The US Federal Trade Commission (FTC) has completed an extensive review (FTC Review) of current commercial privacy practices and consumer privacy concerns. The FTC Review identified a number of significant shortcomings in the current approach to protecting the privacy of consumers.

Some of the current shortcomings cited are:

• Policies are designed to limit the liability of businesses and not to inform the consumer of his or her rights.
• The policies are increasingly complicated and the potential uses of a consumer’s data are very difficult to interpret.
• The policies do not give any viable choices to the consumer. The consumer’s privacy choice is often either to accept these onerous privacy terms or do not use the service at all.
• The traditional distinction between anonymous and personal, identifiable information is blurred, as it becomes easier to identify individuals using a combination of supposedly anonymous data.
• The current approaches of the FTC, in light of these complexities of current data collection practices, are too reactive and inconsistent to be effective.

The FTC’s proposed approach comprises three elements:

1. Businesses should adopt a “privacy-by-design” approach by building privacy protections into their everyday business practices. Acceptable protections and practices would be, to a large extent, outlined by the FTC to provide businesses with more guidance.
2. Businesses should provide consumers with simple and streamlined choices for the use of their personal information. Certain practices would no longer require consent of the consumer, where consent can be reasonably inferred or where required to comply with applicable laws. The consumer would be faced with simpler and more meaningful choices, preferably presented at the time the consumer provides the data to the business.
3. Privacy policies should be improved to present information clearly and to transparently describe a business’s practices.

The FTC seeks comments from interested parties by January 31, 2011.

In many respects the proposals represent a significant step forward and seem to have been influenced by Canadian privacy practices in at least one respect: the “privacy-by-design” aspect of the proposed framework builds on the approach advocated by the Ontario Information and Privacy Commissioner, Ann Cavoukian. In many other respects, the report identifies issues that align with the CSA Model Code, which formed the foundation for, and is incorporated into, Canada’s federal privacy legislation, PIPEDA. However, Canadian businesses doing business in the US or selling to US consumers may wish to adopt the FTC’s approach in addition to complying with Canadian privacy laws. And, in the future, Canadian privacy commissioners may choose to integrate the best aspects of the FTC’s approach into Canadian privacy enforcement practices.

Here are links to the FTC Review, to remarks by the Chair of the FTC, and to Ontario’s Information and Privacy Commissioner’s Privacy-by-Design web site.

Summary by: James Kosa