On January 6, 2016, the Federal Trade Commission issued its staff report on big data, Big Data:  A Tool for Inclusion or Exclusion? Understanding the Issues, following up on the FTC’s workshop on big data in September 2014 and seminar on alternative scoring products in March 2014.  The report provides an overview of the characteristics and lifecycle of big data, summarizes the benefits and risks of big data, and outlines considerations for companies using big data, including potentially relevant laws such as the Fair Credit Reporting Act, equal opportunity laws, and laws prohibiting unfair and deceptive acts or practices.

The report serves as a helpful resource for a company in evaluating the potential uses, benefits, risks, and compliance requirements for big data.  While many companies that already use big data will be familiar with the laws analyzed in the report and how to comply with them, new or emerging companies or companies that do not regularly work with consumer protection or financial services laws should read the report with care to develop an understanding of the legal framework applicable to the use of big data.
Continue Reading The FTC Staff Report on Big Data

On Tuesday, the FTC announced the agenda for PrivacyCon, which is being billed as a “first-of-its-kind event” that will facilitate discussions between researchers and academics about privacy and security.  The FTC also released abstracts for the research that will be presented at the conference, scheduled for January 14.  PrivacyCon follows a call from the FTC last summer to “white hat” researchers and academics for papers on new vulnerabilities and how they might be exploited to harm consumers, as well as research in the area of big data, the Internet of things and consumer attitudes towards privacy.
Continue Reading FTC Releases Agenda for First-Ever PrivacyCon

Needless to say, the document most of us are reading now is the 209-page General Data Protection Regulation, just agreed upon by the institutions of the European Union.  A few parts are quite a page-turner.  (Parental consent for under-16s to access the Internet? Srsly?)  But even with this scintillating read, we find ourselves reaching for something a bit less, well, dense.

This weekend we can do that without ever leaving the EU-US comparative mindset.  Professors Ken Bamberger and Deirdre Mulligan of the Berkeley Center for Law & Technology have just published a groundbreaking work called Privacy on the Ground: Driving Corporate Behavior in the United States and Europe (MIT Press).  The book, which expands on the authors’ groundbreaking 2011 article, is based on empirical research that focuses not on what the law says in the EU and the U.S., but how privacy is actually practiced under five countries’ laws – the U.S., U.K., Germany, France, and Spain.  In findings that will be surprising and counterintuitive to some of our European colleagues, Ken and Deirdre find that the strongest privacy management practices are found in the United States and Germany.  That’s right – stronger practices in the U.S. than in France, Spain and the U.K.  I’m looking forward to the European reviews!  And to digging into the details.
Continue Reading Privacy Weekend: Provocative Articles We’re Reading Now

A European Parliament policy department has released a report, entitled Big Data and Smart Devices and Their Impact on Privacy, that criticizes the lack of focus on privacy and data protection in the European Commission’s “Digital Single Market” policy agenda, noting a “conflicting” intersection between the Commission’s Digital Single Market objectives and the EU’s efforts, now in their hopefully final stages, to reform the EU’s general legislation around the protection of personal information.
Continue Reading EU Parliament Policy Report Takes Dim View of EU Commission’s “Pro-Market” Policies on Big Data and Smart Devices

By Meena Harris and Caleb Skeath

  1. Data Breaches
  • Studies show increase.  Amidst a flurry of high-profile breaches during 2014, several studies confirmed that data breaches as a whole have risen significantly over the past few years.  The California Attorney General released a study showing a 28% increase in breaches in 2013 as compared to 2012.  Another study, which examined the volume of data breaches during the first quarter of 2014, found an increase of 233% compared to the same time period in 2013.
  • State laws.  In April, Kentucky became the 47th state to enact a data breach notification law.  Florida and Iowa each amended their data breach notification laws in 2014 to, among other changes, enhance regulator notification requirements.  California amended its data breach notice law to expand the types of information covered and to require certain companies to provide one year of free credit monitoring to affected individuals (although the statutory language on the latter point is subject to multiple interpretations).
  • Federal legislation.  Numerous data breach bills, including the Data Security Breach Notification Act of 2014 and the Personal Data Protection and Breach Accountability Act, were introduced in Congress, although none passed during 2014.  The Senate Judiciary Committee, the Senate Commerce Committee, and the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade, among others, held hearings during 2014 to discuss the need to address data breaches and the possibility of enacting federal legislation.
  • Federal enforcement.  In the enforcement arena, the Federal Trade Commission (“FTC”), the Department of Health and Human Services (“HHS”), and state attorneys general pursued enforcement action during 2014 against companies that had suffered data breaches.  The Securities and Exchange Commission also announced in April that it would conduct over 50 cybersecurity examinations of publicly traded companies.  The Federal Communications Commission (“FCC”), for its part, levied a $10 million fine in October against two telecommunications carriers for exposing customer data, which represented the FCC’s first enforcement action in the wake of a data breach.
  • Continued attention in 2015.  Legislative interest in data breach issues has only increased in early 2015.  Since President Obama proposed national data breach legislation, additional data breach notification bills have been introduced in the House and Senate.  The House Subcommittee on Commerce, Manufacturing, and Trade also held a hearing on crafting a national data breach bill, debating the harm that should trigger notification obligations and the appropriate window for providing notifications.
Continue Reading Top 10 U.S. Privacy Developments of 2014

Yesterday the White House released a report discussing how companies are using big data to charge different prices to different customers, a practice known as price discrimination or differential pricing.  The report describes the benefits of big data for sellers and buyers alike, and concludes that many concerns raised by big data and differential pricing can be addressed by existing antidiscrimination and consumer protection laws.

