Jun 14, 2012 (6 years and 1 month ago)


This Sidley update has been prepared by Sidley Austin LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not
constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South
Dearborn, Chicago, IL 60603, 312.853.7000. Prior results do not guarantee a similar outcome.

DECEMBER 16, 2010


FTC Report Heralds Intensified Privacy Regulation
On December 1, 2010, the Federal Trade Commission (“FTC”) released “Protecting Consumer Privacy in an Era of
Rapid Change: A Proposed Framework for Businesses and Policymakers” (“the Report”),
a preliminary staff report
proposing a new conceptual framework for privacy protection. The FTC views were also elaborated by David Vladeck,
Director of the FTC Bureau of Consumer Protection (“BCP”), in testimony before a House Subcommittee on
Commerce, Trade and Consumer Protection hearing
on the feasibility of providing consumers with a universal
mechanism for opting out of online tracking of their Internet use by data-gathering and marketing firms. We believe
that many companies and trade associations may wish to consider submitting comments to the FTC in response to the
Report. The FTC’s list of specific questions on which the agency requests comment is attached. We also believe that
companies substantially engaged in the collection or use of customer information may benefit from evaluating their
current practices in light of the new paradigm elaborated by the FTC.
The FTC Report follows a series of FTC public roundtables on the topic and provides greater detail on the new FTC
vision for consumer privacy by outlining privacy options that would be more clear and effective for consumers. The
dominant message of the Report is that the FTC seeks to reduce privacy burdens on consumers while encouraging
thoughtful and transparent commercial privacy protocols. Specifically, the Report proposes that any commercial entity
that collects or uses data that can be reasonably linked to a specific consumer, computer or device adopt three
principles: “privacy by design,” “simplified choice,” and “greater transparency.”
Ultimately, the FTC aims to establish a set of “common assumptions and bedrock protections on which both
consumers and businesses can rely as they engage in commerce.” This policy framework would apply to an expansive
area including “all commercial entities that collect consumer data in both offline and online contexts, regardless of
whether such entities interact directly with consumers.” Moreover, the framework would apply to any data that can be
“reasonably linked to a specific consumer, computer, or other device.”
Significantly, the FTC is not recommending that Congress enact any new privacy legislation at this time, and is not now
seeking any new rulemaking or enforcement authority. The FTC, however, could well proceed to enforce its new
vision of privacy by enforcement actions premised on its expansive interpretation of its statutory authority to address
unfair or deceptive trade practices.

FTC, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (Dec. 1, 2010)
(hereinafter “Report”), available at

House Subcomm. on Commerce, Trade and Consumer Protection, Hearing on Do Not Track Legislation: Is Now the Right Time? (Dec.
2, 2010), prepared remarks available at

Page 2

The FTC seeks comments on the Report by January 31, 2011, and provides a series of specific questions for comment
in an appendix to the Report. Following the close of the comment period, the FTC plans further investigation into
industry adoption of the framework, and if industry-led efforts are not satisfactory, may ultimately consider
recommending Congressional action.

Executive Summary

The Report provides guidance on the direction the FTC may take with respect to consumer privacy, reflecting a
significant evolution of the Commission’s approach to privacy matters. In the Report, the FTC recommends:
• Incorporation of so-called “privacy-by-design” internal safeguards by commercial entities handling consumer data;
• Providing consumers with time- and context-appropriate “just in time” notice and choice for privacy decisions;
• Standardization of “commonly accepted practices” that do not require “just in time” consumer notice and choice;
• The creation of a national “Do Not Track” system to expand consumer choice with respect to targeted behavioral
• Simplification and clarification of industry privacy policies;
• Greater transparency by businesses, including providing consumers access to their personal data; and
• Requiring prominent notification and affirmative, express consent from consumers before a business entity uses
consumer data in a materially different manner than claimed at the time the data was collected.
An Expansion, But Not Rejection, of Prior Privacy Frameworks
As the Report observes, the FTC approach to online privacy rule-making and enforcement has evolved over time,
from a general focus on fair information practice principles, emphasizing notice and choice for consumers, to the
current harm-based model, which targets business practices likely to cause physical or economic harm, or unwarranted
intrusions to consumer privacy. The FTC currently uses both analytical frameworks to regulate consumer privacy
The Report, however, faults both of these approaches: the notice and choice model for being overly burdensome while
offering little meaningful choice, and the harm-based approach for failing to encompass the full range of harms
perceptible to consumers. Likewise, the Report concludes that both approaches have failed to keep pace with
emerging technology trends. While the Report does not explicitly reject either approach—the FTC explains that it
plans to retain elements of both in the new framework—it appears that the proposed new model will supplant both as
the FTC analytical framework for privacy matters. The Report does not, however, explain precisely how the proposed
framework would result in different enforcement approaches, but notes that commercial entities that fail to follow the
guidelines of the new model may be subject to liability under Section 5 of the FTC Act (which proscribes “unfair or
deceptive” business practices) and other pre-existing laws and regulations. Specifically, the FTC notes that it will
“continue to bring enforcement actions against companies engaging in deceptive or unfair practices under the FTC Act
– for example, those that make deceptive statements in their privacy policies or unfairly cause injury or reasonable
likelihood of injury. In this sense, both the notice-and-choice and harm-based models will continue to inform [FTC]
enforcement efforts.”
The Report is, in part, the FTC response to recent changes in technology and in consumer expectations of privacy.
The FTC notes that trends in consumer data collection and use may result in a continually-expanding ability of
businesses to identify and target potential consumers, and that even supposedly “de-identified” data may be “re-
identified” and used by marketers to target individual consumers. Notably, the Report suggests that intangible privacy
interests such as “reputational harm,” “the fear of being monitored,” or the fear of “simply having information ‘out
Page 3

