The Federal Trade Commission has released a report on online privacy that emphasizes three business best practices, one of which is letting consumers consent to the secondary use of their individually identifiable information.
The 112-page report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers, calls on companies handling personally identifiable information to provide consumers with the "option to decide what information is shared about them, and with whom," according to a summary of the report on the FTC website.
A similar consent provision was included in the initial federal rule covering healthcare information privacy written in 2000 to flesh out the Health Insurance Portability and Accountability Act of 1996, the key federal healthcare IT privacy law. The HIPAA privacy rule was changed in 2002, however, to grant hospitals, office-based physicians and other so-called covered entities permission to disclose personally identifiable patient information for treatment, payment and a broad category of "other" healthcare operations. The new FTC-proposed privacy framework would have no legal effect on HIPAA-covered entities, but HHS is in the process of updating the HIPAA privacy rule to incorporate more-stringent privacy protections within the American Recovery and Reinvestment Act of 2009, including restoring patient consent on a limited basis.
The FTC would effectuate patient choice with a "do not track" mechanism that could be built into Web browsers and be honored voluntarily by online commerce sites. One of the two other basic principles in the report is "privacy by design," a concept with roots in Canada that looks to companies and organizations to "build in consumers' privacy protections at every stage in developing their products," according to the report summary.
The FTC also called for companies to be more transparent about their collection and use of consumer information and to give consumers access to data gathered about them. The report is a follow-up to a staff report on online privacy issued by the FTC in December 2010.
Some of the recommendations in the new report would require legislation, including a law affording "baseline" privacy protection, according to FTC Chairman Jon Leibowitz, who spoke at a news conference Monday about the report. However, Leibowitz said he was optimistic that enlightened self-interest, not legislation, would lead to substantial industry adoption of a do-not-track option by the end of this year.
"I'm very hopeful that do-not-track can be done without legislation," he said. "I think that companies would be wise to avoid that."