Federal Trade Commission Announces Adjusted HSR Thresholds for 2014

On January 17, 2014, the Federal Trade Commission announced the annual threshold adjustments for premerger filings under the Hart-Scott-Rodino Antitrust Improvements Act of 1976 (15 U.S.C. § 18a) (“HSR”). The new thresholds have increased the dollar amount required to trigger HSR notification for both the size-of-transaction and size-of-person tests.

Click here to read the issued client alert.

Third-Party Relationships: The OCC Gets Serious In Its New Bulletin

This post was written by Timothy J. Nagle.

Yesterday, the Office of the Comptroller of the Currency issued OCC Bulletin 2013-29 on Third-Party Relationships. The document rescinds OCC Bulletin 2001-47 and OCC Advisory Letter 2000-9, both of which had served as the basis for supplier management practices and inspections for many years. It is much more expansive than CFPB Bulletin 2012-03 (“Service Providers”), but the two should be read as complementary. With this new Bulletin, the OCC maintains the core elements of its guidance regarding the processes and risk-management principles by which banks contract with and supervise third parties, including merchant payment processing services, joint ventures, and services provided by affiliates or subsidiaries. However, the tone, level of prescription, and escalation of responsibility to the Board of Directors suggest a more active role by regulators.

As with prior guidance, this Bulletin describes an effective risk-management process and life cycle, specifies appropriate contract terms, and allocates oversight and accountability within the financial institution. But there are new requirements and admonitions, highlighted by the statement in the discussion of supervisory review of third-party relationships that a bank’s failure to have an effective third-party risk management process “…may be an unsafe and unsound banking practice.” Compliance and audit executives, start your engines. To ensure they don’t feel left out, the Bulletin has a special note for the boards and management of Community Banks, advising them to be certain that the bank has risk-management practices in place to manage the risks presented by the use of vendors for critical activities. This focus on third-party relationships who are involved in critical activities continues with the requirement that the board of directors approve the plan for managing the vendor and the negotiated contract with the third party.

Other items of interest in the guidance include the note that supervised banks that provide services to other supervised banks will be held to the standards described in the Bulletin, and an expectation that a bank will conduct a due diligence examination (possibly including a site visit) before entering into a contract. This review will include a business experience and reputation evaluation, part of which is a reference check with industry organizations, the Better Business Bureau, Federal Trade Commission, state attorneys general and consumer affairs offices, SEC filings, and similar foreign authorities. The third party will be required to conduct periodic background checks on its senior management and employees, and have adequate succession plans and employee training programs to ensure compliance with policies and procedures. The Bulletin goes into great detail regarding appropriate contract provisions, such as right to audit and require remediation, compliance with a broad range of laws and regulations, and whether the contract contains fees or incentives that could present undue risk to either party. It contemplates joint exercise of disaster recovery and incident management plans “involving unauthorized intrusions or other breaches in confidentiality and integrity.” As stated previously, senior management should obtain board approval of any contract involving critical activities. Finally, the default and termination provisions of the contract with a third party must allow the bank to terminate “in the event that the OCC formally directs the bank to terminate the relationship.”

With the issuance of this Bulletin, any financial institution that is regulated by the OCC will have to review its vendor management and third-party relationship processes, standard contract provisions, and senior management and board oversight responsibilities (including the possibility of appointing a senior manager to provide oversight of a third party involving critical activities). The Bulletin reflects a renewed focus by the OCC on joint ventures and other third-party relationships outside of the standard service provider context, risks of offshoring services, and the need for closer and ongoing management of third parties that support critical functions. It also emphasizes consideration of “concentration risk,” the impact on dual employees and assessment of the complexity of the arrangement. A bank should expect to be asked about “the robust analytical process” it uses to assess and manage third-party relationships during a supervisory review. Similarly, any third party that provides services to financial institutions regulated by the OCC, especially those involved in critical activities, should expect to be presented with more stringent and intrusive contract terms, and be prepared to undergo an audit by this regulator.

The Federal Trade Commission and Irish Data Protection Commissioner sign a memorandum of understanding

This post was written by Cynthia O'Donoghue.

In June 2013, the Federal Trade Commission (FTC) and Ireland's Office of the Data Protection Commissioner signed a memorandum of understanding establishing a mutual assistance and information exchange program to secure compliance with data protection and privacy laws on both sides of the Atlantic.

