Federal Trade Commission Reports on “Data Brokers”
The Federal Trade Commission (FTC) released a study entitled “Data Brokers: A Call for Transparency and Accountability” on May 27, 2014 (Report).4 The Report is based on the FTC’s 2012 request for information issued to nine companies the FTC views as “data brokers,” a term the FTC defines to include “companies that collect consumers’ personal information and resell or share that information with others.”5 The Report focuses on practices that fall outside the Fair Credit Reporting Act, and can be grouped into three categories: (1) marketing, (2) risk mitigation, and (3) people search.
In the Report, the FTC recommends that Congress consider legislation to give consumers more transparency and data access for products in each of these three categories. In addition, the Report calls upon the industry to implement a “privacy by design” approach, to strengthen measures to avoid collecting data from children and teenagers for marketing and other purposes, and to take reasonable precautions to ensure that downstream recipients are not using data for eligibility determinations or illegal discrimination.
NTIA Multistakeholder Process Continues
On June 3, 2014, the National Telecommunications and Information Administration (NTIA) convened its seventh “Privacy Multistakeholder Meeting” on developing a code of conduct for facial recognition technology (FRT). While the first several meetings explored FRT and its current and prospective applications, this meeting continued a shift away from fact-finding and toward a discussion about developing a code of conduct. In this context, participants in the meeting focused on elements that would need to be addressed in a code of conduct, such as which entities are covered, and issues of scope and consent.
The stakeholders discussed potential issues involving “facial profiling,” described as the use of FRT to tag characteristics (e.g., names, ethnicity, or gender) to facial templates. Participants agreed to examine facial profiling further during the process of drafting a code of conduct. The group also considered issues surrounding the timing of offering and obtaining consent for the use of FRT. In examining these issues, participants discussed use cases such as a casino identifying card-counters through video surveillance. The group also considered, but did not resolve, whether “personally identifiable information” (PII) under the Privacy Act of 1974 should be used as guidance for obligations in a code of conduct for FRT.
On June 24, 2014, NTIA convened the eighth meeting to discuss potential risks and issues associated with FRT and definitions that would be included in a code of conduct. Participants also discussed a draft proposal containing recommendations for commercial use of biometric technology.
Regarding the proposal, the discussion focused on the distinction made between PII and biometric data, as well as between anonymity and privacy. The group discussed a document containing draft definitions of terms for a code of conduct, and began to enumerate potential risks that could be addressed in a code of conduct, including issues arising from storage of facial templates, data breaches, withdrawal of templates from a database, and government access. The next meeting is expected to take place in July.
Consumer Financial Protection Bureau Takes Action on Privacy Issues
The Consumer Financial Protection Bureau (CFPB) recently took two regulatory steps related to financial privacy. In May, the CFPB released a proposal to amend its annual privacy notice requirement under the Gramm-Leach-Bliley Act (implemented through Regulation P). Dozens of public comments were filed on the proposal before the June 12, 2014 deadline. Currently, “financial institutions” subject to Regulation P must provide their customers with initial and annual notices regarding their privacy policies via mail. The CFPB has proposed to allow financial institutions that do not engage in certain types of information-sharing activities to stop mailing an annual disclosure if they post the annual notices on their websites and meet certain other conditions, including using the model notice form set out in Regulation P. This new approach responds to public comments the CFPB previously received on the topic of streamlining regulations the CFPB inherited from other agencies.
Additionally, in conjunction with a field hearing held on June 12, 2014 in New Orleans, the CFPB released a request for information on mobile financial products, and particularly on opportunities for serving economically vulnerable consumers. Comments responding to this request are due on September 10, 2014. Among other issues, the CFPB has requested information on privacy and security concerns that may be associated with mobile financial services, data breach potential, and possible risks associated with creating marketing segments associated with mobile financial customers.
Federal Trade Commission Concludes Spring Privacy Seminar
In May 2014, the Federal Trade Commission (FTC or Commission) concluded its spring privacy series with a seminar on “Consumer Generated and Controlled Health Data.” Opening remarks were delivered by Commissioner Julie Brill, who asserted that more consumer protections are needed around health data. The day’s seminar also included two presentations, on health data flows and data sharing by popular health and fitness apps, and a panel discussion. The panel discussion featured four panelists from the government and private sector who focused on the distinctions between the types of information and entities covered by the Health Insurance Portability and Accountability Act (HIPAA) and those that are not covered by HIPAA.
This seminar was the Commission’s third and final installment in its 2014 Spring Privacy Series. Earlier seminars included presentations and panel discussions on Mobile Device Tracking and Alternative Scoring products. The March 19th seminar, focusing on alternative scoring and predictive analytics, featured a presentation on creating predictive analytics and the benefits of various types of predictive models, including fraud prevention, recommendation engines, and spam filtering. A panel discussion also featured six panelists from industry, government, and the consumer advocate community, focusing on the application of existing laws to predictive analytics and the accuracy of predictive models.
The mobile device tracking seminar, held earlier in the year, followed a similar format of presentation and panel discussion. Its focus was on the types of information gathered by mobile devices, data retention policies, and privacy considerations. The presentations demonstrated different technologies used to facilitate the collection of users’ information from mobile devices and presented research findings into consumers’ awareness of these technologies.