[author: Rita Esposito]

With the US government slow to enact a major federal data privacy policy, the void is being filled by state legislatures and various federal agencies.

Navigating the choppy waters of US federal data privacy policy can be difficult, primarily because a lack of policymaking at the federal level has led to state – rather than federal – legislatures taking the lead on recent consumer privacy laws.

Five US states in particular can be considered leaders: California, Virginia, Utah, Connecticut and Colorado. Although their approaches to data privacy are not identical, the provisions adopted by these five address issues such as information sharing, removal and modification of collected data. Additionally, other pending laws exist in other states.

State law comparisons aside, the lesson here is that state law is enacted in recognition of the fact that consumers want their data privacy protected and they want a legal framework designed to ensure this protection.

On the federal side, things have progressed discontinuously. Although there have been discussions in Congress about potential new legislation — with one or two potential measures showing some prospect — the most recent efforts on Capitol Hill have made little headway over the past two decades, as the issues technology and privacy have become more complex. That leaves executive agencies, such as the Federal Trade Commission (FTC), as the primary official resource for guidance on federal data privacy policy.

The FTC has a long history. Founded in 1915, the FTC’s mission is to protect consumers and promote competition. Following the Privacy Act of 1974, the agency revamped its own records system. One of its best-known document collections is the do not call list, which keeps records of the telephone numbers of people who do not wish to receive telemarketing calls. The FTC also began in the 1970s to enforce the Fair Credit Reporting Act, which governs information collected by credit reporting agencies. Although part of its fair credit regulatory authority was transferred to Consumer Financial Protection Bureau when it was created in the 2010 Dodd-Frank Act, the FTC served for decades as the primary enforcer of privacy laws.

Businesses can often start at FTC website for guidance from the FTC in evaluating compliance with federal laws. The FTC has additional information covering disciplines such as advertising and marketing, credit and finance, privacy and security; it also covers industry sectors, ranging from funerals to finance, real estate and mortgages. Praising the use of plain language, the FTC strives to help businesses understand and comply with the law. Additionally, the FTC investigates and mitigates privacy incidents; and it has also indexed guidance documents that may clarify policy and offer guidance, although they do not have the force and effect of law behind them.

The FTC also intervenes on international issues, such as disputes over the Privacy Shield Framework. Following an administrative dispute by NTT Global Data Centers which involved non-compliance with EU-US Privacy Data Shieldthe FTC has established four compliance tips for businesses who transferred their consumer data from Europe to the United States. These tips included: I) keep the privacy statements up to date; ii) if you participate, comply with the provisions; iii) maintain certification; and iv) follow withdrawal procedures if withdrawal is chosen.

By accessing the FTC’s website, businesses can begin to research some of the privacy issues that businesses face on a daily basis, and the site can become a regular resource for keeping up to date on issues and changing practices in order to remain compliant with federal law.

Provide advice on COPPA

In another example, the FTC provides guidance on how Children’s Online Privacy Protection Act (COPPA) applies to the collection of personal information collected from children under the age of 13. In particular, COPPA covers the operatorsthat’s to sayanyone operating an Internet-based website or online service that collects or maintains personal information about users or visitors.

COPPA not only applies to gaming sites, educational sites, and online social media companies, it also applies to anyone who markets to children and collects information about them. Modern children carry phones, have debit cards, explore apps and are more comfortable with technology, which almost always involves the collection of user data. How information about them is shared and distributed is subject to strict requirements under COPPA. In a bulletin to chief executives and chief compliance officers of all national banks, department and division heads, and all examination staff, the Office of the Comptroller of the Currency (OCC) said :

COPPA, which comes into force on April 21, 2000, prohibits unfair or deceptive acts or practices in connection with the collection, use/or disclosure of personal information from and about children on the Internet. COPPA and the Final Rule [issued by the FTC] apply to national banks. Additionally, COPPA Section 1306 gives the OCC responsibility for enforcement. Review procedures, currently under development, will provide further guidance.

The FTC has a six-step compliance plan for COPPAand one of those steps is for a COPPA-covered business to have a privacy policy on its website, post a link to it, and include information such as:

  • a list of all operators (such as advertising networks) collecting personal information;
  • a description of the personal information and how it is used;
  • a description of parental rights explaining that only reasonably necessary information is required; parents can review this information, order its deletion, and opt out of any further collection of information. (Note that parents may prohibit the disclosure of collected information to third parties such as social networks); and
  • procedures allowing parents to exercise their rights.

Additionally, the FTC provides a table for specific and narrow exceptions to COPPA’s consent mandate.

For those seeking to ensure compliance with privacy or other government requirements, the FTC website may be helpful as a first step in the process. Additionally, as the law in an area develops, monitoring the site for interpretation and agency advice can save time, energy, and resources in the pursuit of a better understanding of the rules that apply in an ever-changing technological landscape.

[View source.]