On August 19, Federal Trade Commission Chairwoman Edith Ramirez cautioned companies that collect large quantities of consumer data that the FTC intends to closely scrutinize the measures those companies take to protect consumer privacy. In her keynote address at the Technology Policy Institute’s annual conference in Aspen, Colorado, Chairwoman Ramirez expressed concerns about the private sector’s increasing collection and use of “big data,” or datasets whose size is beyond the ability of typical database software tools to capture, store, manage, and analyze. In addition to renewing the FTC’s call for new privacy legislation, Chairwoman Ramirez signaled that the agency intends to increase its enforcement of existing federal statutes against perceived threats to consumer privacy caused by these large repositories of consumer information. Chairwoman Ramirez’s address reflects a growing focus at the FTC on the collection and use of consumer data, which all companies interacting with such data should note.
In her address, Chairwoman Ramirez argued that the “skyrocketing ability of business to store and analyze vast quantities of data” implicates individual privacy concerns because the data may reflect an individual’s health concerns, web browsing history, purchasing habits, social, religious and political preferences, and financial or other nonpublic information. While acknowledging that such databases can bring benefits to consumers and businesses in the form of increased innovation and efficiency, she cautioned that the FTC will take action against companies using them that do not implement appropriate privacy safeguards, likening the agency to a “vigilant lifeguard” whose job is to “make sure that no one gets hurt.” Ramirez pointed to the FTC’s authority to regulate “unfair or deceptive” business practices under the FTC Act as giving the FTC license to “make sure companies live up to their commitments” to protect the data and refrain from data practices that she contended could cause harm to consumers, such as inadequate data security measures. Ramirez also identified sector-specific privacy laws that the FTC enforces, such as the Fair Credit Reporting Act (which regulates credit reports and credit reporting agencies) and the Children’s Online Privacy Protection Act (which requires certain privacy measures for information about children), as permitting the FTC to regulate big data in specific contexts.
Chairwoman Ramirez then identified several privacy risks respecting “big data” that the FTC expects companies to minimize. First, Ramirez warned companies against “indiscriminate collection” of data, arguing that companies should not collect and retain personal information unnecessary to an identified purpose. Second, she contended that corporations often collect or use data in ways that consumers have not authorized, necessitating improved opportunities for meaningful consumer choice. Third, she argued that collection of big data creates a risk of large data breaches, making it crucial for firms acquiring such data to implement “reasonable” security measures. Fourth, she expressed concern that many companies are creating detailed profiles of individuals containing highly sensitive information, without consumers knowing who the companies are or how they are using the information, and that consumers deserve better visibility into and control over those profiles. Finally, Ramirez argued that big data may be unfairly used to make determinations about individuals based on unwarranted inferences or correlations, which consumers should have a means to challenge.
Chairwoman Ramirez urged companies to minimize these risks by following the three core principles set forth in the FTC’s 2012 Privacy Report. First, she said, companies should implement “privacy by design,” or building privacy in as products and services are being developed. Second, companies should offer consumers simple and easy-to-use mechanisms for receiving notice and exercising a choice respecting how their data is collected and used. Finally, Ramirez called for greater transparency regarding companies’ commercial data practices, so that their policies and practices are no longer “enshrouded in considerable smog.”
Chairwoman Ramirez’s remarks reflect a growing focus at the FTC on the collection and use of consumer data. Earlier this month, agency Commissioner Julie Brill expressed similar concerns in an op-ed calling on private sector participants to implement an initiative Commissioner Brill termed “Reclaim Your Name.” This initiative would involve permitting consumers to learn how data brokers are collecting and using their data, giving consumers access to data brokers’ information, allowing consumers to opt out of the sale of their information for marketing purposes, and permitting consumers to correct errors in the information used for decisions about substantive benefits. The FTC also recently subpoenaed nine data brokers to produce information about their data collection, use and disclosure practices. As the agency’s focus on the collection and use of data, particularly “big data,” intensifies companies that interact with consumer information should carefully review their policies and practices and assess the legal risks involved.