FTC and Commerce Privacy Reports Point to Obama Administration Promoting Privacy Legislation

The Obama administration continues to focus on privacy issues, and this year’s agenda will include continued enforcement efforts by the Federal Trade Commission (FTC), regulatory efforts led by the FTC and the Department of Commerce and a push for legislation.  This alert focuses on this last point and briefly summarizes the policy highpoints driving these efforts as detailed in extensive reports issued in late 2010 by the FTC and the Department of Commerce. 

FTC and Department of Commerce Make Headlines

The administration, through two key agencies—the FTC and the Department of Commerce—is attempting to shape the legislative debate over privacy issues.  In December 2010, each issued a comprehensive report on its views and approaches to key privacy issues.  

The FTC report, issued by its staff, is the latest in a series of privacy reports—some equally comprehensive, others industry- or issue- (identity theft, technologies, laws) specific.  The FTC report, titled “Protecting Consumer Privacy in an Era of Rapid Change,” is a preliminary report—meaning that the FTC is continuing to seek comments and reactions to the report and will likely issue a follow-on report.  The Commerce report is called “Commercial Data Privacy and Innovation in the Internet Economy:  A Dynamic Framework.”  Both reports at a basic level advocate a more comprehensive and more legislative approach to privacy issues.

The FTC report is organized around three key principles based on what it terms a “privacy framework.”  This framework is not really a set of concrete proposals—a key exception is a proposal for a “do-not-track” law—but, for the most part, a set of basic aspirational goals.

The first goal is termed “privacy by design”—essentially, the recommendation that companies make privacy part of their “everyday business practices.” 

The second, “simplified choice,” is the FTC’s recognition that the “notice-and-choice” approach may not really be effective if consumers, as seems often to be the case, do not pay attention to the content of privacy notices.  The FTC, not surprisingly, wants more effective choice. 

Finally, the FTC urges “greater transparency,” which seems to be a shorter version of the Fair Information Practices Principles (FIPP), i.e., there should be notice, access, disclosure and affirmative consent for changes in data use. 

However, the FTC staff is careful to suggest that these concepts may have to be modified or applied through a sliding scale conditioned by the type of data or level of acceptance of the business practices at issue.  Within these broad concepts, there are discussions of more-controversial issues such as the use and regulation of depersonalized data, self-regulation versus government enforcement, exclusions for less-sensitive data, consistency with existing privacy laws and correction of consumer data being held by companies. 

The Commerce report is very similar in certain ways to the FTC report.  The Commerce report advocates a generalized privacy approach it terms a “Dynamic Privacy Framework.”   This approach is basically a generalized privacy “bill of rights” based on an FIPP approach. 

The report stresses that the focus of a baseline set of privacy principles would include transparency, i.e., better and more effective notice with effective limitations on purpose and specification uses as set forth in notices.  It also would stress auditing and accountability. 

These principles likely would be backed up by industry codes of conduct that may be enforceable through FTC actions.  However, companies that followed the industry codes would be protected from regulatory actions by safe harbors. 

Why the Different Approaches?

Different agencies do different things in different ways, and there are some key differences between the two reports. 

First, Commerce is an executive agency—that is, it is run by its political appointees and, by extension, the administration.  As a result, it can speak with one voice.  The FTC, on the other hand, is an independent agency operated through the consensus of its five commissioners, two of whom, by law, have to be Democrats, two Republicans and one independent. 

As a result, the Commerce report is simply more consistent in its overall approach.  The FTC report is not, and, in fact, the Republican commissioners both filed concurring statements indicating that the proposals in the FTC staff’s report are “flawed” or insufficiently based in empirical evidence.  Consequently, the on-the-one-hand/on-the-other-hand quality of the FTC staff’s report is most likely a reaction to countervailing practical, philosophical or even political concerns.

Further, Commerce is known as a business-friendly agency.   Not surprisingly, the Commerce report, both in substance and, to a certain extent, in form, provides some industry-friendly recommendations, e.g., a national breach notification law that preempts state laws.

The Commerce report also recommends the creation within its hierarchy of a Privacy Planning Office.  While the Commerce report is careful to acknowledge the role of the FTC and other parts of the U.S. government in developing privacy policy, the administration is clearly pushing for a more hands-on role through an executive agency.   

Next Steps

The reports will be drivers for continued focus.  Even as congressional committees will likely hold hearings on one or both of these reports to drive the dialogue and solicit feedback from stakeholders in advance of moving any legislation, each agency will try to use its report as a means of affecting legislative activity and expanding its power and authority.

Contact Information

If you have any questions regarding this alert, please contact— 

Daniel F. McInnis 

Washington, D.C.

James R. Tucker, Jr.

Washington, D.C.

Jo-Ellyn Sakowitz Klein

Washington, D.C.