mine data for marketing purposes and that re-identification is a commercial enterprise.[90] This adds to the
likelihood of data re-identification.
Some industry commenters also recognized consumers’ privacy interest in data that goes beyond what
is strictly labeled PII.[91] Drawing on the FTC’s roundtables as well as the preliminary staff report, one such
commenter noted the legitimate interest consumers have in controlling how companies collect and use
aggregated or de-identified data, browser fingerprints,[92] and other types of non-PII.[93] Another company
questioned the notion of distinguishing between PII and non-PII as a way to determine what data to
protect.[94] Supporting a scaled approach rather than a bright line distinction, this commenter noted that all
data derived from individuals deserves some level of protection.[95]
Other commenters representing industry opposed the proposed framework’s application to non-PII
that can be reasonably linked to a consumer, computer, or device.[96] These commenters asserted that the
risks associated with the collection and use of data that does not contain PII are simply not the same as the
risks associated with PII. They also claimed a lack of evidence demonstrating that consumers have the same
privacy interest in non-PII as they do with the collection and use of PII. Instead of applying the framework
to non-PII, these commenters recommended the Commission support efforts to de-identify data.
Overall, the comments reflect a general acknowledgment that the traditional distinction between PII and
non-PII has blurred and that it is appropriate to more comprehensively examine data to determine the data’s
privacy implications.[97] However, some commenters, including some of those cited above, argued that the
proposed framework’s “linkability” standard is potentially too open-ended to be practical.[98] One industry
organization asserted, for instance, that if given enough time and resources, any data may be linkable to an
90 Comment of Electronic Frontier Foundation, cmt. #00400, at 4 (citing Julia Angwin & Steve Stecklow, ‘Scrapers’ Dig Deep for
Data on Web, Wall St. J., Oct. 12, 2010, available at
http://online.wsj.com/article/SB10001424052748703358504575544381288117888.html); Sorrell v. IMS Health Inc., 131 S. Ct. 2653 (2011).
91 Comment of Mozilla, cmt. #00480, at 4-5; Comment of Google Inc., cmt. #00417, at 8.
92 The term “browser fingerprints” refers to the specific combination of characteristics – such as system fonts, software, and
installed plugins – that are typically made available by a consumer’s browser to any website visited. These characteristics can
be used to uniquely identify computers, cell phones, or other devices. Browser fingerprinting does not rely on cookies. See
Erik Larkin, Browser Fingerprinting Can ID You Without Cookies, PCWorld, Jan. 29, 2010, available at
http://www.pcworld.com/article/188161/browser_fingerprinting_can_id_you_without_cookies.html.
93 Comment of Mozilla, cmt. #00480, at 4-5 (citing FTC, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed
Framework for Businesses and Policymakers, Preliminary FTC Staff Report, at 36-37 (Dec. 2010), available at
http://www.ftc.gov/os/2010/12/101201privacyreport.pdf).
94 Comment of Google Inc., cmt. #00417, at 8.
95 Comment of Google Inc., cmt. #00417, at 8.
96 Comment of Direct Marketing Ass’n, Inc., cmt. #00449, at 13-14; Comment of National Cable & Telecommunications Ass’n, cmt.
#00432, at 13-17.
97 See Comment of AT&T Inc., cmt. #00420, at 13-15; Comment of Center for Democracy & Technology (Feb. 18, 2011), cmt.
#00469, at 3-4; Comment of CTIA - The Wireless Ass’n, cmt. #00375, at 3-4; Comment of Consumers Union, cmt. #00362, at
4-5; Comment of Electronic Frontier Foundation, cmt. #00400, at 1-4; Comment of Google Inc., cmt. #00417, at 7-8; Comment
of Mozilla, cmt. #00480, at 4-6; Comment of Phorm Inc., cmt. #00353, at 3-4.