there’” may constitute forms of harm that are inadequately addressed under current regulations. In fact, the Report
suggests that “[c]onsumers may feel harmed when their personal information . . . is collected, used, or shared without
their knowledge or consent or in a manner that is contrary to their expectations.” It is unclear whether the Report’s
discussion of intangible privacy harms reflects a shift in FTC enforcement priorities or a desire by the FTC to develop
additional avenues of liability for privacy violations, or whether this discussion merely illustrates the reasoning
underlying aspects of the proposed framework.
“Privacy by Design”
The Report emphasizes efforts by commercial entities to integrate privacy protections into regular business operations
at every stage. Specifically, the FTC seeks to reduce the overall amount of data aggregated by firms and the storage
time for that data, while maintaining or strengthening existing data security and accuracy programs. Examples from the
Report of ways in which firms may incorporate so-called “privacy by design” include: providing reasonable data
safeguards and security, adopting need-based limits on data collection, retaining data only for as long as necessary for
the purpose for which the data was collected (while properly disposing of it at the end of its use), and implementing
protocols for maintaining data accuracy similar to those required under the Fair Credit Reporting Act.
The Report stresses that companies should adopt appropriate internal mechanisms to advance these privacy
protections, including assigning personnel to monitor privacy issues, providing privacy training to employees, and
conducting periodic privacy-impact reviews of products and services. The Report suggests development of
comprehensive business privacy programs designating privacy training personnel and providing mechanisms for
internal accountability. These recommended programs would also, when appropriate, direct the companies to engage
in privacy risk assessments, to conduct periodic internal policy reviews, and to develop risk-mitigation strategies. The
Report stresses that the extent of a particular entity’s privacy program should depend on the degree to which that entity
interfaces with consumer information.
Simplified Choice: “Commonly Accepted Practices”
The FTC advocates that businesses be able to engage in certain “commonly accepted practices” without needing to
obtain consumer consent, while still providing clear and prominently disclosed privacy policies and choices for other
business practices. The Report identifies the following commonly accepted practices: product and service fulfillment,
internal operations, fraud or loss prevention, legal compliance, and first-party marketing with pre-existing customers.
The FTC suggests that this list should be narrowly construed. For instance, data sharing between an ISP and a third
party that relies on deep packet inspection to create marketing profiles of individual consumers is specifically cited as a
practice that would fall outside the scope of commonly accepted practices even if it seems tied to commonly accepted
practices. The Report does, however, contrast such uses with ISP use of deep packet inspection for purposes of
network management and security.
Simplified Choice: Other Practices and “Do Not Track”
Under the proposed framework, all commercial data collection or use that does not constitute a “commonly accepted
practice” would require informed and meaningful consumer choice. A company acquiring or using consumer data in a
manner that is not a commonly accepted practice should provide consumers with “just in time” notice and choice,
describing the consumer’s choices clearly and concisely, with easily-understood choice mechanisms, at the time and in
the context in which the consumer makes a decision regarding their data. For instance, the choice may be provided at
the point of sale for an offline retailer, on the information entry page for an online retailer, or at the point in time when
a consumer chooses to use a social media or mobile device application. The FTC cautions that “choices buried within
long privacy policies and pre-checked boxes” do not qualify as meaningful and informed consent. Accordingly, choice
based on written agreement before the collection and use of the data may not be adequate under this approach.
Page 4