The privacy and data protection laws between Ireland and the United States differ significantly; however, the two agencies recognise that the global economy and the resultant increase in the cross-border flow of personal information merits close cooperation. The U.S. privacy framework is based on a number of legislative acts, that in the main apply to a specific sector or type of data, such as consumer data or health data, while Ireland’s Data Protection Acts of 1988 and 2003, which implement the EU Data Protection Directive (95/46/EC), apply to the processing of any personal data.

The MOU sets out broad objectives to ensure cooperation over the enforcement of privacy laws and to facilitate research and education in the area of data protection, including through the exchange of knowledge and expertise.

The FTC and the Irish data protection authority have agreed to use their best efforts to:

  • Share information, including complaints they receive
  • Provide each other with investigative assistance
  • Exchange data protection related information, including for purposes of consumer and business education
  • Explore opportunities for staff exchanges and joint training programs
  • Coordinate enforcement against cross-border violations
  • Regularly discuss continuing and prospective opportunities for cooperation

The memorandum also specifies the procedures and rules applying to requests for assistance. Such requests should be made only when they do not impose an excessive burden on the other agency. Any shared information, the existence of the investigations, and any requests made, are to be treated by the agencies as confidential.

FTC Tries The Carrot and The Stick: Releases Guidance on Mobile Privacy Best Practices; Enters Into $800K Consent Order with Path

This post was written by John P. Feldman, Paul Bond and Christine E. Nielsen.

Today, the Federal Trade Commission released detailed guidance on privacy in the mobile environment – at the same time it announced its largest-ever settlement with an app developer for alleged privacy violations. Combined with aggressive action on mobile privacy issues by the California attorney general’s office, Mobile Privacy Disclosures provides every company associated with a mobile app with an urgent reason to review all disclosures and practices. 

Please click here to continue reading this Client Alert

Federal Trade Commission Announces Adjusted HSR Thresholds for 2013

This post was written by Debra H. Dermody, P. Gavin Eastgate, Michelle A. Mantine and William J. Sheridan.

On January 10, 2013, the Federal Trade Commission announced the annual threshold adjustments for premerger filings under the Hart-Scott-Rodino Antitrust Improvements Act of 1976 (15 U.S.C. § 18a) (“HSR”). The new thresholds have increased the dollar amount required to trigger HSR notification with respect to both the size-of-transaction and size-of-person tests.

Please click here to read the issued Client Alert.

FTC Does Not Issue a Final COPPA Rule; Instead, Seeks Comment on Modifications to Rule Definitions

This post was written by John P. Feldman, Amy S. Mushahwar and Christine Nielsen.

This morning the FTC released a supplemental notice of proposed rulemaking on the Children's Online Privacy Protection Act (COPPA) Rule. This is not a final rule. The notice suggests further modifications to proposed definitions released in the September 2011 Notice of Proposed Rulemaking on the COPPA Rule. Specifically, the FTC now seeks comment on proposed modifications to the definitions of "operator," "personal information," and "website or online service directed to children." This notice must be read in conjunction with the 2011 notice to understand the full scope of the proposed changes. The FTC is seeking comments on these proposals. Comments must be received on or before September 10, 2012. Shortly, we will be providing a detailed analysis of this notice in context with the earlier release.

Obama Administration Finalizes Its Privacy Framework: DOC Steams Ahead with Privacy Regulatory Blueprint in the Absence of Federal Privacy Legislation

This post was written by Paul Bond, Judith L. Harris, John P. Feldman, Christopher G. Cwalina and Amy S. Mushahwar.

Today, in a ceremony with much fanfare, Secretary of Commerce John Bryson and Federal Trade Commission Chairman John Liebowitz outlined the Obama administration's privacy blueprint for a "consumer bill of rights." Shortly thereafter, the Department of Commerce released its long-awaited consumer privacy green paper entitled,"Consumer Data Privacy in a Networked World" (the "Final Report"), which follows up on a draft staff report issued well over a year ago [see our previous post, Privacy: A Washington Tale of Two Reports].

Like the previous draft, the Final Report calls for a comprehensive privacy framework for all data, instead of the current sector-specific approach to data protection that leaves some personal data (outside of the communications, health care, education, financial services and children's-online sectors) largely unregulated. The Final Report calls for federal legislation to create such a "privacy bill of rights" that would supplement and fill in the gaps of existing federal privacy policy. However, scores of privacy bills have been introduced in 2010, 2011 and 2012, and few expect a comprehensive privacy bill to pass during a bitter election year.

