It is no secret that “Big Data” offers revolutionary potential for companies, and already many are pushing the limits with more targeted marketing and customer intelligence gathering. Now the Federal Trade Commission is working to carve out a role as the protector of consumer privacy as companies ramp up those Big Data efforts.

In an August speech to the Technology Policy Institute, an influential think tank that focuses on innovation and technological change, FTC Chairman Edith Ramirez suggested that her agency should use its authority to regulate the evolution of Big Data and ensure “rigorous privacy safeguards.” “Like a vigilant lifeguard, the FTC's job is not to spoil anyone's fun but to make sure that no one gets hurt,” she told the audience. “The time has come for businesses to move their data collection and use practices out of the shadows and into the sunlight,” she said.

During the speech, Ramirez made a case that the FTC was duly empowered by Congress to take on that challenge. The Federal Trade Commission Act gives the FTC authority for preventing unfair or deceptive acts or practices that may affect interstate commerce, which, according to Ramirez, extends to those related to privacy and data security.

Ramirez's speech is just the latest indication that the FTC is staking its claim as the new sheriff in town to police Big Data practices. It has backed these fighting words with action, asserting its authority against companies it says failed to provide reasonable data security. In total, the FTC has brought more than 40 data security cases, including against LexisNexis, ChoicePoint, and Twitter, for failing to provide reasonable data security safeguards. Actions against Google, Facebook, MySpace, and others alleged that they deceived consumers by breaching commitments to keep their data confidential. Last year, it sued the Wyndham hotel chain for poor data security practices that led to three data breaches in an 18-month period and more than a half-million credit card files falling into the hands of an identity-theft ring based in Russia.

Last week, when a coalition of consumer privacy advocates fought back against Facebook's proposed changes to its privacy policy, changes they say would give it unfettered use of user data and content for advertising, they turned to the FTC to intervene. The Commission already monitors online and app privacy as it relates to kids, under the Children's Online Privacy Protection Act, and it is even looking to extend its reach to the privacy risks of household appliances and cars connected to the Internet.

FTC Commissioner Julie Brill has been advocating the “Reclaim Your Name” initiative, a self-regulatory program that encourages individuals to find out how brokers are collecting and using their data. The plan would give people access to information that data brokers have amassed about them; allow them to opt out if they learn that a data broker is selling their information; and provide consumers the opportunity to correct errors in information used for decisions about substantive benefits.

The FTC's actions and Ramirez's speech suggesting increased scrutiny of Big Data practices are setting off alarm bells for many companies that collect or store consumer data. The speech “suggested not recommendations of best practices but what could be interpreted as mandates,” says Alan Friel, a partner at law firm Edwards Wildman Palmer. He views the use of its “unfairness authority” under Section 5 of the Federal Trade Act as “a cause for concern.”

Friel is also concerned that the FTC may be over-stepping its authority. To prove unfairness, the FTC must establish that a practice is likely to cause substantial harm or injury to consumers; that injury is not reasonably avoidable; and that injury is not outweighed by countervailing benefits to the consumer or competition. “Many feel that this is not a clear standard sufficient to give companies notice of what they can and cannot do with respect to consumer privacy,” Friel says. “Its application to Big Data would allow the FTC to essentially create law without the clear authority or direction of Congress.” It would also fall outside of the rulemaking process, which requires notice and public comment, he says.

A Legal Challenge

As the FTC has sued companies over cyber-security breaches or inadequate privacy security policies, most have quietly acquiesced and agreed to out-of-court settlements and consent decrees. Wyndham, however, is fighting back against claims that it engaged in “unfair or deceptive” practices by not maintaining appropriate data security protections. Its defense is that Congress never granted the FTC cyber-security oversight and, therefore, the agency's lawsuit exceeds its enforcement authority.

Perhaps the biggest challenge for Wyndham is that the FTC also alleges it made misrepresentations of its data security safeguards and practices. “Even if the FTC loses its unfairness jurisdiction in data security, it can still go after sloppy security practices where, as most companies do, the company stated that it maintains a high level of security,” Friel says.

The Wyndham case is important, but unlikely to significantly change the trend toward regulation and prosecution of companies for data security issues, says William Terpening of the law firm Nexsen Pruet.

According to Terpening, the FTC and other authorities are enforcing laws that are already on the books, including statutes protecting children and consumers of financial products and healthcare services. Also, Terpening says, data privacy has captured the public's attention, causing them increasingly to see data privacy rights as analogous to more traditional civil and constitutional privacy rights. “As people start to regard digital information as their property, we will see increasing tension between consumers and companies over who gets to own and use digital information,” he says.

What to Do?

Given the FTC's crackdown and the uncertain outcome of the Wyndham legal challenge, what should companies that broker in Big Data do?

Friel suggests studying the FTC's 2012 report, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers.”

FTC ON BIG DATA

The following are from recent remarks made by FTC Chairman Edith Ramirez regarding the Federal Trade Commission's renewed focus on “Big Data” privacy issues.

One risk is that the lure of “big data” leads to the indiscriminate collection of personal information. Some big data proponents argue that data is now the raw material of innovation, and therefore more data is always better. We are told that during the Industrial Revolution, there was no such thing as too much coal and iron ore. The resulting steel sparked the innovation that transformed the world—skyscrapers, high speed trains, and so on. Today's raw material, the argument goes, is data, and we need as much of it as we can collect.

That's a bridge—maybe even a steel bridge—I wouldn't buy. The indiscriminate collection of data violates the First Commandment of data hygiene: Thou shall not collect and hold onto personal information unnecessary to an identified purpose. Keeping data on the off-chance that it might prove useful is not consistent with privacy best practices. And remember, not all data is created equally. Just as there is low quality iron ore and coal, there is low quality, unreliable data. And old data is of little value. Is there really any worth to my law school search history when I was struggling to understand the rule against perpetuities? Should that data be held in perpetuity?

Source: FTC.

The report calls on companies handling consumer data to implement recommendations for protecting privacy, including: building in reasonable security for consumer data, limited collection and retention, and procedures to promote data accuracy; giving consumers the option to decide what information is shared about them, and with whom, including do-not-track tools; and greater transparency of their use of consumers' information, and providing consumers access to data collected about them.

The actions presented in that report shouldn't be treated as mere suggestions, Friel says. Ramirez specifically referenced them in her speech, and they will likely be the drivers of enforcement action.

Companies must do whatever they can to avoid a claim of false or misleading advertising. “This requires regular audits and updates,” he says. “They should have a chief privacy officer who works with the heads of all groups that touch consumer or employee data to develop a good compliance program.” 

He warns that companies doing business internationally are likely subject to more consumer-protective privacy schemes such as those of the EU, and may decide it is simply most efficient to apply some or all of those standards to U.S. operations.

“The best first measure in dealing proactively with digital data compliance issues is to treat the problem like any other old-fashioned compliance problem, because that is how the law will see and address the problem later,” Terpening says. Companies must understand that most digital breach problems will be “people problems” where digital data gets compromised because of human error or greed.

“Companies run into problems because they do not train and monitor their employees and systems properly, and they don't properly guard against criminal threats,” he says.