Moreover, consumer elections to opt-out of data use or collection would be given lasting effect under the framework,
and companies would not be permitted to make additional requests for the use or collection of the data. The Report
does not specify whether an opt-in or opt-out mechanism is preferable, but hints that the FTC may ultimately suggest
an opt-in standard.
The most publicized aspect of the Report is its endorsement of a universal “Do Not Track” mechanism allowing
consumers to opt out of online tracking. “Do Not Track” would, as outlined in the Report, provide a uniform method
for consumers to exercise choice with respect to online behavioral marketing not merely by opting out of ad networks,
but by prohibiting collection of data. The FTC describes Do Not Track as a replacement for the incomplete and
under-utilized private sector alternatives already in existence and would consist of a persistent electronic cookie on a
consumer’s browser that alerts websites and service providers to that consumer’s choices regarding tracking and
targeted advertising. The Do Not Track program, unlike the Do Not Call program, would not involve a centralized
registry of participating consumers, and may be developed in a way that provides consumers with granular choices
regarding particular uses of their data. The Report leaves open the option of developing this system through private
sector self-regulation, and the FTC notes that it would need new legislative authority if it aimed to implement the
system itself and stops short of proposing to develop or implement such a system in the Report.
Indeed, implementing the Do Not Track system would require the FTC to address potential pitfalls of eliminating
certain benefits of targeted advertising, altering the economics of Internet advertising, the development of an interface
understandable to consumers, and the formulation of a workable mechanism that would provide value to all
stakeholders. In the press conference announcing the publication of the Report, FTC Chairman Jon Liebowitz noted
that many consumers—himself included—find value in personalized advertising on the web and may refrain from
participating in the Do Not Track system. The Report emphasizes this sentiment in noting that the Do Not Track
system should not substantially interfere with consumer choice or, indeed, with the primary mechanism for funding
many otherwise “free” online content and services. The FTC notes in the Report that it is “cognizant of the need to
protect consumer privacy interests effectively, while also encouraging the development of innovative new products and
services that consumers want.” The Report explicitly acknowledges the highly significant benefits of online collection
of data and advertising, noting that new technologies and business models aimed at “capturing consumer data at a
specific and individual level and over time, including online behavioral advertising, social media services, and location-
based mobile services . . . can provide enormous benefits to consumers, including instant, around-the-clock access to
products and services, more choices, lower prices, personalized content, and the ability to communicate and interact
with family, friends, and colleagues located around the globe.”
The Report also lists certain transparency mechanisms aimed at allowing consumers to compare company privacy
policies and encourage competition between businesses that would result in advances in industry-level privacy
protection. Included in these mechanisms is an effort to encourage businesses to shorten, clarify, or standardize their
privacy policies and notices to increase transparency for consumers, allowing them to better understand the policies.
The Report encourages businesses to compete on the basis of the privacy policies and options they offer to consumers.
The Report describes privacy notices delivered over mobile devices and pre-Model Privacy Form disclosure forms
from financial institutions as lengthy and unintelligible to the average consumer, and encourages industry-level efforts
to standardize methods of privacy disclosure.
Similarly, the Report calls for companies to provide consumers with reasonable and appropriate access to their own
data. The FTC discusses the cost trade-offs associated with granting greater consumer access—including costs
associated with identity authentication and risks associated with greater information retention—and supports a sliding
scale approach that would provide access in proportion to the sensitivity of the data and the nature of its use.
Page 5

Businesses would also be required to provide prominent disclosures and obtain affirmative express consent prior to
using consumer data in a materially different manner than claimed when the data was collected. This proposal reflects
existing FTC cases and policy, but the Report seeks comments on what changes may be construed as material, and
what degree of transparency is appropriate for particular changes in data use. Finally, the Report calls for all
stakeholders to engage in efforts to educate consumers about commercial privacy practices as a component of
improving transparency between commercial entities and consumers.
It is worth noting that Commissioners William Kovacic and Thomas Rosch issued concurring statements supporting
release of the Report for purposes of discussion on the one hand, yet raising a number of questions and concerns
about the embedded analysis and recommendations on the other. Though Commissioner Kovacic approved issuance
of the preliminary staff report seeking comments, he formally dissented from the Commission’s approval of the
congressional testimony delivered by Consumer Protection Bureau Chief David Vladeck. Accordingly, it remains to be
seen whether this Report presages a substantial change in enforcement, but the Report certainly signifies FTC interest
in promoting a new privacy paradigm.
The following questions come from Appendix A of the FTC Report and are copied here by Sidley Austin LLP for informational purposes.
Appendix A to FTC Report
– “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework
for Businesses and Policymakers”
• Are there practical considerations that support excluding certain types of companies or businesses from the
framework – for example, businesses that collect, maintain, or use a limited amount of non-sensitive consumer
• Is it feasible for the framework to apply to data that can be “reasonably linked to a specific consumer, computer,
or other device”?
• How should the framework apply to data that, while not currently considered “linkable,” may become so in the
• If it is not feasible for the framework to apply to data that can be “reasonably linked to a specific consumer,
computer, or other device,” what alternatives exist?
• Are there reliable methods for determining whether a particular data set is “linkable” or may become “linkable”?
• What technical measures exist to “anonymize” data and are any industry norms emerging in this area?
Companies Should Promote Consumer Privacy Throughout Their Organizations and at Every Stage of the
Development of Their Products and Services
Incorporate Substantive Privacy Protections
• Are there substantive protections, in addition to those set forth in Section V(B)(1) of the report, that companies
should provide and how should the costs and benefits of such protections be balanced?

