Last week, the Federal Trade Commission revealed that it had sent letters to six different data brokers, all of whom provide requestors with reports detailing individual tenant histories, warning them that their practices may be subject to the Fair Credit Reporting Act (“FCRA”). This move follows the FTC’s announcement that it is investigating data brokers that mine consumer information and a congressional inquiry of the industry’s practices.
In its letter to the data brokers, the FTC points out how data brokers that assemble and share individuals’ rental histories are likely “consumer reporting agencies” issuing “consumer reports” and thus subject to the Fair Credit Reporting Act (“FCRA”). As the letter describes in detail, the FCRA requires consumer reporting agencies that issue these sorts of reports must ensure they are being used correctly, are as accurate as possible, and provide consumers access to the reports and a chance to dispute information believed to be inaccurate. Companies that fail to do this may be subject to damages for each violation of the law.Although the FTC’s letter is primarily concerned with the requirements of the FCRA, there are some general lessons that can be taken from this move. First, businesses that covertly collect and share consumer information risk bad press and legal action by the FTC. Second, when a company collects information for one purpose (e.g., an application for a first apartment), the law frowns upon subsequent uses of that information that are different and that a normal consumer wouldn’t expect (e.g., to deny them the next apartment). Lastly, as technology increases the detail of data brokers’ consumer profiles and expands the types of personal information they can trade, the public’s expectation of privacy in such information should not be discounted.
We're keeping up with the latest developments in mobile data collection and have issued an to our 2011 White Paper, Mobile Unique Identifiers and Location Information. The two new events in this area of privacy law include:
- The Location Privacy Protection Act of 2011, which had traction in the Senate, was not presented to Congress by the end of 2012
- Google settled with 38 states and the District of Columbia for $7 million dollars in Wi-Fi data collection investigation.
On February 1, 2013, the FTC released a new report, Mobile Privacy Disclosures: Building Trust Through Transparency, setting out current data protection best practices for mobile operating system (OS) providers and app-developers.
The report’s guiding principle is that these providers must work to give mobile device users:
(1) clear understandings of how her information is being collected, and
(2) tools to manage and protect access to her data.
The FTC recommends that app-developers and OS-providers integrate specific privacy designs into their products, to protect themselves from future FTC actions. It also recommends a general ‘privacy by design’ approach, which would prioritize data minimization, data security, and procedural safeguards at every stage of product development.
It also pushes ad networks, third-party data collectors, and app-industry groups to put a priority on data protection measures, so that they encourage OS-providers and app-developers to provide users more notice and controls.
Recommendations for OS-providers
The FTC focuses on OS-providers as the main stakeholder who can promote data protection. This is because OS-providers largely determine the users’ experience & awareness of data privacy, and because they have substantial leverage over app-developers.
The FTC recommends OS-providers build in privacy alerts and management tools for users, and that they implement enforceable standards for app-developers. These best practices are:
Privacy Alerts for Users
Management Tools for Users
Supervision of App-Developers
Recommendations for App-Developers
The FTC also focuses on what app-developers could be doing better regarding data protection. It recommends the following best practices:
Privacy Alerts for Users
Oversee Ad Networks & 3rd Parties
Reach out for Guidance
Enforcement & consequences
The FTC emphasizes that it will enforce data protection standards for mobile businesses.
It points to its recent action against Path for their collection of users’ address book data and collection of children under 13 without parental consent – and by their action against Frostwire for a peer-to-peer file-sharing app that would lead to users’ unwitting exposure of personal files on their device.
The FTC has put together this report of recommendations so that mobile businesses can avoid such actions. If OS-providers and app-developers implement these designs, and if they comply with the upcoming NTIA privacy code of conduct, the FTC indicates that this compliance will insulate companies from law enforcement actions.
I attended the California Public Utilities Commission (CPUC) Energy Data Access Workshop last week (1/15-16) in San Francisco. I have been following the CPUC's numerous proceedings on energy data privacy, including the Privacy Rule for SmartGrid Data and the discussion about implementing processes for users to authorize the utility to directly transfer their energy usage data to third party providers (e.g. for demand response purposes).
This particular meeting was focused on access to users' energy data for research purposes. A number of research institutes and city planners want access to both personalized and anon/aggregate energy consumption data for energy efficiency planning and research into alternative energy programs. This makes interesting politics because the Privacy Rule places the burden on utilities to protect their users' privacy.
Also interesting was how similar this debate is to other debates (i.e. cookie data or health data) where the question is how to create useful information from data, but to do so in a way that is reasonably aggregated and anonymous to protect user privacy. There were also interesting presentations, particularly by the census bureau, on secure means to provide access to the data when the research requires data in a form that could not be considered to meet this standard.
This Workshop was meant to give the CPUC enough information to start a proceeding that will likely determine whether a new data center with data from the three IOUs will be created or some other means to facilitate access to data will be pursued. Hopefully, it will spark some input from researchers and professionals other fields where these issues are being discussed.
The California Attorney General's office today released its long awaited report Privacy on the Go (pdf) with recommendations for application developers, platforms, and ad-networks. It is a must read-- both for the easy to understand language and clear suggestions, and because it promotes implementations than generally are not considered "required by law." This is the future of privacy design. I urge you to take a look.
Limit collection: Avoid or minimize the collection of personally indentifiable data that you do not need to provide your service and limit the time you keep it. Or as I tell my clients, make a fair bargain with your users! Have policies that make sense and describe them in a way so the user thinks the exchange of their data for your service is reasonable.
Surprise Minimization: Don't collect data or use it in a way that will surprise your users. In other words-- notice early, contextually, and repeatedly!
At Blurry Edge Strategies, we spend a lot of time watching (and
often participating in) significant developments at the intersection of
technology and the law. And as the new year begins, it’s already
clear that we’re facing an exciting and tumultuous 12 months ahead.
Federal regulators – notably the FTC – are telegraphing a
reinvigorated interest in Internet privacy matters; after last year’s
SOPA debacle, lawmakers are primed to take another swing at copyright
enforcement legislation; and social networking giants are wading deep
into international privacy compliance issues, with mixed results.
That’s all ahead. To close out 2012, we’ve compiled for you a guide to
twelve of the most important developments of the last year. We hope you
find it useful.
Principal, Blurry Edge Strategies
I get to talk to a lot of interesting audiences about privacy, security and other issues. Last month was unquestionably the most fun talk-- at DefCon Kids with Jeff Moss (darktangent). CNN was there and wrote about it and I hope parents everywhere will share this information with their 8 year olds.
Computer hacking for 8-year-olds
I have a comment on the NYT Room to Debate forum Google or China: Who Has More to Lose? praising Google's decision not to censor search results on .cn but recognizing that it was the alleged Chinese government's hacking that broke the camel's back as opposed to general disgust with the regime's Internet Freedom policy (I also wrote about this at the time of the initial announcement in January). I do think it shows that while doing business with China could be justified by a goal of fostering engagement, collaborating with the regime cannot.