FTC Puts Off Privacy Report Until at Least Fall
SAN FRANCISCO -- “The fall is the target” for the Federal Trade Commission to release a report based on its three privacy roundtables in Washington and Berkeley, Calif., from December to March, an official said. Commission officials had been quoted as saying they were aiming for June or July. But the FTC is still reviewing the comments, which have taken a long time to transcribe, said Loretta Garrison of the Division of Privacy and Identity Protection late Tuesday at a Practising Law Institute seminar. The commission is still trying to decide what kind of report to produce, she said.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
A theme of the roundtables was that the central distinction between personally identifiable and anonymized information isn’t realistic anymore, Garrison said. That’s a result of the large amount of data readily available about a person online and off and the ease of piecing it together, she said. This changes the calculus for organizations that routinely have assumed “we don’t have to worry about” anything that isn’t personally identifiable, Garrison said. Senior Counsel Shannon Smith of the consumer protection division of the Washington Attorney General’s Office said she expects state law enforcers to “look more broadly at personal information” as deserving protection, beyond data such as Social Security numbers and categories such as medical and financial information.
States continue to impose new data-security requirements, officials said. A new Washington law extends liability to vendors with even “transitory control” over protected information, Smith said. The measure was pushed through the Legislature by financial institutions that wanted indemnification for the costs of breaches that aren’t directly against them but that they were “on the hook” for, she said.
And new data-security regulations took effect in Massachusetts in March “after several delays,” said Scott Schafer, the chief of the consumer protection division in that state’s Attorney General’s Office. Anyone, even if out of state, with personal information about Massachusetts residents must adopt a data security plan that, most controversially, requires encryption of data that goes over public networks or onto public devices, he said. This was softened during adoption with the proviso “to the extent reasonably feasible,” Schafer said. Enforcement “is largely going to remain the same” as it had been,” he said. The rules resulted from a massive breach of data held by the retailer TJX, headquartered in Massachusetts, Schafer said.