FTC, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (Dec. 1, 2010),
available at

Page 6

• Should the concept of “specific business purpose” or “need” be defined further and, if so, how?
• Is there a way to prescribe a reasonable retention period?
• Should the retention period depend upon the type or the sensitivity of the data at issue? For example, does the
value of information used for behavioral advertising decrease so quickly that retention periods for such data can be
quite short?
• How should the substantive principles set forth in Section V(B)(1) of the report apply to companies with legacy
data systems?
• When it is not feasible to update legacy data systems, what administrative or technical procedures should
companies follow to mitigate the risks posed by such systems?
• Can companies minimize or otherwise modify the data maintained in legacy data systems to protect consumer
privacy interests?
Maintain Comprehensive Data Management Procedures
• How can the full range of stakeholders be given an incentive to develop and deploy privacy-enhancing
• What roles should different industry participants – e.g., browser vendors, website operators, advertising companies
– play in addressing privacy concerns with more effective technologies for consumer control?
Companies Should Simplify Consumer Choice
Commonly Accepted Practices
• Is the list of proposed “commonly accepted practices” set forth in Section V(C)(1) of the report too broad or too
• Are there practices that should be considered “commonly accepted” in some business contexts but not in others?
• What types of first-party marketing should be considered “commonly accepted practices”?
• Even if first-party marketing in general may be a commonly accepted practice, should consumers be given a choice
before sensitive data is used for such marketing?
• Should first-party marketing be limited to the context in which the data is collected from the consumer?
o For instance, in the online behavioral advertising context, Commission staff has stated that where a website
provides recommendations or offers to a consumer based on his or her prior purchases at that website, such
practice constitutes first party marketing. An analogous offline example would include a retailer offering a
coupon to a consumer at the cash register based upon the consumer’s prior purchases in the store. Is there a
distinction, however, if the owner of the website or the offline retailer sends offers to the consumer in another
context – for example, via postal mail, email, or text message? Should consumers have an opportunity to
decline solicitations delivered through such means, as provided by existing sectoral laws?
• Should marketing to consumers by commonly-branded affiliates be considered first-party marketing?
• How should the proposed framework handle the practice of data “enhancement,” whereby a company obtains
data about its customers from other sources, both online and offline, to enrich its databases? Should companies
provide choice about this practice?
Page 7

Practices That Require Meaningful Choice
• What is the most appropriate way to obtain consent for practices that do not fall within the “commonly accepted”
• Should the method of consent be different for different contexts?
o For example, what are effective ways to seek informed consent in the mobile context, given the multiple
parties involved in data collection and the challenges presented by the small screen?
o Would a uniform icon or graphic for presenting options be feasible and effective in this and other contexts?
o Is there market research or are there academic studies focusing on the effectiveness of different choice
mechanisms in different contexts that could assist FTC staff as it continues to explore this issue?
• Under what circumstances (if any) is it appropriate to offer choice as a “take it or leave it” proposition, whereby a
consumer’s use of a website, product, or service constitutes consent to the company’s information practices?
• What types of disclosures and consent mechanisms would be most effective to inform consumers about the trade-
offs they make when they share their data in exchange for services?
o In particular, how should companies communicate the “take it or leave it” nature of a transaction to
o Are there any circumstances in which a “take it or leave it” proposition would be inappropriate?
• How should the scope of sensitive information and sensitive users be defined and what is the most effective means
of achieving affirmative consent in these contexts?
• What additional consumer protection measures, such as enhanced consent or heightened restrictions, are
appropriate for the use of deep packet inspection?
• What (if any) special issues does the collection or the use of information about teens raise?
o Are teens sensitive users, warranting enhanced consent procedures?
o Should additional protections be explored in the context of social media services? For example, one social
media service has stated that it limits default settings such that teens are not allowed to share certain
information with the category “Everyone.” What are the benefits and drawbacks of such an approach?
• What choice mechanisms regarding the collection and use of consumer information should companies that do not
directly interact with consumers provide?
• Is it feasible for data brokers to provide a standardized consumer choice mechanism and what would be the
benefits of such a mechanism?
Special Choice for Online Behavioral Advertising: Do Not Track
• How should a universal choice mechanism be designed for consumers to control online behavioral advertising?
• How can such a mechanism be offered to consumers and publicized?
• How can such a mechanism be designed to be clear, easy-to-find, usable, and understandable to consumers?
Page 8

