On January 18, the Federal Trade Commission released its annual Privacy and Data Security Update, highlighting its enforcement efforts in 2017. The report discusses significant enforcement efforts in the areas of privacy, data security, credit reporting and financial privacy, international enforcement, children’s privacy, and telemarketing. The report also highlights the FTC’s efforts in advocacy,
The International Association of Privacy Professionals hosted its annual Privacy Academy, at which one panel, “Data Brokers Demystified,” specifically focused on regulation of the data-broker industry. The panelists included Janis Kestenbaum from the Federal Trade Commission, Jennifer Glasgow from Acxiom, and Pam Dixon from the World Privacy Forum. Emilio Cividanes from Venable also participated.
Major Conclusions of the FTC Report (Janis Kestenbaum)
- Data brokers operate with a fundamental lack of transparency. They engage in extensive collection of information about nearly every US consumer, profiles of which are composed of billions of data elements.
- Much data collection occurs without consumer awareness and uses a wide variety of online and offline sources, such as social networks, blogs, individual purchases and transactions with retailers, state and federal governments, events requiring registration, and magazine subscriptions.
- The practice of “onboarding”–where offline data is onboarded onto an online cookie and is used to market to consumers online–is increasingly common.
- Some data collected is sensitive, but even non-sensitive data is sometimes used to make “sensitive inferences” about (for example) health status, income, education, ethnicity, religion, and political ideology. Consumers are often segmented into “clusters” based on these inferred characteristics.
- For regulators, some of these clusters are concerning. For example, one cluster is entitled “Urban Scramble” and contains high concentrations of low-income ethnic minorities.
- Congress should create a centralized portal where consumers can go online and access individual data brokers’ websites to opt out and access and correct their information. For consumer-facing entities, like retailers, consumers must be given some kind of choice before data is sold to a data broker, and when that data is sensitive, the choice should be in the form of an opt in.
Continue Reading IAPP Privacy Academy: “Data Brokers Demystified”
Yesterday, the FTC announced a settlement with Goldenshores Technologies, a company that makes the most-downloaded flashlight app on the Android platform. The FTC alleged that Goldenshores violated Section 5 of the FTC Act by failing to disclose to consumers that it shared location data it collected from users’ device with third parties. Although a list…
Last month, the FTC held a public workshop on the “Internet of Things” (or “IoT”), during which it examined the privacy and security implications of everyday objects being connected to the Internet and to each other. The workshop—which considered “things” ranging from connected cars to remote-controlled defibrillators—brought together academics, business and industry representatives, and consumer advocacy groups to explore these issues.
The participants voiced a variety of views about what the IoT means for consumer privacy. One memorable—and certainly debatable—perspective was that of Vint Cerf, Google’s chief Internet evangelist and lead engineer on the Internet prototype “ARPANET,” who told the audience that “privacy may actually be an anomaly” and ultimately unsustainable in our increasingly connected world.
There were other key moments in the workshop that helped to illuminate the FTC’s position on how businesses should approach the IoT. Now that the initial reports are in, we provide 5 key takeaways after the jump.…
Earlier this week, U.S. Federal Trade Commission (FTC) Chairwoman Edith Ramirez gave the keynote address at a technology conference, in which she focused on the privacy challenges of so-called “big data.” Her remarks provide some guidance about what the FTC considers “best practices” in terms of deploying big data analytics without raising privacy concerns.
- Data minimization and sound retention limits. The Chairwoman urged companies to “[a]void the indiscriminate collection of personal information” and suggested that it is not appropriate for companies to, “[k]eep data on the off-chance that it might prove useful.” She also suggested that retention limits are appropriate, noting that “old data is of little value.”
- De-identification. She noted that stripping out unique identifiers to render data anonymous can be an effective risk-mitigation technique. She cited the FTC’s 2012 Privacy Report as describing “an approach to de-identification that seeks to balance the benefits of de-identification with the risks that anonymous data will be re-identified.”
