Article by Boris Segalis and Nihar Shah
Nowadays, a news story on privacy is out of place if it doesn’t mention Do-Not-Track (known as “DNT”) or Big Data. While these hot topics represent key concerns for privacy professionals, advocates and regulators, there is no clear agreement on what they mean or how to address the privacy issues they raise.
In this post, we consider recent developments on these topics, including how the Federal Trade Commission has sought to focus on and connect these new issues.
DNT or DNC
DNT is in the midst of a multifaceted identity crisis, starting with a disagreement over the definition of DNT. Self-regulatory organizations and the advertising industry assert that DNT stands for “Do Not Target,” referring to the use of consumer data for the purposes of targeted advertising. The FTC, buoyed by privacy advocates, appears to take the view that DNT means not only “Do Not Target” but also “Do Not Collect” (DNC).
FTC Commissioner Brill elaborated at the 2012 IAPP Summit that she doesn’t view the current DNT efforts as entirely sufficient because the choice DNT offers does not give consumers appropriate protection against what Brill characterized as “limitless, unmitigated” data collection. But Brill does not argue for wholesale implementation of DNC, and has indicated that the details of the implementation of DNT/DNC will continue to remain a key focus for the FTC.
The industry has continued to respond to these concerns by trying to balance consumer and business interests. While privacy advocates want consumers to have the option to truly opt out of all information collection about them, industry leaders argue that such a move would severely undercut e-commerce in the United States.
In late February, the FTC and Digital Advertising Alliance (DAA) announced Obama Administration support for the DAA’s “Do Not Track” button, in which a consumer presses the button on any browser, and all participating advertisers and browsers would not store consumer information to be used in targeted advertising.
But privacy advocates have expressed reservations about the solution, calling attention to the fact that the button would not allow consumers to opt out of other types of tracking, such as for market research or website analytics.
Commissioner Brill has called the latest DAA proposal “a good first step” but indicated that the FTC does not fully support the DAA’s view that a “Do Not Target” industry standard is completely adequate. She explained that “Do Not Track is not just Do Not Target, but also, when the consumer so chooses, Do Not Collect.” The FTC and DAA both believe that consumer choice is the best method for advocating consumer privacy, but an agreement on what that choice should entail is a long way off.
First Party v. Third Party
Another disagreement affecting DNT is the line between so called “first party” data collection and tracking and “third party” activities. Broadly, “first party” data collectors collect information from users with whom they have a direct relationship (e.g., information CNN collects during a user’s visit to its site). A “third party” data collector collects data about users with whom it does not have a direct relationship (e.g., information collected on the CNN site by advertising networks).
For example, a social media platform may act as both a “first party” and “third party” collector. When a user inputs her birthday and name into Google+, the user should reasonably expect Google+ to use that information as part of the service. This is “first party” data processing. However, when Google places a “+1” button on a different website, a user may not understand that Google is collecting other information about that user in conjunction with that “+1” button. This is “third party” processing.
At the IAPP Summit, Commissioner Brill was challenged on the notion that there is great significance to the relationship between the party collecting data and the consumer. Some of her co-panelists suggested, for example, that data protection should be driven by the nature of the information, not the relationship with the consumer. But it appears that the FTC will continue to focus on the “first party” and “third party” distinction.
The FTC sees a greater threat to consumers in third-party data collection because of perceived lack of notice, choice and transparency in the practices of data collectors and data aggregators (including deep packet inspection and affiliate marketing) that do not have a direct relationship with consumers. But the real challenge is understanding where to draw the line between “first party” and “third party” practices.
In the FTC’s view, concerns about third-party data processing activities have been exacerbated by the changing character of data collection and use. While DNT efforts were initially driven by the desire to offer consumers some protection from behavioral advertising, Brill now also sees DNT as a component of oversight of what has become known as “Big Data.”
Without necessarily referring to the practice as “Big Data,” the media has with some consistency attempted to understand it. For example, a 2010 Wall Street Journal study found that websites had an average of 64 different tracking tools collecting information about site users. With so many data points in hand, many data aggregation companies, a.k.a. data brokers, are able to pinpoint a user’s identity and specific preferences without having any information traditionally considered as personally identifiable information.