Knowing that privacy legislation will be difficult to pass this year, the administration also laid out a set of voluntary privacy standards in the Final Report that could be adopted by industry in the absence of legislation. The Commerce Department indicated today that it is confident industry will adopt this cooperative approach for a privacy public-private partnership. Secretary Bryson also indicated that his office already conducted extensive outreach with Internet companies, data collection companies, retailers, ad networks, privacy advocates, academics and consumer groups to encourage the voluntary adoption of seven data-handling principles:

1. Individual Consumer Control of Data Through Choice Mechanisms
2. Greater Consumer Transparency
3. Respect for Data Context
4. Secure Handling of Data
5. Consumer Data Access & Correction Rights (Data Hygiene)
6. Focused Collection (Data Minimization)
7. Accountability (through audit controls and vendor contractual obligations)

Such a voluntary code, however, comes with a carrot and an eventual stick. The carrot: FTC enforcement actions regarding online privacy matters are ongoing. As indicated in the Final Report, if the industry adopts any voluntary code that is developed, then in any investigation or enforcement action based on an FTC Section 5 unfair and deceptive trade practices action, the FTC would consider a company's adherence to the voluntary codes favorably. The stick comes in a few weeks. The Federal Trade Commission is expected to release its Final Staff Report on Consumer Privacy that will be in sync with the administration's blueprint. Non-adherence to a Final FTC Staff Report could be used as evidence of a Section 5 violation, even in the absence of any general privacy federal legislation.

In the coming weeks we will be releasing more granular guidance on how companies should begin evaluating their respective privacy practices, as well as other elements of the staff report (i.e., international harmonization, the role of U.S. state attorneys general, and DOC support of national data breach standard legislation).

 Please click here to view additional information from the Reed Smith Teleseminar "The Department of Commerce Steams Ahead with Privacy Regulatory Blueprint: What you Need to Know." 



FCC Approves Order to Tighten Regulatory Treatment of Robocalls Under the Telephone Consumer Protection Act

This post was written by Judith L. Harris and Amy S. Mushahwar.

The Federal Communications Commission (FCC) acted today to tighten its rules under the Telephone Consumer Protection Act (TCPA) and conform them, to the extent possible, with the more stringent rules already in place at the Federal Trade Commission (FTC) under the Telephone Sales Rule (TSR). This change will hit hardest entities such as banks which are not subject to FTC jurisdiction, and do not have more stringent compliance programs already in place. Although the FCC’s order has not been released and no information is available yet as to the details of how the revised rules will operate and exactly to what calls they will apply, the following four points are clear:

1. Prior express WRITTEN consent will now be required before making any telemarketing robocall (using an autodialer or a prerecorded message) to a consumer; electronic signatures will be acceptable as evidence of written consent and this change will not apply to purely informational calls (“such as those related to school closings and flight changes.”);

2. The “established business relationship” will be eliminated as an exception to the prior written consent requirement that currently applies in the case of wireline calls;

3. An automated opt-out mechanism will have to be included in each robocall to facilitate a consumer’s ability to withdraw prior consent; and

4. The rules governing abandoned or “dead air” calls will be tightened, including through stricter time limits and by changing those limits to apply to each separate marketing campaign, rather than allowing the limits to be averaged over different calling campaigns, as is currently the case.

We are awaiting further details on exactly how these rules will be applied and when they will become effective. In the interim, please contact the authors of this article or the Reed Smith attorney with whom you normally work.

Federal Trade Commission Announces Adjusted HSR Thresholds for 2012

This post was written by Debra H. Dermody, Gavin P. Eastgate and Michelle Mantine.

On January 24, 2012, the Federal Trade Commission announced the annual threshold adjustments for premerger filings under the Hart-Scott-Rodino Antitrust Improvements Act of 1976 (15 U.S.C. § 18a) (“HSR”). The new thresholds have increased the dollar amount required to trigger HSR notification with respect to both the size-of-transaction and size-of-person tests.

The revised HSR thresholds will apply to all transactions that close on or after the effective date, which is 30 calendar days following publication of the adjusted thresholds in the Federal Register. Publication will occur shortly, and the effective date will be in late February.  Click here to learn more about the Adjusted HSR Thresholds for 2012.

Barnes & Noble's Acquisition of Borders' Database On The Shelf?

This post was written by Mark S. Melodia, Paul J. Jaskot, and Frederick Lah.

On September 15, Barnes & Noble ("B&N") acquired several of Borders’ intellectual property assets, including a database of customer information, as part of Borders' bankruptcy auction.  The sale of those assets hit a potential roadblock on Thursday, though, when a New York bankruptcy judge refused to approve the transaction, saying that he needed more time to think about the potential privacy concerns. This decision came on the heels of a Report issued by a court-appointed ombudsman who recommended certain privacy restrictions to be taken with respect to the customer information.