• How can such a mechanism be designed so that it is clear to consumers what they are choosing and what the
limitations of the choice are?
• What are the potential costs and benefits of offering a standardized uniform choice mechanism to control online
behavioral advertising?
• How many consumers would likely choose to avoid receiving targeted advertising?
• How many consumers, on an absolute and percentage basis, have utilized the opt-out tools currently provided?
• What is the likely impact if large numbers of consumers elect to opt out? How would it affect online publishers
and advertisers, and how would it affect consumers?
• In addition to providing the option to opt out of receiving ads completely, should a universal choice mechanism
for online behavioral advertising include an option that allows consumers more granular control over the types of
advertising they want to receive and the type of data they are willing to have collected about them?
• Should the concept of a universal choice mechanism be extended beyond online behavioral advertising and
include, for example, behavioral advertising for mobile applications?
• If the private sector does not implement an effective uniform choice mechanism voluntarily, should the FTC
recommend legislation requiring such a mechanism?
Companies Should Increase the Transparency of Their Data Practices
Improved Privacy Notices
• What is the feasibility of standardizing the format and terminology for describing data practices across industries,
particularly given ongoing changes in technology?
• How can companies present these notices effectively in the offline world or on mobile and similar devices?
• Should companies increase their use of machine-readable policies to allow consumers to more easily compare
privacy practices across companies?
Reasonable Access to Consumer Data
• Should companies be able to charge a reasonable cost for certain types of access?
• Should companies inform consumers of the identity of those with whom the company has shared data about the
consumer, as well as the source of the data?
• Where companies do provide access, how should access apply to information maintained about teens? Should
parents be able to access such data?
• Should access to data differ for consumer-facing and non-consumer-facing entities?
• For non-consumer-facing companies, how can consumers best discover which entities possess information about
them and how to seek access to their data?
• Is it feasible for industry to develop a standardized means for providing consumer access to data maintained by
non-consumer-facing entities?
• Should consumers receive notice when data about them has been used to deny them benefits? How should such
notice be provided? What are the costs and benefits of providing such notice?
Page 9

Material Changes
• What types of changes do companies make to their policies and practices and what types of changes do they regard
as material?
• What is the appropriate level of transparency and consent for prospective changes to data-handling practices?
Consumer Education
• How can individual businesses, industry associations, consumer groups, and government do a better job of
informing consumers about privacy?
• What role should government and industry associations have in educating businesses?
If you have any questions regarding this update, please contact the Sidley lawyer with whom you usually work.
The Privacy, Data Security & Information Law Practice of Sidley Austin LLP
We offer clients an inter-disciplinary, international group of lawyers focusing on the complex national and international issues of data
protection and cyber law. The group includes regulatory compliance lawyers, litigators, financial institution practitioners, healthcare lawyers,
EU specialists, IT licensing and marketing counsel, intellectual property, and white collar lawyers. Sidley provides services in the following
 Privacy and Internet Litigation and Regulatory Advice
 Data Breach, Incident Response, and Cybercrime Advice
 Global Data Protection and Information Security
 International Data Transfer Solutions
 Outsourcing and Cross-Border Issues
 Gramm-Leach-Bliley and Financial Privacy
 HIPAA and Healthcare Privacy
 Workplace Privacy and Employee Monitoring
 Cyberlaw, E-Commerce, and Internet Issues
 Unfair Competition and Consumer Protection
 Trademark and Copyright Litigation and Counseling
 Website Policies and Domain Name Protection
 Records Retention and Electronic Discovery
To receive future copies of this and other Sidley updates via email, please sign up at
Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm’s offices
other than Chicago, London, Hong Kong, Singapore and Sydney, is affiliated with other
partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley
Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin LLP, a
separate Delaware limited liability partnership (Singapore); Sidley Austin, a New York general
partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign
lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law
Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley
Austin, Sidley, or the firm.