FTC Regulations and Email Marketing

Last week, the United States Federal Trade Commission (FTC), the nation’s chief privacy policy and enforcement agency for 40 years, issued its final and long-awaited industry privacy report. The report also notes that the FTC received over 450 comments on the staff’s preliminary recommendations. Based on technological advances and industry developments since the December 2010 staff report and in response to the comments, the report refines the guidance for when companies should provide consumers with choice about how their data is used. While Congress considers privacy legislation, the Commission also urges individual companies and self-regulatory bodies to accelerate the adoption of the principles contained in the privacy framework. What was exciting was the report’s clear acknowledgement of how the industry self-regulatory models are working and its wishes to continue that. “We are confident that we as an industry can continue the self-regulatory efforts without legislation and the FTC agrees in their report.”

It also said that:

  • The FTC would be vigilant in enforcing self-regulatory codes of conduct among companies in the area of data privacy.
  • A company’s failure to live up to a voluntary code of conduct would act as a scarlet letter in an FTC enforcement action, which we’ve already seen heavily in the last year.
  • The FTC is interested in developing sector-specific codes of conduct, meaning tackling specific issues with specific regulations vs. umbrella regulations.

Also, over the course of the next year, the Commission staff will work to encourage consumer privacy protections by focusing on five main action items:

  • Do-Not-Track. The Commission did commend the progress made in this area: browser vendors have developed tools to allow consumers to limit data collection about them, the Digital Advertising Alliance has developed its own icon-based system and also committed to honor the browser tools, and the World Wide Web Consortium standards-setting body is developing standards.
  • Mobile. The FTC urges companies offering mobile services to work toward improved privacy protections, including “short” and meaningful disclosures. To that end, it will host a workshop on May 30, 2012 to address how mobile privacy disclosures can be short, effective, and accessible to consumers on small screens. If you haven’t seen TRUSTe’s mobile-optimized privacy notice, I suggest you check it out here.
  • Data brokers. The Commission calls on data brokers to make their operations more transparent by creating a centralized website to identify themselves, and to disclose how they collect and use consumer data. In addition, the website should detail the choices that data brokers provide consumers about their own information.
  • Large platform providers. The report cited heightened privacy concerns about the extent to which platforms, such as Internet service providers (ISPs), operating systems, browsers, and social media companies seek to comprehensively track consumers’ online activities. The FTC will host a public workshop in the second half of 2012 to explore issues related to comprehensive tracking.
  • Promoting enforceable self-regulatory codes. And again, the FTC will work with the Department of Commerce and stakeholders to develop industry-specific codes of conduct. To the extent that strong privacy codes are developed, when companies adhere to these codes, the FTC will take that into account in its law enforcement efforts. If companies do not honor the codes they sign up for, they could be subject to FTC enforcement actions.

The final report also calls on companies handling consumer data to implement recommendations for protecting privacy, including:

  • Companies should build in consumers’ privacy protections and data management procedures at every stage in developing their products using Privacy by Design, which is a wonderful concept, invented and championed by Ontario Privacy Commissioner Ann Cavoukian. These include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy.
  • Simplifying consumer choice, which simply could mean being more upfront about their choices for communications and also preference centers.
  • Companies should provide reasonable access to the consumer data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of its use.
  • Incorporating substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy.
  • Companies do not need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company’s relationship with the consumer, or are required or specifically authorized by law.
  • Increasing the transparency of their data practices.
  • Privacy notices should be clearer, shorter, and more standardized to enable better comprehension and comparison of privacy practices.
  • All stakeholders should expand their efforts to educate consumers about commercial data privacy practices.

Hopefully you can see that this is not a regulation or enforceable framework, but does apply to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or device, unless the entity collects only non-sensitive data from fewer than 5,000 consumers per year and does not share the data with third parties. For many of you this will apply and you should already being doing a lot of this because of best common practices you’ve learned over the years when it comes to digital marketing through channels like email.

Related reading

Signpost with two signs pointing in different directions, one labelled B2B and one labelled B2C.
Vector graphic of a hand holding a megaphone