- Choice. She called on companies to “focus on consumer choice at the time of collection.” She noted that when consumers decide to share personal data with a business, that consent “is generally limited to the transaction at hand.” “Rarely, if ever, are consumers given a say about the aggregation of their personal data or secondary uses that are not even contemplated when their data is first collected.” Chairwoman Ramirez did not expand on what she believes that companies should do to provide consumers more of a “say” with respect to the aggregation and secondary uses of their data.
Less than a week after the Bi-Partisan Congressional Caucus’s briefing on data brokers and privacy, the Federal Trade Commission has issued orders requiring nine data brokerage companies to provide the agency with information about how they collect and use data about consumers. The nine data brokers receiving orders from the FTC were: Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intelius, Peekyou, Rapleaf, and Recorded Future. The agency is seeking details about:
- the nature and sources of the consumer information the data brokers collect;
- how the data brokers use, maintain, and disseminate the information; and
- the extent to which the data brokers allow consumers to access and correct their information or to opt out of having their personal information sold.
The nine companies must respond by February 1, and based on the information it receives, the FTC will prepare a study to make recommendations on whether and how the data broker industry could improve its privacy practices.…
On Thursday, the Federal Trade Commission (“FTC”) hosted a workshop to explore the practices and privacy implications of comprehensive data collection. The event gathered consumer protection groups, academics, privacy professionals, and business and industry representatives to examine the current state of comprehensive data collection, its risks and potential benefits, and what the future holds for consumers and their choices.
In her opening remarks, FTC Commissioner Julie Brill indicated the agency was open to revising its consumer privacy framework if comprehensive data collection warranted heightened restrictions or enhanced consent to protect and inform users: “We know that comprehensive data collection allows for greater personalization and other benefits, but there may be other contexts in which it does not lead to desirable results.”
The workshop was one of five main action items adopted by the FTC as part of its March 2012 report, Protecting Consumer Privacy In an Era of Rapid Change. In the report, the commission told companies that consent was not required for the collection and use of information that was consistent with a particular transaction or the company’s relationship with the consumer. But the agency said it needed more information to determine how this principle applied to technologies that could capture large amounts of consumer information, such as deep packet inspection (DPI).…
This week, the FTC released a staff report urging companies to adopt best practices for commercial uses of facial recognition technology. The report, entitled Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies, follows a workshop held last December and more than 80 public comments addressing issues raised at the workshop. Facing Facts largely discusses how the core privacy principles from the Commission’s March 2012 privacy report — privacy by design, simplified choice, and transparency — should inform the use of facial recognition technologies, such as digital signs that can assess the age and gender of consumers standing before them as well as online photo tagging tools.
In this post, we provide an overview of the staff report’s guidance on how each of the principles should be applied by companies that employ facial recognition in their products and services.…
Today, the Senate Committee on Commerce, Science, and Transportation held a hearing to seek the views of the Federal Trade Commission and the Administration on privacy issues. Discussion at the hearing, entitled “The Need for Privacy Protections: Perspectives from the Administration and the Federal Trade Commission,” focused in significant part on the privacy reports recently released by the FTC and the Administration.
Committee Chairman John D. (Jay) Rockefeller IV (D-WV) introduced the hearing by calling for “strong legal protections” and “simple and easy to understand rules” about information collection. He called for “strong, consumer-focused” privacy legislation this year, though conceded that no consensus about such legislation exists yet. Senator John Kerry (D-MA) also voiced support for privacy legislation. In contrast, Senator Pat Toomey (R-PA) expressed skepticism about new legislation, calling for a detailed cost/benefit analysis and identification of a specific market failure prior to any new regulation.…
The Digital Advertising Alliance’s Self-Regulatory Program for Online Behavioral Advertising continues to gather steam. Last month, after the Program garnered favorable mention in the FTC’s final privacy report, a representative of the Interactive Advertising Bureau (one of the DAA’s participating organizations) announced that the Program’s Advertising Option Icon is now being served in more…