The report, which builds upon a less formal staff report published in December 2010 with public input and recent developments, aims to outline how the FTC believes Internet companies should protect consumers' privacy through a process of self-regulation. The report does warn however that legislative measures could be called for in certain instances.
Perhaps most important in the recommendations are the acceptable data practices that are outlined. The FTC says companies should "take reasonable measures to ensure that the data is de-identified," should publicly commit not to re-identify the data and build provisions into their contracts with downstream data recipients that forbid them from trying to re-identify the data.
Another important change, aimed at lessening the burden on small businesses, is that the FTC now says its framework should not apply to companies the collect non-sensitive data from fewer than 5,000 customers annually as long as they do not share the data with third parties.