FTC Releases Privacy Report Advocating Modified Regulatory Approach

Earlier this month, the Federal Trade Commission (FTC) released a preliminary staff report entitled “Protecting Consumer Privacy in an Era of Rapid Change.” The report advocates a regulatory framework that, if adopted, would modify the FTC’s previous approach toward the privacy issues over which it has jurisdiction. If the FTC were to adopt the new privacy framework, employers would need to focus new and greater attention on training their workforce about privacy and instilling attention to privacy into the business processes that their workforce is required to execute.

The FTC is empowered to take action against deceptive or unfair acts or practices. It also has authority to regulate privacy issues through enforcement of statutes regarding specific business sectors, including certain financial institutions, children’s online activities, e-mail marketing, and telemarketing. The Commission’s primary role in workplace privacy arises from the Fair Credit Reporting Act (FCRA), which protects consumers’ sensitive credit, insurance and employment information and, for example, requires an employer to obtain written authorizations from job applicants and employees before obtaining background information about them through third parties and to provide notice to applicants if they decline to hire because of that information.
 

To address privacy issues, the FTC has focused on two regulatory models:

  • The notice-and-choice model “encourages companies to develop privacy notices describing their information collection and use practices to consumers, so that consumers can make informed choices.” (Report at iii.)
  • The harm-based model “focuses on protecting consumers from specific harms – physical security, economic injury, and unwanted intrusions into their daily lives.” (Id.)

Rather than advocating abandonment of these approaches, the report notes the drawbacks of each one: the notice-and-choice model has led to lengthy privacy policies that are neither read nor understood by consumers; the harm-based model has failed to adequately protect privacy interests that cannot be easily measured in monetary terms, such as reputational harm and the fear of being subjected to unwanted tracking in cyberspace. (Id.) Further, technological advancements have challenged both models:

  • Companies can collect, store, manipulate and share consumer data at minimal cost.
  • Companies can collect and use consumers’ information in ways that often are invisible to consumers.
  • The distinctions between personally identifiable information and non-personally identifiable information have become blurred. Customers are very interested in strong privacy protections. At the same time, however, the free flow of information is critical to providing the goods and services.
     

The report proposes an alternative, three-part framework for future privacy regulation by the FTC:

  1. Privacy by Design, an approach in which companies would promote consumer privacy throughout their organizations and at every stage of the development of their products and services. They would build into their everyday practices privacy protections, such as reasonable security for consumer data, collection of only the data needed for a specific business purpose, retention of data only as long as necessary to fulfill that purpose, safe disposal of data no longer being used, and implementation of reasonable procedures to promote data accuracy. (Report at v.) This approach also would include the assignment of privacy officers, privacy training, and internal privacy reviews when new products and services are developed.
  2. Simplified Consumer Choices. Companies would not need to provide choices to consumers before collecting and using their data for commonly accepted practices such as purchase order fulfillment. But for practices that would result in a material change from a customer’s expected use of personal data, companies would offer the choice at a time and in a context in which the consumer makes a decision about providing and authorizing the use of his or her data.
  3. Greater Transparency in Data Practices. Companies would clarify, shorten and standardize privacy notices; provide reasonable access to the personal data they maintain about a person based on the sensitivity of the kind of data and the nature of its use; provide prominent disclosures; and obtain affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected.
     

Whether the FTC will adopt the framework outlined in the preliminary staff report after the public comment period ends on January 31, 2011, is unclear. But if the report is adopted, it likely will be over objection. Two of the five Commissioners issued concurring written statements to the report in which they questioned whether a new or modified model is necessary or desirable.

If the report is adopted, employers would need to consider the following implications:

  • Increased Need for Privacy Training for All Employees. “Privacy by design” entails efforts at every level of a business to protect the private information of consumers during the entire data life cycle, from collection to use to transfer to storage to destruction. The population of employees who should receive privacy training likely will expand materially.
  • Institution of Privacy Reviews During Product and Service Development. Another implication of “privacy by design” is the need to scrutinize privacy issues during the service- or product-development process. That would necessarily require a broader group of employees with expertise in the area of privacy than most organizations currently have.
  • Increased Need for Employee Sensitivity to Private Customer Information at Key Points in Business Transactions. The FTC’s new framework would require a business to give customers “just in time” choices about whether and how to use sensitive data. Automated notices and prompts would help solve some of these issues in online transactions. But with respect to phone or face-to-face transactions, employees would have to be vigilant to both identify those key decision points in business transactions and then respond appropriately.

This entry was written by Christopher M. Leh.
