FTC Privacy Framework

Background

In 2010, the FTC released a draft report containing a framework of recommendations to protect consumer privacy. Based on that draft, as well as feedback from stakeholders including businesses, privacy advocates, technology experts, and consumers, the FTC released their final privacy framework recommendations in 2012.

Principles

  1. Scope. The framework applies to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device, unless the entity collects only non-sensitive data from fewer than 5,000 consumers per year and does not share the data with third parties.
  2. Privacy By Design. (Inflection Principle 6) Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.
    1. Substantive Principles. Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy.
    2. Procedural Protections to Implement Principles. Companies should maintain comprehensive data management procedures throughout the life cycle of their products and services.

  3. Simplified Consumer Choice. (Inflection Principle 4)
    Companies should simplify consumer choice.

    1. Practices That Do Not Require Choice. Companies do not need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company’s relationship with the consumer, or are required or specifically authorized by law.
    2. Companies Should Provide Consumer Choice for Other Practices. For practices requiring choice, companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data. Companies should obtain affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected, or collecting sensitive data for certain purposes.

  4. Transparency. (Inflection Principle 1)
    Companies should increase the transparency of their data practices.

    1. Privacy Notices. Privacy notices should be clearer, shorter, and more standardized to enable better comprehension and comparison of privacy practices.
    2. Access. Companies should provide reasonable access to the consumer data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of its use.
    3. Consumer Education. All stakeholders should expand their efforts to educate consumers about commercial data privacy practices. (Inflection Principle 7)

Further Reading

Link: FTC Issues Final Commission Report on Protecting Consumer Privacy
Link: Protecting Consumer Privacy in an Era of Rapid Change