13 Takeaways from the Federal Trade Commission’s final privacy report

Posted on March 27, 2012 by Jim Brock

After two years of study, the Federal Trade Commission has issued their final report, Protecting Consumer Privacy in an Era of Rapid Change.

Here are the takeaways that I found most significant (particularly #13!):

  1. Companies can establish a “safe harbor” by taking reasonable measures to de-identify data, publicly commit to keep it that way, and contractually prohibit recipients from re-identifying it. (20-21) “De-identifies” means ensuring that data cannot be reasonably linked to a particular user, computer or device.
  2. The Google and Facebook consent decrees provide the roadmap for an internal privacy compliance program. (31)
  3. Choice is not required for “internal operations” such as website analytics, when consistent with the context of the user’s interactions with the service. (39) “Context” matters, not whether practices are “commonly accepted.”
  4. Do Not Track should apply when a website shares data with a third party, but need not apply to “security and frequency capping.” (71)
  5. Retargeting is “tracking” that requires notice and choice like other online behavioral advertising. (41)
  6. Affiliated companies are “tracking” when they share data across sites unless the affiliate relationship is explicit. (41-42) Choice is required unless common branding is used.
  7. Data enhancement through appending does not require prior consent, but does require disclosure, limitations on collection and retention and a facility to contact the source of enhanced data. (42-43) These requirements apply, for example, when a website buys profile data to match with its email database.
  8. Use of medical and other sensitive data for marketing requires consent, even for first-parties, unless it is incidental. (47-48) Amazon recommending a health-related book based on past purchases is “incidental.”
  9. Facebook’s and Google’s social plug-ins aren’t pervasive enough to warrant special consent requirements. (56) They don’t raise the same concerns as “deep packet” inspection by ISPs.
  10. Consumers need not be provided with access to their data when kept solely for marketing purposes, but should have access when kept for purposes of employment, credit, insurance or other sensitive areas. (65)
  11. Data brokers raise special privacy concerns that justify legislation and a centralized disclosure framework. (69-70) Consumers could visit one site to see what data is being brokered and exercise their choices.
  12. Privacy policies should be shorter, more iconic and standardized, and also be suitable for mobile devices. (61) We’re on it.
  13. “New tools like privacyscore.com may help consumers more readily compare websites’ data practices.” (62) Wow, we’re grateful to the FTC for the mention and charged up to make privacyscore even better for users and publishers!
This entry was posted in Best Practices, Do Not Track, Legislation, mobile, Privacy Policies, privacyscore, Pros, Self-Regulation, Website Disclosure. Bookmark the permalink.

One Response to 13 Takeaways from the Federal Trade Commission’s final privacy report

  1. Des Cahill says:
    March 28, 2012 at 4:43 pm

    Jim – thanks for the great synopsis of the FTC report and congrats on the mention of privacyscore.com. Adoption of these best practices recommendations by interactive industry is going to have major impact on business models for brands, ad networks, tech vendors – look out re-targeters and affiliates. Great to have clarity than non-cross-site data collection (e.g., web analytics, recommendation engines) are safe harbor.
    Des

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>