The Report recommended, among other restrictions, that B&N obtain the affirmative consent of affected consumers before transferring the personal data and that it treat consumer information pursuant to Borders' privacy policy in effect at the time of its collection. Borders' first privacy policy, published in 2006, provided that it will "only disclose [customer] email address or other personal information to third parties if you expressly consent to such disclosure." (emphasis in original text)

The Report also cited to letters the ombudsman received from 25 State Attorney Generals and the FTC expressing concern over the transfer of personal information in connection with the sale. The FTC's letter recommended than any transfer of personal information take place only with the consent of Borders' customers or with significant restrictions on the transfer and use of the information. Those recommended restrictions included: (i) Borders agreeing not to sell the customer information as a standalone asset; (ii) the buyer's line of business be substantially similar to that of the old owner; (iii) the buyer expressly agreeing to be bound by the terms of Borders' privacy policy; and (iii) the buyer agreeing to obtain affirmative consent from consumers for any material changes to the policy. The FTC further stated that any transfer of customer information could contravene Borders' express promise not to disclose such information and could constitute a deceptive or unfair practice.

B&N responded to the Report by filing a statement with the bankruptcy court. In the statement, B&N denied knowing that the ombudsman was planning to make recommendations or that he had corresponded with the FTC and the Attorney Generals. B&N characterized the Report's restrictions as "overreaching and unnecessary" and said that implementation of the restrictions "would materially reduce the value of the customer list." While B&N did agreed with some of the restrictions, it rejected others, particularly that Borders obtain opt-in consent for the transfer of personal data and that B&N treat consumer information pursuant to the Borders' privacy policy in effect at the time of its collection. According to B&N, it would be completely unrealistic to expect customers to affirmatively respond to a request from Borders since Borders "has gone out of business." Further, to treat consumer data pursuant to Borders' privacy policies at the time of its collection would be, according to B&N, "administratively difficult, if not impossible, and would likely have the perverse effect of harming consumers through confusion and lack of a straightforward method for them to understand how their information is being used." B&N said the transaction is "at risk."

This is certainly not the first time that would-be buyers of information-based assets have faced FTC or judicial scrutiny and concerns about the privacy implications of such a transfer. For example, last year, a former publisher of a magazine and dating website for gay youth had declared bankruptcy, which resulted in the dispute over ownership of various business assets, including the subscriber database. The FTC warned that any transfer or use of the database could potentially result in a violation of the FTC Act. The New Jersey Bankruptcy Court eventually ordered the buyer to destroy the subscriber database.

Similarly, in 2000, the FTC brought an action against Toysmart, in which the Commission sued an online toy retailer which had filed for bankruptcy and sought to auction the personal information it collected from customers. The Commission eventually entered into a settlement with Toysmart allowing the transfer so long as the buyer adhered to certain restrictions, many of which were similar to the ones recommended in the FTC's letter to Borders.

In today’s information age, consumer information is essential to business efficiency and can be a very valuable asset for those companies who are forced to liquidate their assets to mitigate debt (as evidenced by the $13.9 million dollar price tag B&N agreed to pay for the IP assets). While databases containing consumer information can be valuable, transferring such databases can be a risky process, subject to judicial and regulatory scrutiny. This case teaches us that companies looking to perform these transfers need to be mindful of the privacy implications involved in the process. Reed Smith can help companies that are contemplating such transactions, whether in a bankruptcy proceeding or a negotiated transaction, with evaluating the transferability of those assets and identifying and analyzing associated risks — before the government or another third party does.

Commissioner Brill Introduces Competition Analysis to Privacy Debate

This post was written by Paul Bond and Chris Cwalina.

In her new article, "The Intersection of Consumer Protection and Competition in the New World of Privacy," Federal Trade Commissioner Julie Brill cautions that the pursuit of privacy may conflict with the pursuit of a competitive market. Commissioner Brill's article, published in the Spring Edition of Competition Policy International, notes that the Federal Trade Commission's role is to protect consumers from many types of market failures. The FTC strives to protect consumers from unfair and deceptive information collection and use practices. But, at the same time, the FTC protects consumers from collusive and other anti-competitive behaviors. Commissioner Brill identifies a potentially problematic range of privacy enhancements which could, paradoxically, harm consumers by stifling competition. In this position, Commissioner Brill goes further than the FTC's preliminary white paper, "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers" (2010 Privacy Report).

