Do Not Track - the FTC's New Privacy Framework
The FTC yesterday reported its endorsement of a "Do Not Track" mechanism that would give consumers a means to avoid the collection of data about their online browsing of products and services. Such data is often used for targeted online ads. In examining the need for a new framework, the FTC cited slow progress in online industry self-regulation.
The specific implementation method discussed was an opt-out using a persistent browser cookie that would notify advertisers of the user's privacy options.
The FTC report also touched upon some other interesting privacy protection ideas including standardized notices and access to consumer data held by data brokers. The report recognizes that companies need not seek consent for common practices related to specific transactions, legal compliance, service improvement, prevention of fraud, and first-party marketing. Presumably, this means that websites will be able to ignore the "Do Not Track" cookie when engaging in such practices.
The report also contains significant discussion of privacy practices that transcend the online world. The FTC advocates a "privacy by design" approach (http://www.privacybydesign.ca). Under this approach, companies should build privacy protections such as security, limited collection, limited retention, proper disposal, and accuracy procedures into their daily business practices. This approach will present an interesting twist for many companies that have relied on past authority to clearly state in their online privacy policies that such policies do not apply to information collected offline.
Public comment on the report is accepted until January 2011. Until the FTC finalizes its position on these matters, companies may consider focusing on more specific disclosures with respect to practices that involve the transfer of data to third parties for targeted advertising purposes or otherwise. Companies should also pay close attention to privacy issues in everyday business practices. Clearly, this report is an indication that a detailed privacy policy will not suffice in the future.



