Consumers are becoming increasingly concerned about the privacy of their personal information shared with businesses. By “privacy,” I mean the collection, use, and sharing of consumer personal information (as opposed to “security,” which is protecting this information from unauthorized access).
In the US, the primary regulatory agency for consumer privacy is the Federal Trade Commission (FTC), which derives this authority under the FTC Act. The FTC Act prohibits “unfair or deceptive acts or practices in or effecting commerce.” While the statute doesn’t specifically state what privacy practices are considered unfair or deceptive, and the FTC hasn’t set forth specific privacy regulations, the FTC makes this determination on a case-by-case basis.
Through its enforcement actions and published guidance (including a report, Protecting Consumer Privacy in an Era of Rapid Change), the FTC has made clear that businesses should honestly, transparently, and with full disclosure inform consumers about their data privacy practices.
More specifically, the FTC has made clear that it expects businesses to adhere to the following privacy principles:
Privacy by design: Businesses should promote and incorporate consumer privacy protection into every aspect of their products and services. This includes:
- Limit data collection. Businesses should limit data collection to the minimum needed for business purposes (if you don’t collect it, you don’t have to secure it), consistent with the context of the customer’s transaction or relationship with the business.
- Limit data retention. Businesses should limit the retention of data and dispose of it once it no longer serves the legitimate business purpose for which it was collected.
- Secure data disposal. Businesses should securely dispose of data– render digital files unreadable, undecipherable, and unrecoverable, and shred paper files.
- Data accuracy. Businesses should take reasonable steps to ensure data is accurate, taking into consideration the business’s use, and sensitivity, of the data. For example, businesses using consumer data to make decisions about a consumer’s eligibility for credit should take robust measures to ensure data accuracy. On the other hand, such steps would not necessarily be required for data used for marketing purposes.
- Data security. Businesses should keep data secure with reasonable technical, administrative, and physical safeguards. For more insight about how to do this, see my previous article.
Simplified consumer choice: Businesses should give consumers clear choices regarding the collection, use, and sharing of their personal data. And, the mechanisms for consumers to make these choices should be simple.
- Under what circumstances should businesses provide consumers with choices? For businesses that collect, use, or share consumer data in a manner consistent with the context of the transaction or the relationship with the consumer (for example, to complete the consumer’s transaction, to facilitate delivery of products/services, fraud prevention, etc.), providing consumer choice may not be required. Conversely, practices that could be inconsistent with the context of the transaction or consumer relationship (for example, selling consumer data to third parties, tracking consumer activity across websites or platforms, etc.) would likely require consumer choice.
- Timing of providing choices. When businesses do provide consumers with choices about their data, it should be done at a time and in a context that is relevant to the consumer’s decision. This often means that the choices should be made available at or just before the time that the business collects the consumer’s data.
Access: Consumers should have reasonable access to the data that businesses maintain about them. “Access” means, in this context, the ability of consumers to review their own data. According to the FTC, this access should be “proportional to the sensitivity and the intended use of the data at issue.” For example, for businesses that maintain data merely for marketing purposes, the cost of providing individual consumers access to this data would likely outweigh the benefits. However, even in those circumstances, consumers should at least be given access to a list of the categories of data, and the ability to opt-out of this data being used for marketing. On the other hand, businesses that maintain consumer data for purposes that go beyond marketing (for example, using the data to make decisions about a consumer’s eligibility for credit or other benefits), should, at a minimum, also provide consumers with access to the source of the data so the consumer may try to correct inaccurate data.
Businesses that adhere to these privacy principles are not only more likely to stay off the FTC’s radar, but will also be making a sound business decision. While consumer data can be valuable to your business, it is also valued by consumers. And, with today’s constant news of privacy mishaps, privacy has become a competitive differentiator upon which businesses can easily capitalize.