For example, Commissioner Brill asserts that self-regulation to date has been "slow and inadequate". This mirrors criticisms in the 2010 Privacy Report. But Commissioner Brill goes on to posit that dominant companies can misuse privacy self-regulation to stifle market entry by new competitors. The Commissioner does not describe in any detail the manner in which such an anti-competitive plan would be carried out. Presumably, the cost in money or time of complying with the industry's self-regulation would prove prohibitive for fledgling businesses, while just a "cost of doing business" for better capitalized industry leaders. There may also be a concern that existing businesses, which already hold stockpiles of consumer information, would erect barriers to data collection which would affect new enterprises disproportionately.

Commissioner Brill also raises the competitive concern that privacy regulation not unfairly benefit new entrants. "Indeed," she recognizes, "some more established data brokers and other information firms believe it is much easier for their newer competitors to design privacy protections into their new business models and new forms of communications than it is to retrofit old systems to meet the realities of today's privacy concerns."

Until now, a strategic analysis of the competitive impact of privacy regulation has not been an FTC priority. Indeed, in her Article, Commissioner Brill notes that she writes only for herself, and is not reflecting the views of the Commission or the other Commissioners. Still, taken in conjunction with Commissioner Roach's recent opinion that the Google Buzz settlement may have been a strategic ploy by Google to create insurmountable regulatory barriers to entry, it is safe to say the FTC is increasingly wary of privacy regulation being misused for private ends. Advocates of self-regulation, as well as those seeking to advance or defeat governmental regulation, must be prepared to explain why their privacy regulation or self-regulation proposals are consistent with a vigorous free market. Advocates of industry self-regulation already know that the FTC has criticized efforts to date and here is another hurdle that must be addressed before self-regulation is deemed by the FTC to be robust enough and workable.

Given how extremely easy it is to transfer information as an asset between corporate forms, and from one area of the world to another, the prospect for strategic resistance to or abuse of privacy regulation by companies around the world is substantial. Commissioner Brill performs a service by injecting a note of economic realism into the ongoing debate about how information can and should be regulated in the 21st century.

Reed Smith Attorney Talks McCain-Kerry Bill

Reed Smith Attorney Amy Mushahwar was recently interviewed by IT Business Edge on the McCain-Kerry Bill. According to Amy, "if enacted, the bill would expand the Federal Trade Commission’s jurisdiction to include telecommunications companies for privacy matters. Typically, telecom companies would not be within the FTC’s jurisdiction." To see the complete interview, please click here.

Privacy: A Washington Tale of Two Reports

This post was written by Mark Melodia, Judy Harris, Chris Cwalina, Paul Bond, and Amy Mushahwar.

We've been busy here in Washington with two seminal privacy reports released within a span of two weeks.  At Reed Smith, our interdisciplinary team of former government officials, former in-house attorneys, class action litigators and engineers (in the US and internationally) are reviewing the releases and providing prompt insights for your review.  Below, please find a link to the reports, our most recent digests and our aptly timed teleseminar that occurred on the very day that the Department of Commerce released its privacy green paper.

On December 1, 2010, the Federal Trade Commission issued its long-awaited 123-page preliminary report on privacy, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers. The report is the most important and comprehensive guidance the FTC has ever issued in the privacy arena, and it has the potential to dramatically overhaul the way businesses think about privacy. More importantly, the document sets the stage, potentially, for a very different regulatory framework in Washington. For more detailed information on the FTC Report click here.  Comments are due on this report by January 31, 2011.

On December 16, 2010, the U.S. Department of Commerce issued its initial policy recommendation in a green paper, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework .  The Commerce green paper issued by the specially established Internet Task Force at the Department of Commerce lends another voice to the privacy debate and attempts to create a universal privacy baseline. While the report makes no recommendations to cover specific industry sectors that are addressed by existing privacy regulations, such as, healthcare, financial services and education, it is clear that the Department of Commerce would like to lead the regulatory agenda in the online privacy overhaul that is expected in 2011.  Check back here over the next few days for a more detailed look into the report.  Comments are due on this report by January 28, 2011. 

We addressed both reports in yesterday's teleseminar by privacy counsel Mark Melodia, Chris Cwalina, Paul Bond and Amy Mushahwar,  even though our team was still digesting the Commerce item that was released only hours before the teleseminar.  Our team described how the reports may apply to your business and provided a view from Washington regarding the complex regulatory and legislative road that may lie ahead for data privacy and cyber security issues. Feel free to listen to an audio recording of the event while watching the slide show.

