Final Report of the FTC Advisory Committee on Online Access and Security

Background
On May 15, 2000, the Advisory Committee on Online Access and Security submitted its Final Report to the Federal Trade Commission. The following summarizes the Final Report (hereinafter "Report").

Access
To defined "reasonable access," the Advisory Committee focused on such issues as the scope of information to which the consumer should have access; the entities that should be obligated to provide consumers access to information about them; and appropriate and feasible means for authenticating access requests to prevent unauthorized access.

The Report acknowledged that implementing the fair information practice principle of Access is a complex task, and there was considerable disagreement among members as to how "reasonable access" should be defined, including whether access should vary with the use or type of data. The Report states that providing the consumer with access to information can promote accuracy and safeguard against errors or fraud in various circumstances, although member disagreed on the circumstances under which access should be provided and the data to which consumers should have access. Some members believed that allowing consumers to review all types of information held by businesses, including marketing data and data from offline sources linked to data collected online, is essential; other believed that"reasonable access" should be interpreted only as a framework for the correction of data used in making important decisions about a consumer.

Scope of access
The Report presented four options for defining the scope of access:


 * 1) the "total access" approach;
 * 2) the "default to consumer access" approach;
 * 3) the "case-by-case" approach; and
 * 4) the "access for correction" approach.

"Total access" approach
Under the "total access" approach, a consumer would be able to access all personal information, regardless of medium, method or source of collection, or the type of data in question. Such information might include physical address, phone number, email address, bank account numbers, credit card numbers, gender, age, income, browser type, operating system type, preference data, transactional data, navigational and clickstream data, and inferred or derived data. The principle underlying this approach is that businesses' information practices should be completely transparent to consumers.

"Default to consumer" approach
Under the "default to consumer" approach, a website would establish a mechanism to make available personal information collected online that is "retrievable in the ordinary course of business." Information "retrievable in the ordinary course of business" is information that can be retrieved by taking steps that are regularly taken by the business with respect to the information, or that the organization is capable of taking under its existing procedures, so long as doing so is not unreasonably burdensome.

The "unreasonable burden" concept helps define what is and what is not retrievable in the ordinary course of business. Thus, the business would not need to set up new databases to maintain information in order to provide access, although the business would need to provide access to aggregations of data that it possesses and retrieves itself. Finally, the business could limit a consumer's access to information where considerations such as another individual's privacy outweigh the individual's interest in access.

"Case-by-case" approach
Under the "case-by-case" approach, access would depend on factors such as the content of the information, the holder of the information, the source of the information, and the likely use of the information. Differences in industry sectors would also be considered. Under this approach, there is no presumption for or against access, and implementation could result in broad or narrow access. For example, consumers could have access to sensitive information collected about them, such as financial and health data, but consumers may have less access to other data, such as inferred data and internal identifiers.

"Access for correction" approach
Under the "access for correction" approach, a website would grant to personal data in its files only where the website uses the personal information to grant or deny significant benefits to an individual, and where granting access would improve the accuracy of the data in a way that justifies the costs. Examples of personal information used to grant or deny significant benefits include credit reports, financial qualifications, and medical records.

Application to other entities
The Report also evaluated whether the Access principle should apply to entities other than the original data collector. Members of the Advisory Committee generally agreed that businesses should provide access to data held by their agents. Some members believed that the obligation to provide access to data held by their agents. Some members believed that the obligation to provide access should also be extended to "downstream" recipients of the data in order to provide adequate privacy protections for consumers. Others believed that this requirement would be too burdensome.