Privacy by design, meaning building privacy into a company's products and practices at each stage of development.

Simplified choices for consumers.

Greater transparency for data practices.

Mobile apps. The FTC report urges companies that offer mobile apps to work toward offering improved privacy protections. The FTC would like companies to develop concise mobile app privacy disclosures that tell users what data will be collected, how it will be used and how it will be shared. The FTC staff will hold a workshop to address mobile app disclosures.

Consumer choice on data collection and use. The FTC intends to make the collection and use of consumer information more transparent and provide consumers with access to their data. The FTC report outlines guidance for companies about when to provide consumers with choice about how their data is used. Under the FTC's framework, companies do not need to provide consumers with choice before collecting and using information for practices that are:

Do Not Track. The report calls on companies to allow consumers to control the collection and use of their online browsing data by developing and supporting an online Do Not Track mechanism. The report states that the FTC will work with certain groups to implement a system, including browser vendors, the Digital Advertising Alliance and the World Wide Web Consortium. In particular, the report cites heightened privacy concerns about the extent to which online consumer activity is tracked by internet service providers, operating systems, browsers and social media companies.

Data brokers. The FTC also recommends that Congress should consider legislation to increase oversight of data brokers and make their practices more transparent. In essence, data brokers buy, compile and sell highly personal consumer information. The report notes that consumers are often unaware of the data brokers' existence, or why they collect and use consumer data. To increase the transparency of data broker practices, the report:

Promoting enforceable self-regulatory codes. The FTC also plans to work with industry stakeholders to develop sector-specific codes of conduct. If strong privacy protection codes are developed, the FTC explains that it will view adherence to them favorably in its law enforcement work under Section 5 of the FTC Act. As part of the FTC's policing of unfair or deceptive practices, it will also police a company's failure to abide by any self-regulatory programs that it joins.

Reduction in scope. The final report made two important modifications as to scope:

Circumstances that do not require choice. In its preliminary report, the FTC proposed a principle providing that companies do not need to provide consumers with privacy choices before collecting and using their data for commonly accepted practices, such as product fulfillment. In the final report, the FTC refined this principle to state, as discussed above, that consumer choice is not required when reasonable given the context of the transaction or relationship with the customer, or required or specifically authorized by law.

Affirmative express consent. Both the preliminary and final report specify that a company should give consumers choice when the company's practices are inconsistent with the context of a particular transaction or the business relationship with the consumer. In the final report, the FTC specifies that companies should obtain affirmative express consent before:

The change addressing material retroactive changes is consistent with the FTC's recent voluntary consent orders, for example its November 2011 settlement with Facebook.

With respect to sensitive data, the FTC noted that because whether a particular piece of data is sensitive is often a subjective determination. Therefore, companies should be certain to implement all of the framework's components, including the ability to access and, if appropriate, correct or delete, data.