98 Comment of AT&T Inc., cmt. #00420, at 13; Comment of CTIA - The Wireless Ass’n, cmt. #00375 at 3-4; Comment of Google
Inc., cmt. #00417, at 8; Comment of Phorm Inc., cmt. #00353, at 4.
individual.[99] In addition, commenters stated that requiring the same level of protection for all data would
undermine companies’ incentive to avoid collecting data that is more easily identified or to take steps to
de-identify the data they collect and use.[100] Other commenters argued that applying the framework to data
that is potentially linkable could conflict with the framework’s privacy by design concept, as companies
could be forced to collect more information about consumers than they otherwise would in order to be
able to provide those consumers with effective notice, choice, or access.[101] To address these concerns,
some commenters proposed limiting the framework to data that is actually linked to a specific consumer,
computer, or device.[102]
One commenter recommended that the Commission clarify that the reasonably linkable standard means
non-public data that can be linked with reasonable effort.[103] This commenter also stated that the framework
should exclude data that, through contract or by virtue of internal controls, will not be linked with a
particular consumer. Taking a similar approach, another commenter suggested that the framework should
apply to data that is reasonably likely to relate to an identifiable consumer.[104] This commenter also noted
that a company could commit through its privacy policy that it would only maintain or use data in a
de-identified form and that such a commitment would be enforceable under Section 5 of the FTC Act.[105]
The Commission believes there is sufficient support from commenters representing an array of
perspectives – including consumer and privacy advocates as well as industry representatives – for the
framework’s application to data that, while not yet linked to a particular consumer, computer, or device,
may reasonably become so. There is significant evidence demonstrating that technological advances and the
ability to combine disparate pieces of data can lead to identification of a consumer, computer, or device even
if the individual pieces of data do not constitute PII.[106] Moreover, not only is it possible to re-identify
non-PII data through various means,[107] businesses have strong incentives to actually do so.
In response to the comments, to provide greater certainty for companies that collect and use consumer
data, the Commission provides additional clarification on the application of the reasonable linkability
standard to describe how companies can take appropriate steps to minimize such linkability. Under the final
99 Comment of GS1, cmt. #00439, at 2.
100 Comment of AT&T Inc., cmt. #00420, at 13-14; Comment of CTIA - The Wireless Ass’n, cmt. #00375, at 4; Comment of
Experian, cmt. #00398, at 11; Comment of National Cable & Telecommunications Ass’n, cmt. #00432, at 16.
101 Comment of United States Council for International Business, cmt. #00366, at 1; Comment of Phorm Inc., cmt. #00353, at 3.
102 Comment of Retail Industry Leaders Ass’n, cmt. #00352, at 4; Comment of Yahoo! Inc., cmt. #00444, at 3-4; Comment of GS1,
cmt. #00439, at 3.
103 Comment of AT&T Inc., cmt. #00420, at 13.
104 Comment of Intel Corp., cmt. #00246, at 9.
105 Comment of Intel Corp., cmt. #00246, at 9.
106 FTC, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,
Preliminary FTC Staff Report, 35-38 (Dec. 2010), available at http://www.ftc.gov/os/2010/12/101201privacyreport.pdf;
Comment of Center for Democracy & Technology, cmt. #00469, at 3; Comment of Statz, Inc., cmt. #00377, at 11-12. See supra
note 89.
107 See FTC, FTC Staff Report: Self-Regulatory Principles for Online Behavioral Advertising, 21-24, 43-45 (Feb. 2009), available at
http://www.ftc.gov/os/2009/02/P0085400behavadreport.pdf; Paul M. Schwartz & Daniel J. Solove, The PII Problem: Privacy
and a New Concept of Personally Identifiable Information, 86 N.Y.U. L. Rev. 1814, 1836-1848 (2011).
framework, a company’s data would not be reasonably linkable to a particular consumer or device to the
extent that the company implements three significant protections for that data.
First, the company must take reasonable measures to ensure that the data is de-identified. This means
that the company must achieve a reasonable level of justified confidence that the data cannot reasonably be
used to infer information about, or otherwise be linked to, a particular consumer, computer, or other device.
