form of amendments to the basic EU Data Protection Directive. See recommendation available here.
[18] Id. at viii.
[19] Id. at 43.
[20] Id. at 56.
[21] Id. at 54, Note 133 (“Although the framework does not contemplate choice for these accepted practices, companies should still disclose these practices in their privacy policies in order to promote transparency and accountability. As discussed below, however, companies should conduct research and take other steps to ensure that such privacy policies clearly and effectively communicate information to consumers and are not overly complex and likely to confuse.”).
[22] Id. at 57.
[23] In re Sears Holdings Mgmt. Corp., No. C-4264 (Aug. 31, 2009), available here.
[24] Id. at 43.
[25] Id. at 59.
[26] Id. at 61.
[27] Id.
[28] Id.
[29] See 47 C.F.R. § 64.3100.
[30] FTC Proposal at 62.

K&L Gates includes lawyers practicing out of 36 offices located in North America, Europe, Asia and the Middle East, and represents numerous GLOBAL 500, FORTUNE 100, and FTSE 100 corporations, in addition to growth and middle market companies, entrepreneurs, capital market participants and public sector entities. For more information, visit www.klgates.com.

This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer.

©2010 K&L Gates LLP. All Rights Reserved.