Feds Offer Best Practices for Customer Privacy
Hospitality industry operators often collect information to better serve their customers. Information may be collected during various touch points, including employee-guest interactions, the company website, and through business partners, and may include personal identifiable information, preferences, groups with which customers are affiliated, etc. While customers understand that sharing their personal information helps businesses better serve their needs, they also have a right to know how that personal information is being collected, used and shared.
Recently, the Federal Trade Commission released its final report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policymakers.” This final report calls on Congress to enact general privacy, data security and breach notification, and data broker legislation in order to protect consumer privacy. While Congress works on drafting legislation, the FTC is calling on companies to self-regulate by adopting the “best practices” set forth in the FTC’s privacy framework. The FTC’s recommended best practices are: (1) privacy by design; (2) simplified choice; and (3) greater transparency.
The privacy framework applies only to commercial entities that collect non-sensitive data from more than 5,000 customers per year. Moreover, to the extent that the framework goes beyond current legal requirements, law enforcement is not to use these best practices as a template for actions or regulations under laws currently enforced by the FTC. However, it is expected that the principles of the privacy framework will appear in resolutions to FTC enforcement actions as requirements of consent orders.
Privacy by design: This element recommends that entities build in privacy at every stage of product development. Substantive protections include data security efforts such as encryption, reasonable collection limits, sound retention and disposal practices, and data accuracy. Policies and procedures should be designed that:
•Protect personal information from unauthorized access;
•Keep personal information accurate and up-to-date;
•Require that business partners with which information is shared exercise reasonable efforts to maintain the confidentiality of personal information about customers;
•Educate employees regarding privacy and best practices for protecting customer information;
•Protect personal information transmitted via websites during online transactions or when using other technology.
Simplified choice: A customer should be offered a choice at the time, and in the context, that his or her data would be used. Affirmative consent should be obtained before data is used in a manner different than when collected, and when sensitive data is being collected for a certain purpose. Let customers know that they can opt-out of having their information used for marketing purposes, and of having their online behavior tracked by “cookies” or other technologies.
Greater transparency: A customer should be provided with reasonable access to company-maintained data. The extent of a customer’s access should be proportionate to the sensitivity of the data and the nature of its use. In privacy policies, educate customers regarding how information is collected and used. Also, provide customers with contact information should they have any questions regarding their personal information.
By complying with the above privacy framework, not only will your business be following best practices recommended by the FTC, your customers will appreciate that you are keeping them, and the security of their information, a top priority.
What was your first job?
Cutting grass for neighbors
Who inspires you?
My wife and kids
What are your hobbies?
Kayaking and hiking
What technologies excite you?
Anything Apple
Sage advice:
The way that organizations treat privacy and information security is a part of the customer experience and all businesses should make addressing these issues a priority.
What three people would you invite to lunch?
My grandmother, Ronald Reagan, and any of the Supreme Court Justices
What is your favorite book?
The Poisonwood Bible
What is your favorite vacation spot?
Kenya and Hawaii
Theodore J. Kobus III, Esquire, is a partner at Baker & Hostetler LLP, whose clients include a variety of individuals and businesses in such diverse industries as hospitality, healthcare, financial services, media, energy, sports and technology. Kimberly Wong is an associate with the firm.
Additional reporting by:
Kimberly Wong
Associate/ Baker & Hostetler LLP
Recently, the Federal Trade Commission released its final report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policymakers.” This final report calls on Congress to enact general privacy, data security and breach notification, and data broker legislation in order to protect consumer privacy. While Congress works on drafting legislation, the FTC is calling on companies to self-regulate by adopting the “best practices” set forth in the FTC’s privacy framework. The FTC’s recommended best practices are: (1) privacy by design; (2) simplified choice; and (3) greater transparency.
The privacy framework applies only to commercial entities that collect non-sensitive data from more than 5,000 customers per year. Moreover, to the extent that the framework goes beyond current legal requirements, law enforcement is not to use these best practices as a template for actions or regulations under laws currently enforced by the FTC. However, it is expected that the principles of the privacy framework will appear in resolutions to FTC enforcement actions as requirements of consent orders.
Privacy by design: This element recommends that entities build in privacy at every stage of product development. Substantive protections include data security efforts such as encryption, reasonable collection limits, sound retention and disposal practices, and data accuracy. Policies and procedures should be designed that:
•Protect personal information from unauthorized access;
•Keep personal information accurate and up-to-date;
•Require that business partners with which information is shared exercise reasonable efforts to maintain the confidentiality of personal information about customers;
•Educate employees regarding privacy and best practices for protecting customer information;
•Protect personal information transmitted via websites during online transactions or when using other technology.
Simplified choice: A customer should be offered a choice at the time, and in the context, that his or her data would be used. Affirmative consent should be obtained before data is used in a manner different than when collected, and when sensitive data is being collected for a certain purpose. Let customers know that they can opt-out of having their information used for marketing purposes, and of having their online behavior tracked by “cookies” or other technologies.
Greater transparency: A customer should be provided with reasonable access to company-maintained data. The extent of a customer’s access should be proportionate to the sensitivity of the data and the nature of its use. In privacy policies, educate customers regarding how information is collected and used. Also, provide customers with contact information should they have any questions regarding their personal information.
By complying with the above privacy framework, not only will your business be following best practices recommended by the FTC, your customers will appreciate that you are keeping them, and the security of their information, a top priority.
What was your first job?
Cutting grass for neighbors
Who inspires you?
My wife and kids
What are your hobbies?
Kayaking and hiking
What technologies excite you?
Anything Apple
Sage advice:
The way that organizations treat privacy and information security is a part of the customer experience and all businesses should make addressing these issues a priority.
What three people would you invite to lunch?
My grandmother, Ronald Reagan, and any of the Supreme Court Justices
What is your favorite book?
The Poisonwood Bible
What is your favorite vacation spot?
Kenya and Hawaii
Theodore J. Kobus III, Esquire, is a partner at Baker & Hostetler LLP, whose clients include a variety of individuals and businesses in such diverse industries as hospitality, healthcare, financial services, media, energy, sports and technology. Kimberly Wong is an associate with the firm.
Additional reporting by:
Kimberly Wong
Associate/ Baker & Hostetler LLP