FTC Releases Privacy Report

This post was written by Paul Bond, Christopher G. Cwalina, Amy S. Mushahwar, and Frederick Lah.

On December 1, 2010 the FTC released its long-awaited Protecting Consumer Privacy in an Era of Rapid Change. This 123-page preliminary staff report proposes a sea change in US privacy law. The FTC is accepting comments on this report until January 31, 2011.

In the report, the FTC proposes a major change in the framework of US privacy law, stating bluntly that, "Industry must do better."

  • Notice-and-consent does not work, the FTC says. People do not read or understand privacy notices as now written. The Commission's view is that privacy policies have become "long" and "incomprehensible".
  • The report says that waiting for harm to come to consumers is also not an effective way to enforce privacy norms. Harm has traditionally meant economic or physical harm. Per the report, privacy harms include reputational harms and even the emotional harm of having one's information "out there," and/or "fear of being monitored". The FTC says the new framework must address and allay these anxieties; however, there is some disagreement among the Commissioners. Commissioner J. Thomas Rosch expressed in his concurrence that "the Commission could overstep its bounds" if it were to begin analyzing these more intangible harms when assessing consumer injury.
  • Industry self-regulation, per the report, is too little, too late and has failed to provide adequate and meaningful protection.

The report also challenges a number of assumptions in how we view data privacy and security.

  • The FTC casts severe doubt on claims that de-identified information need not be protected, citing to multiple instances and methods by which personally-identifiable information (“PII”) can be culled from data that does not include names (i.e., IP Addresses or other unique identifiers). The distinction between PII and non-PII, the FTC concludes, is "of decreasing relevance". Consequently, the scope of the report is very broad and applies to "all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device."
  • The report purports to apply in the online and offline world and not just to companies that work directly with consumers.
  • The FTC suggests that consumers must be made aware of and consent to onward transfers of information to non-affiliates, regardless of the industry, universalizing consumer notice requirements that hitherto only applied as to certain highly regulated industries (i.e., telecommunications, education, healthcare, financial services) or certain types of highly sensitive data (i.e., credit report information, bank account information).
  • The report distinguished between "commonly accepted data practices" and all other data practices. Borrowing from GLBA and HIPAA, commonly accepted practices, like using data to aid law enforcement or in response to judicial process or to prevent fraud, would not require notice to or consent of consumers. All other data practices would require notice and consent, in a form easy to read and understand, ideally provided to the consumer at the point the consumer enters his or her personal data. Behavioral advertising and deep packet inspection are explicitly named as not "commonly accepted data practices". Also, the FTC suggests that opt-in consent be obtained prior to implementing any material changes to a company's privacy policy that would apply to data collected under a prior policy.
  • The report suggests that to promote a free and competitive market, the privacy practices of companies need to be more transparent to consumers and that companies provide consumers with "reasonable access" to their data.
  • Per the report, appropriate data retention periods should be a legal requirement. The report sites geolocation data as especially important to phase out.
  • The report also endorses a "Do Not Track" mechanism, understanding that such a mechanism would be far more complex than the National Do Not Call registry. The FTC supports either legislation or self regulatory efforts to develop a system whereby a consumer could opt not to be "tracked." The FTC has expressed a distinction between "tracking" and "interest-based" advertising. And, in later discussions regarding the report, the FTC has stated that it will treat first-party advertising more favorably than third-party ad servers. The FTC has not decided on the technical mechanism for creating such a registry, but has proposed that a browser-level solution that could be similar to the privacy plug-in on the Firefox browser or incognito mode in Google Chrome. The FTC has not expressed whether opt-in or opt-out would be the default browser setting for any browser privacy plug-ins/modes developed.

So what should businesses do?

First, companies should carefully review the report and the 50+ questions open for public comment posed in Appendix A (there are also additional questions posed in the Commissioner dissent statements).

Second, companies should strongly consider commenting on the report. In our experience, the FTC will listen to and often address business concerns, but they must be heard. Trade associations may be a good place to start but also consider unique issues that your company may face that should be addressed.

Third, now is a good time for companies to pull back and consider their privacy programs and the extent to which they incorporate privacy into their everyday business practices. The report suggests that every company should adopt "privacy by design," "building privacy protections into everyday business practices," "assigning personnel to oversee privacy issues, training employees on privacy issues, and conducting privacy reviews when developing new products and services".

The FTC's full report is available here