Interactive marketing is everywhere, and the Federal Trade Commission has struggled mightily over the past several years to deal with complex privacy issues that grow out of sophisticated, data-intensive marketing practices. On March 26, the FTC released its long-promised final report on consumer privacy. Critically, we now have a sense of the FTC staff position on future legislation, best practices and the secondary market in customer data.

The FTC was clear that it wants additional legislation to address general privacy concerns, data security and breach notifications. This is a change from the staff’s prior position that self-regulation would be sufficient, and lends weight to current efforts before congress to do exactly that (although the fact that we are currently in a highly partisan election year does diminish the likelihood of immediate action).

The rest of the report flowed logically from the principles previously seen in the FTC’s enforcement actions against Facebook and Google. As the FTC noted, “practices that unexpectedly reveal previously private information even absent physical or financial harm, or unwarranted intrusion” may still be deemed harmful by regulators. In other words, the FTC is not working from a “no obvious harm/no foul” standard, but is instead thinking more deeply about the implications of a breach.

The other themes of the new report were, in many respects, exactly what everyone would have expected:
Privacy by Design – companies should build in consumers’ privacy protections at every stage in developing their products. These include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy;
Simplified Choice for Businesses and Consumers – companies should give consumers the option to decide what information is shared about them, and with whom. This should include a Do-Not-Track mechanism that would provide a simple, easy way for consumers to control the tracking of their online activities.
Greater Transparency – companies should disclose details about their collection and use of consumers’ information, and provide consumers access to the data collected about them.
Again, this echoes what we have heard from the FTC for many years, but with greater specificity about the Commission’s expectations. To that end, the staff indicated that its primary focus over the next year will be on five action items: (1) Creating an “easy to use, persistent and effective” Do Not Track system, (2) increasing the use of privacy disclosures in the mobile context (a workshop will be held on May 30, 2012 to address industry concerns); (3) increasing the use of disclosures and other privacy protections among data brokers, a risk that most consumers remain blissfully unaware of at this point; (4) drilling down more deeply into the way that large platform providers (such as ISPs and, presumably, the largest social media platforms) comprehensively track the online activities of users across a variety of different behaviors; and (5) promoting self-regulatory codes of conduct, which could eventually transform themselves into de facto safe harbors from FTC action.

In short, there are many issues still very much in play (and a variety of hearings and workshops yet to come in 2012). That said, with each iteration of its privacy guidelines the FTC’s position on these issues becomes ever more clear. The FTC wants disclosure, it wants mechanisms to permit regulators to understand industry practices, it wants consumer choice and it wants the industry to adopt privacy adequate privacy practices for new technologies as they become increasingly dominant. In a world where mobile, geolocation and consumer promotion will intersect ever more aggressively, the FTC’s approach will undoubtedly become increasingly influential among other regulators (including the FDA and state attorneys general). While this report is “final” it should not be understood as the end of the road — it simply marks the end of the beginning. As deeper and more complex portfolios are built by third parties about our online behavior, the FTC’s gaze will only become more intense.

---