Notably, Commissioner Brill has lamented that common de-identifying techniques involve no more than removing any references to name and address from collected data. Websites store the unique identifier of the computer or mobile device used to access a website, devices that, Brill notes, are “for all intents and purposes, linked to individuals.”
Most recently, The New York Times reported that companies have engaged in the practice of collecting vast amounts of innocuous data on an individual in order to collect sensitive information about customers. For instance, Target began tracking purchases from consumers to establish that they were pregnant, often within just two purchase cycles. Subsequently, the company would include pregnancy-related advertisements in interactions with that consumer.
And thus Big Data can best be characterized as a state of mind, a realization of the enormous analytical potential to use data that has been and continues to be amassed about individuals to gain new levels of insight into consumer behavior. Whether a prospective restaurateur wants to know whether to open a sushi bar in an upscale neighborhood and how to price the menu, or a store wants to know if a customer might be pregnant, Big Data is there to provide solutions.
The FTC does not appear to view Big Data negatively (and it would be unwise to do so), but it wants the industry to play by the rules, including the rules the White House has articulated in its privacy report. Brill suggested that the government may need to provide heightened consumer protections against certain types of Big Data practices, particularly the aggregation of ostensibly innocuous data to determine sensitive information, such as health status, sexual orientation and financial status.
The FTC believes it has several tools at its disposal to attempt to reign-in Big Data. First, Brill has made it clear that she believes that collection or use of information for purposes articulated in the Fair Credit Reporting Act may well deem the party engaging in the practices a consumer reporting agency under the FCRA, subjecting it to myriad restrictions on data use, disclosure, accuracy and security. Brill has suggested that, for example, FCRA should apply to data scraped from social media if the data is used for FCRA purposes.
In addition, Brill wants Big Data to join in on a one stop shop DNT portal. Brill does not suggest that consumers should have an opportunity to opt out of uses of their data covered by the FCRA (provided there is compliance), but she views as essential consumers’ ability to access and correct the data.
She would like all DNT technologies to work together to offer consumers a one stop shop to understand what information has been collected about them and the option to correct their information. Brill also would like to see the portal offer a universal DNC option for the collection and use of consumer data for non-FCRA purposes that are not necessary to process transactions (i.e., marketing).
There has been enforcement activity that can fairly be characterized as an attempt to rein in Big Data. For example, the FTC successfully pressed Social Intelligence, a company that collected and sold social media data for employment eligibility purposes, to admit that it is a consumer reporting agency subject to the FCRA. In addition, the Equal Employment Opportunity Commission has taken steps to seek to preclude companies from using credit report data in the employment process.
Further, a number of states have passed laws that, with some exceptions, prohibit the use of credit reports in the employment process. Consumer reporting is the precursor of modern Big Data and offers a preview of the regulatory climate that may impact this new industry.
Big Data is poised to expand. The advent of the Smart Grid (which includes smart meters, smart appliances, electric/hybrid car charging stations and other elements of the utility infrastructure) will enable the collection of ever more precise and powerful information about consumer behavior. Again, the Smart Grid has the potential to boost the U.S. economy, but as the consumer information flows into Big Data, regulators will want the industry to play by the rules.
While Big Data is in flux, there are things data companies can do: understand how the company processes data, contractual and legal limitations on the data processing, best practices (including those gleaned from FTC guidance and White House and FTC reports) and enforcement risks, and implement privacy controls that are consistent with the organization’s business needs and risk comfort levels.
We know that the departure point for FTC’s enforcement is privacy violations that the Commission perceives to be egregious. This should give some comfort to Big Data companies that strive to process personal data in a fair and transparent manner that they would not be the first door on which the FTC knocks.
Finally, while the DNT debate is raging, companies have at their disposal many existing options to be proactive in ensuring that their online privacy practices are fair and transparent in the eyes of regulators and consumer advocacy groups (e.g., BBB and NAI advertising opt-out programs, website analytics opt-outs and other tools).
However the debate on DNT ultimately settles, companies can use these tools today to demonstrate their commitment to respecting consumers’ privacy choices.
Cross-posted from InfoLawGroup