Consistent with the Commission’s approach in its data security cases,[108] what qualifies as a reasonable level
of justified confidence depends upon the particular circumstances, including the available methods and
technologies. In addition, the nature of the data at issue and the purposes for which it will be used are also
relevant. Thus, for example, whether a company publishes data externally affects whether the steps it has
taken to de-identify data are considered reasonable. The standard is not an absolute one; rather, companies
must take reasonable steps to ensure that data is de-identified.
Depending on the circumstances, a variety of technical approaches to de-identification may be
reasonable, such as deletion or modification of data fields, the addition of sufficient “noise” to data,
statistical sampling, or the use of aggregate or synthetic data.[109] The Commission encourages companies and
researchers to continue innovating in the development and evaluation of new and better approaches to
de-identification. FTC staff will continue to monitor and assess the state of the art in de-identification.
Second, a company must publicly commit to maintain and use the data in a de-identified fashion,
and not to attempt to re-identify the data. Thus, if a company does take steps to re-identify such data, its
conduct could be actionable under Section 5 of the FTC Act.
Third, if a company makes such de-identified data available to other companies – whether service
providers or other third parties – it should contractually prohibit such entities from attempting to re-identify
the data. The company that transfers or otherwise makes the data available should exercise reasonable
oversight to monitor compliance with these contractual provisions and take appropriate steps to address
contractual violations.[110]
FTC staff’s letter closing its investigation of Netflix, arising from the company’s plan to release
purportedly anonymous consumer data to improve its movie recommendation algorithm, provides a good
illustration of these concepts. In response to the privacy concerns that FTC staff and others raised, Netflix
revised its initial plan to publicly release the data. The company agreed to narrow any such release of data
to certain researchers. The letter details Netflix’s commitment to implement a number of “operational
108 The Commission’s approach in data security cases is a flexible one. Where a company has offered assurances to consumers
that it has implemented reasonable security measures, the Commission assesses the reasonableness based, among other things,
on the sensitivity of the information collected, the measures the company has implemented to protect such information, and
whether the company has taken action to address and prevent well-known and easily addressable security vulnerabilities.
109 See, e.g., Cynthia Dwork, A Firm Foundation for Private Data Analysis, 54 Comm. of the ACM 86-95 (2011), available at
http://research.microsoft.com/pubs/116123/dwork_cacm.pdf, and references cited therein.
110 See In the Matter of Superior Mortg. Corp., FTC Docket No. C-4153 (Dec. 14, 2005), available at
http://www.ftc.gov/os/caselist/0523136/0523136.shtm (alleging a violation of the GLB Safeguards Rule for, among other things, a failure to ensure
that service providers were providing appropriate security for customer information and addressing known security risks in a
timely manner).
safeguards to prevent the data from being used to re-identify consumers.”[111] If it chose to share such data
with third parties, Netflix stated that it would limit access “only to researchers who contractually agree to
specific limitations on its use.”[112]
Accordingly, as long as (1) a given data set is not reasonably identifiable, (2) the company publicly
commits not to re-identify it, and (3) the company requires any downstream users of the data to keep it in
de-identified form, that data will fall outside the scope of the framework.[113]
This clarification of the framework’s reasonable linkability standard is designed to help address the
concern that the standard is overly broad. Further, the clarification gives companies an incentive to collect
and use data in a form that makes it less likely the data will be linked to a particular consumer or device,
thereby promoting privacy. Additionally, by calling for companies to publicly commit to the steps they take,
the framework promotes accountability.[114]
Consistent with the discussion above, the Commission restates the framework’s scope as follows.
Final Scope: The framework applies to all commercial entities that collect or use consumer data that
can be reasonably linked to a specific consumer, computer, or other device, unless the entity collects
only non-sensitive data from fewer than 5,000 consumers per year and does not share the data with
third parties.