Big Data and Personalized Pricing

“Big data” refers to the ability to gather large volumes of data, often from multiple sources, and use it to produce new kinds of observations, measurements, and predictions about individual consumers.  Thus, big data has made it easier for sellers to target different populations with customized marketing and pricing plans.

The White House report identifies two trends driving the increased application of big data to marketing and consumer analytics.  The first trend is the widespread adoption of new information technology platforms, most importantly the Internet and the smartphone.  These platforms give businesses access to a wide variety of applications like search engines, maps, blogs, and music or video streaming services.  In turn, these applications create new ways for businesses to interact with consumers, which produce new sources and types of data, including (1) a user’s location via mapping software; (2) their browser and search history; (3) the songs and videos they have streamed; (4) their retail purchase history; and (5) the contents of their online reviews and blog posts.  Sellers can use these new types of information to make educated guesses about consumer characteristics like location, gender, and income.  The second trend is the growth of the ad-supported business model, and the creation of a secondary market in consumer information.  The ability to place ads that are targeted to a specific audience based on their personal characteristics makes information about consumers’ characteristics particularly valuable to businesses.  This, in turn, has fostered a growing industry of data brokers and information intermediaries who buy and sell customer lists and other data used by marketers to assemble digital profiles of individual consumers.
Continue Reading White House Issues Report on Big Data and Differential Pricing

At the International Conference of Data Protection and Privacy Commissioners in Mauritius this week, representatives of the private sector and academia joined together to discuss the positive changes and attendant risks that the internet of things and big data may bring to daily life. Attendees memorialized the observations and conclusions of their discussions in a Declaration on the Internet of Things and a Resolution on Big Data. The documents are not, of course, binding. But the fact that the Declaration and Resolution drew the consensus of a large gathering of international data protection regulators makes them relevant indicators of the direction of data privacy policies and trends.
Continue Reading Data Protection Officials Adopt Internet of Things Declaration and Big Data Resolution

The International Association of Privacy Professionals hosted its annual Privacy Academy, at which one panel, “Data Brokers Demystified,” specifically focused on regulation of the data-broker industry.  The panelists included Janis Kestenbaum from the Federal Trade Commission, Jennifer Glasgow from Acxiom, and Pam Dixon from the World Privacy Forum.  Emilio Cividanes from Venable also participated.

Major Conclusions of the FTC Report (Janis Kestenbaum)

  • Data brokers operate with a fundamental lack of transparency.  They engage in extensive collection of information about nearly every US consumer, compiling profiles composed of billions of data elements.
  • Much data collection occurs without consumer awareness and uses a wide variety of online and offline sources, such as social networks, blogs, individual purchases and transactions with retailers, state and federal governments, events requiring registration, and magazine subscriptions.
  • The practice of “onboarding”–where offline data is onboarded onto an online cookie and is used to market to consumers online–is increasingly common.
  • Some data collected is sensitive, but even non-sensitive data is sometimes used to make “sensitive inferences” about (for example) health status, income, education, ethnicity, religion, and political ideology.  Consumers are often segmented into “clusters” based on these inferred characteristics.
  • For regulators, some of these clusters are concerning.  For example, one cluster is entitled “Urban Scramble” and contains high concentrations of low-income ethnic minorities.
  • Congress should create a centralized portal where consumers can go online and access individual data brokers’ websites to opt out and access and correct their information.  For consumer-facing entities, like retailers, consumers must be given some kind of choice before data is sold to a data broker, and when that data is sensitive, the choice should be in the form of an opt in.
Continue Reading IAPP Privacy Academy: “Data Brokers Demystified”

A recent statement from the Article 29 Working Party, the independent European advisory body on data protection and privacy, comprised of representatives of the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission, finds that the EU data protection principles, outlined in the EU Data Protection Directive 95/46/EC, are still valid and appropriate for the development and use of big data analysis.

The statement responded to recent calls by stakeholders that certain data protection principles under EU law should be “substantially reviewed” to enable promising developments in big data operations.  The Article 29 Working Party Statement, adopted on September 16, 2014, acknowledged that the challenges presented by big data might require “innovative thinking” on how to apply key data protection principles, but maintained that the protection of personal data remains fundamentally ingrained in building trust between companies and consumers.

Continue Reading Article 29 Working Party Emphasizes Importance of Personal Data Protection for Big Data Operations and Development