After two years of study, the Federal Trade Commission has issued its final report, “Protecting Consumer Privacy in an Era of Rapid Change.”
Here are the takeaways that I found most significant (particularly #13!):
- Companies can establish a “safe harbor” by taking reasonable measures to de-identify data, publicly committing to keep it that way, and contractually prohibiting recipients from re-identifying it. (20-21) “De-identifies” means ensuring that data cannot be reasonably linked to a particular user, computer or device.
- The Google and Facebook consent decrees provide the roadmap for an internal privacy compliance program. (31)
- Choice is not required for “internal operations” such as website analytics, when consistent with the context of the user’s interactions with the service. (39) “Context” matters, not whether practices are “commonly accepted.”
- Do Not Track should apply when a website shares data with a third party, but need not apply to “security and frequency capping.” (71)
- Retargeting is “tracking” that requires notice and choice like other online behavioral advertising. (41)
- Affiliated companies are “tracking” when they share data across sites unless the affiliate relationship is explicit. (41-42) Choice is required unless common branding is used.
- Data enhancement through appending does not require prior consent, but does require disclosure, limitations on collection and retention, and a facility to contact the source of enhanced data. (42-43) These requirements apply, for example, when a website buys profile data to match with its email database.
- Use of medical and other sensitive data for marketing requires consent, even for first-parties, unless it is incidental. (47-48) Amazon recommending a health-related book based on past purchases is “incidental.”
- Facebook’s and Google’s social plug-ins aren’t pervasive enough to warrant special consent requirements. (56) They don’t raise the same concerns as “deep packet” inspection by ISPs.
- Consumers need not be provided with access to their data when kept solely for marketing purposes, but should have access when kept for purposes of employment, credit, insurance or other sensitive areas. (65)
- Data brokers raise special privacy concerns that justify legislation and a centralized disclosure framework. (69-70) Consumers could visit one site to see what data is being brokered and exercise their choices.
- Privacy policies should be shorter, more iconic and standardized, and also be suitable for mobile devices. (61) We’re on it.
- “New tools like privacyscore.com may help consumers more readily compare websites’ data practices.” (62) Wow, we’re grateful to the FTC for the mention and charged up to make privacyscore even better for users and publishers!