B. PRIVACY BY DESIGN
Baseline Principle: Companies should promote consumer privacy throughout their organizations
and at every stage of the development of their products and services.
The preliminary staff report called on companies to promote consumer privacy throughout their
organizations and at every stage of the development of their products and services. Although many
companies already incorporate substantive and procedural privacy protections into their business practices,
industry should implement privacy by design more systematically. A number of commenters, including
those representing industry, supported staff’s call that companies “build in” privacy, with several of these
commenters citing to the broad international recognition and adoption of privacy by design.[115] The
Commission is encouraged to see broad support for this concept, particularly in light of the increasingly
global nature of data transfers.
111 Letter from Maneesha Mithal, Assoc. Dir., Div. of Privacy & Identity Prot., FTC, to Reed Freeman, Morrison & Foerster
LLP, Counsel for Netflix, 2 (Mar. 12, 2010), available at http://www.ftc.gov/os/closings/100312netflixletter.pdf (closing
letter).
112 Id.
113 To the extent that a company maintains and uses both data that is identifiable and data that it has taken steps to de-identify as
outlined here, the company should silo the data separately.
114 A company that violates its policy against re-identifying data could be subject to liability under the FTC Act or other laws.
115 Comment of Office of the Information and Privacy Commissioner of Ontario, cmt. #00239, at 2-3; Comment of Intel Corp., cmt.
#00246, at 12-13; Comment of CNIL, cmt. #00298, at 2-3.
In calling for privacy by design, staff advocated for the implementation of substantive privacy protections
– such as data security, limitations on data collection and retention, and data accuracy – as well as procedural
safeguards aimed at integrating the substantive principles into a company’s everyday business operations.
By shifting burdens away from consumers and placing obligations on businesses to treat consumer data in
a responsible manner, these principles should afford consumers basic privacy protections without forcing
them to read long, incomprehensible privacy notices to learn and make choices about a company’s privacy
practices. Although the Commission has not changed the proposed “privacy by design” principles, it
responds to a number of comments, as discussed below.
1. THE SUBSTANTIVE PRINCIPLES: DATA SECURITY, REASONABLE COLLECTION LIMITS,
SOUND RETENTION PRACTICES, AND DATA ACCURACY.
Proposed Principle: Companies should incorporate substantive privacy protections into their
practices, such as data security, reasonable collection limits, sound retention practices, and data
accuracy.
a. Should Additional Substantive Principles Be Identified?
Responding to a question about whether the final framework should identify additional substantive
protections, several commenters suggested incorporating the additional principles articulated in the 1980
OECD Privacy Guidelines.[116] One commenter also proposed adding the “right to be forgotten,” which
would allow consumers to withdraw data posted online about themselves at any point.[117] This concept has
gained importance as people post more information about themselves online without fully appreciating the
implications of such data sharing or the persistence of online data over time.[118] In supporting an expansive
view of privacy by design, a consumer advocacy group noted that the individual elements and principles of
the proposed framework should work together holistically.[119]
In response, the Commission notes that the framework already embodies all the concepts in the 1980
OECD privacy guidelines, although with some updates and changes in emphasis. For example, privacy by
design includes the collection limitation, data quality, and security principles. Additionally, the framework’s
simplified choice and transparency components, discussed below, encompass the OECD principles of
purpose specification, use limitation, individual participation, and openness. The framework also adopts the
116 Comment of CNIL, cmt. #00298, at 2; Comment of the Information Commissioner’s Office of the UK, cmt. #00249, at 2;
Comment of World Privacy Forum, cmt. #00369, at 7; Comment of Intel Corp., cmt. #00246, at 4; see also Organisation for
Economic Co-operation & Development, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal
Data (Sept. 1980), available at http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00&&en-USS_01DBC.html
(these principles include purpose specification, individual participation, accountability, and principles to
govern cross-border data transfers). Another commenter called for baseline legislation based on the Fair Information Practice
Principles and the principles outlined in the 1974 Privacy Act. Comment of Electronic Privacy Information Center, cmt.
