In her opening remarks, FTC Commissioner Julie Brill indicated the agency was open to revising its consumer privacy framework if comprehensive data collection warranted heightened restrictions or enhanced consent to protect and inform users: “We know that comprehensive data collection allows for greater personalization and other benefits, but there may be other contexts in which it does not lead to desirable results.”

The workshop was one of five main action items adopted by the FTC as part of its March 2012 report, Protecting Consumer Privacy In an Era of Rapid Change.  In the report, the commission told companies that consent was not required for the collection and use of information that was consistent with a particular transaction or the company's relationship with the consumer. But the agency said it needed more information to determine how this principle applied to technologies that could capture large amounts of consumer information, such as deep packet inspection (DPI).

There Are Benefits of Tracking

The experts all agreed that there are obvious benefits of data collection. The aggregation of data can be used to provide data security, offer effective personalization for consumers, and aid in the development of new products and services.

Consumers Can Also Be Harmed by Tracking

Conversely, everyone agreed that the more data that is collected, the greater the risk for harm from certain uses of the data. This harm is often recognized is economic in nature, but some participants pointed out that harm can also be reputational. Where consensus broke down was over the question of whether the data collection, itself, is a form of harm.

Most Consumers Don’t Understand Data Collection

Consumers, in general, have little understanding about how much of their personal data is collected online—let alone who is collecting it, how they are doing it, and why it is being done. Because so much of the data collection happens behind the scenes, it is hard to say that consumers are making informed decisions about the web-based products they use in their everyday lives, even when they are provided with notice and choice.

The Need for Technology-Neutral Regulation

Although the FTC moderators were interested in DPI—a technology that can be used by Internet service providers and other companies to inspect the content of packets as they travel over the Internet—the experts emphatically stated that regulators should not demonize technology, but instead, regulate certain uses. Panelists explained that by focusing on specific technologies, such as DPI or cookies, regulators miss the complexity of the issues. Because technology is ever changing, there will always be an alternative way of collecting large amounts of data. Since there is no single choke point, participants suggested that regulators examine the harmful uses of data that need to be prevented and policed against

James Bormes, a Chicago lawyer, paid a $350 court filing fee through the federal government’s pay.gov system with his American Express card. He was sent an electronic receipt for the transaction, which contained his credit card’s expiration date. Bormes alleged that this violated FACTA's prohibition on printing expiration dates on credit card receipts issued at the point of sale.  He sued the government, seeking class-action status on behalf of thousands of people issued receipts that displayed card expiration dates or more than the last five digits of credit and debit card numbers (which FACTA also prohibits).

The district court initially dismissed the suit, finding that the FCRA does not contain an explicit waiver of the government’s sovereign immunity and could, therefore, not allow for the plaintiff’s damages claims. Bormes appealed to the Federal Circuit, which has exclusive jurisdiction for appeals in which a lower court’s jurisdiction was based partly on the Little Tucker Act. The government moved to transfer the suit to the Seventh Circuit, arguing that the Act’s jurisdictional provision did not apply. The Federal Circuit denied the motion and vacated the lower court’s ruling. The federal government then took the sovereign immunity issue to the Supreme Court.

“Where, as in FCRA, a statute contains its own self-executing remedial scheme, [courts] look only to that statute to determine whether Congress intended to subject the United States to damages liability.” The Court ruled that the federal government, therefore, does not necessarily give up its sovereign immunity in FCRA cases. It refrained, however, from deciding whether the FCRA, on its own, waives that immunity. Transferring the case for remand the Court reserved that question for the Seventh Circuit to consider.

Looking ahead, even if the Seventh Circuit concludes that the FCRA does, in fact, waive the government’s immunity, it will be an uphill battle for Bormes. In 2010, the Seventh Circuit, in Shlahtichman v. 1-800 Contacts, Inc., 615 F.3d 794 (7th Cir. 2010), ruled that the FACTA does not apply to electronic displays or e-mail confirmations of online transactions.

The law governing mobile payments is a complex blend of existing laws including the Electronic Fund Transfer Act and Gramm-Leach-Bliley as well as rapidly-changing state laws. In deploying mobile payment technologies, depository institutions should carefully analyze and address all of the relevant authorities.

HP demonstrated an automated tool that it is testing as part of its privacy by design implementation which looked impressive. The HP "Accountablity Model Tool" sends records and reports to the HP privacy office as products are developed.  Google introduced the audience to the "data liberation front" which enables users to extract their data from Google products - see www.dataliberation.org.

I spoke on a second panel discussing privacy issues associated with US distribution chains.  Chris Olsen, Assistant Director in the Division of Privacy and Identity Protection at the Federal Trade Commission, led the privacy discussion on our panel.  Chris emphasized the same three themes as Commissioner Brill - privacy by design, transparency and choice and discussed some recent enforcement actions.  In my comments I pointed out that distribution chains validate the FTC report's suggestion that baseline privacy regulation should apply to all entities that have access to consumer data, because this will help ensure that intermediaries in distribution chains also respect consumer privacy.  Intermediaries may have access to vast amounts of data but they are often invisible to consumers.  Such intermediaries are not constrained by the fear of consumer backlash, as consumers are unaware of their role - so hence the need for regulation to cover such data intermediaries.  The luma graphic illustrates just how many intermediaries now exist in the digital economy.  I also commented that contracts remain an important tool in achieving good privacy practices because they provide the basis for day to day enforcement of good privacy practices between business partners.

It was my first time to the ABA Antitrust Spring meeting and I was certainly impressed with the quality of the event. 

My first observation is that both the report and the green paper emphasize the need for a coordinated and well managed set of policies with respect to privacy and security arrangements in contracts with third party business partners. 

The FTC’s framework advocates for “privacy by design” where companies promote consumer privacy throughout their organizations.  As companies’ operations are supported by a complex mix of internal and external IT resources, privacy by design necessitates that privacy and security considerations be addressed in every contract with an external IT service provider. 

The DOC focus is on broader adoption of better Fair Information Practice Principles (FIPP) backed up by the ability to assess and audit compliance.  In relation to external IT resources, that ability to assess and audit is wholly dependent on the terms of the contract between the customer and the provider.  IT contracts also need to require that the provider comply with the customer’s policies on FIPPs. 

One aspect of the DOC green paper that I like is the idea of a safe harbor for companies that do implement FTC-approved codes of conduct.  Perhaps one of these codes of conduct could be a set of baseline principles for contracts with IT service providers.  Creating an optional, but enforceable and standard set of principles on privacy and security would create some new efficiencies in contract negotiations.  It is unrealistic to create a one-size-fits-all set of security standards and mechanisms, as IT contracts are so diverse and cover so many different types of environments.  But a code of conduct could create some baselines for IT contracts.  For example, basic principles could include a requirement for reasonable security measures, a prohibition on any use of customer data beyond what is necessary for service delivery and a right to conduct reasonable audits and assessments or a right to receive regular shared audit reports conducted by an independent third party. 

The safe harbor protection would offer the “carrot” necessary to encourage the market to adopt these as standard principles and dispense with some of the threshold quibbling as to whether it is appropriate for the contract to include such terms.  Such a code of conduct would directly support consumer privacy, because companies can only provide assurances to consumers regarding privacy and security if they have sufficient control over the consumers’ data, including control over the data when it is in the hands of third parties such as IT service providers.  Even if no new legislation materializes as a result of the FTC and DOC documents, it is clear that companies simply cannot take a passive approach to these issues in relation to IT contracts. 

In my next post I provide observations on some changes to consider for form contracts based on  the FTC report’s commentary on the PII vs non-PII distinction and re-indentification of data.