On Monday, the National Association of Attorneys General (NAAG) held its Spring Consumer Protection Conference in Washington, DC, which was attended by AG staff from 40 states and the District of Columbia. A panel on data privacy, “Latest Developments in Privacy Issues,” highlighted developments that are noteworthy for a wide array of consumer-facing businesses. FTC Commissioner Julie Brill and John Morris, the Director of Internet Policy at the National Telecommunications and Information Administration (NTIA) (part of the Commerce Department), spoke on the panel, which was moderated by Esther Chavez, an Assistant Attorney General from Texas.
Panel Discussion: “Latest Federal Developments in Privacy Issues”
- The chief message from both Commissioner Brill and Director Morris was that there is an acute need for privacy legislation, regulation, and enforcement on both the federal and state levels. They urged states to get involved in drafting legislation and expressed a desire to see states involved in enforcement.
- Commissioner Brill discussed the March 2012 FTC report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers. The report makes three recommendations for businesses handling consumer data: (i) privacy by design (build privacy protections into products as they are developed); (ii) simplified choice (provide consumers with the option to decide what information is shared and with whom, e.g., Do-Not-Track); and (iii) transparency regarding the collection and use of information and access for consumers to review (and correct) their personal data. The FTC also wants Congress to enact basic privacy legislation allowing for AG enforcement. The FTC’s “to do” list for this year is:
  - Development of do-not-track mechanisms (expected to be complete by the end of the year);
  - Development of greater privacy disclosures in mobile phones (Commissioner Brill thought the CA AG’s recent global agreement with mobile app operators on consumer privacy protections was a good start);
  - Scrutiny of data brokers as a result of their possession of a large volume of data and their relative obscurity from public view;
  - Development of self-regulatory codes of conduct that are sector-specific; and
  - Enforcement actions in appropriate circumstances.
- Commissioner Brill also stressed that states have a unique role in the privacy area based on what they see locally and their enhanced tools for financial recovery/penalties beyond that which the FTC may be able to pursue.
- Director John Morris discussed the Administration’s February 2012 Consumer Privacy Bill of Rights, which sets out expectations for companies that handle and use personal data. He stated that the Administration hopes that Congress enacts the Consumer Privacy Bill of Rights, which should include mechanisms for FTC and State AG enforcement. NTIA is soliciting input from all stakeholders, including State AGs, about how to create enforceable codes of conduct that apply the Bill of Rights in specific business contexts.
Takeaway for Business:
Maryland AG Gansler’s Presidential initiative for 2012-13 will examine issues surrounding privacy, including data protection measures and the collection and use of data. Given that initiative, and especially given the federal government’s advocacy for state enforcement and regulatory involvement, the states are likely to become more involved in looking at business practices affecting consumer data privacy. Therefore, it is important that businesses evaluate their privacy policies and practices in light of the concerns expressed in the recent FTC and Administration reports and proactively develop a strategy for dealing with State AGs on issues regarding consumer privacy.
Note: We recently hosted a webcast with AG Gansler where he discussed this issue, among others, and you can register to listen to a recording of the webcast here.