#00386, at 17-20.
117 Comment of CNIL, cmt. #00298, at 3.
118 The concept of the “right to be forgotten,” and its importance to young consumers, is discussed in more detail below in the
Transparency Section, infra at Section IV.D.2.b.
119 Comment of Consumers Union, cmt. #00362, at 1-2, 5-9, 18-19.
OECD principle that companies must be accountable for their privacy practices. Specifically, the framework
calls on companies to implement procedures – such as designating a person responsible for privacy, training
employees, and ensuring adequate oversight of third parties – to help ensure that they are implementing
appropriate substantive privacy protections. The framework also calls on industry to increase efforts to
educate consumers about the commercial collection and use of their data and the available privacy tools.
In addition, there are aspects of the proposed “right to be forgotten” in the final framework, which calls on
companies to (1) delete consumer data that they no longer need and (2) allow consumers to access their data
and in appropriate cases suppress or delete it.[120]
All of the principles articulated in the preliminary staff report are intended to work together to shift
the burden for protecting privacy away from consumers and to encourage companies to make strong
privacy protections the default. Reasonable collection limits and data disposal policies work in tandem
with streamlined notices and improved consumer choice mechanisms. Together, they function to provide
substantive protections by placing reasonable limits on the collection, use, and retention of consumer data to
more closely align with consumer expectations, while also raising consumer awareness about the nature and
extent of data collection, use, and third-party sharing, and the choices available to them.
b. Data Security: Companies Must Provide Reasonable Security for Consumer Data
It is well settled that companies must provide reasonable security for consumer data. The Commission
has a long history of enforcing data security obligations under Section 5 of the FTC Act, the FCRA and
the GLBA. Since 2001, the FTC has brought 36 cases under these laws, charging that businesses failed
to appropriately protect consumers’ personal information. Since issuance of the preliminary staff report
alone, the Commission has resolved seven data security actions against resellers of sensitive consumer
report information, service providers that process employee data, a college savings program, and a social
media service.[121] In addition to the federal laws the FTC enforces, companies are subject to a variety of
120 See In the Matter of Facebook, Inc., FTC File No. 092 3184 (Nov. 29, 2011) (proposed consent order), available at
http://www.ftc.gov/os/caselist/0923184/index.shtm (requiring Facebook to make inaccessible within thirty days data that a user
deletes); see also Do Not Track Kids Act of 2011, H.R. 1895, 112th Cong. (2011).
121 In the Matter of Upromise, Inc., FTC File No. 102 3116 (Jan. 18, 2012) (proposed consent order), available at
http://www.ftc.gov/os/caselist/1023116/index.shtm; In the Matter of ACRAnet, Inc., FTC Docket No. C-4331 (Aug. 17, 2011) (consent
order), available at http://ftc.gov/os/caselist/0923088/index.shtm; In the Matter of Fajilan & Assocs., Inc., FTC Docket
No. C-4332 (Aug. 17, 2011) (consent order), available at http://ftc.gov/os/caselist/0923089/index.shtm; In the Matter
of SettlementOne Credit Corp., FTC Docket No. C-4330 (Aug. 17, 2011) (consent order), available at
http://ftc.gov/os/caselist/0823208/index.shtm; In the Matter of Lookout Servs., Inc., FTC Docket No. C-4326 (June 15, 2011) (consent order),
available at http://www.ftc.gov/os/caselist/102376/index.shtm; In the Matter of Ceridian Corp., FTC Docket No. C-4325
(June 8, 2011) (consent order), available at http://www.ftc.gov/os/caselist/1023160/index.shtm; In the Matter of Twitter, Inc.,
FTC Docket No. C-4316 (Mar. 11, 2011) (consent order), available at http://www.ftc.gov/os/caselist/0923093/index.shtm.