On January 12, 2017, The Federal Trade Commission (FTC) held its second PrivacyCon conference. PrivacyCon brings together researchers, academics, industry representatives, consumer advocates, and government regulators, to discuss the latest research and trends related to consumer privacy and data security. This year’s PrivacyCon featured presentations from academics and technology researchers covering the following five main areas: (1) the Internet of Things (IoT) and Big Data; (2) mobile privacy; (3) consumer privacy expectations; (4) online behavioral advertising; and (5) information security. FTC Chairwoman Edith Ramirez, who is stepping down effective February 10, 2017, opened the conference with the myriad of ways consumer data is collected, asking if the risks associated with data collection outweigh the benefits.

Researchers have historically brought to the FTC’s attention poor privacy and security practices, prompting the FTC to bring enforcement actions. It is therefore important that organizations pay attention to what privacy and security issues are on the FTC’s radar. Some of the practices that featured prominently at this year’s PrivacyCon include: cross-app and cross-platform tracking, privacy vulnerabilities of the smart home, unauthorized collection of geolocation information, exposure of personal information in plain text by apps, illegal acquisition of consumer data, pervasive tracking, and children’s privacy in connected toys.

What Do You Need to Know?

Applying privacy rules and security standards to new technologies was a big theme at PrivacyCon. Despite the number of new and emerging technologies discussed, the issues that emerged were not quite as novel, but merely new iterations of old problems. We have summarized them as follows:

  1. Make Sure You Have a Privacy Policy That Accurately Reflects Your Privacy Practices. PrivacyCon attendees discussed how 71% of mobile apps that collect personal information do not have a privacy policy. They were alarmed by the supposed disconnect between what some privacy policies say and the actual personal data collected (and how they were used) by online services. We have seen the FTC bring enforcement actions against companies that made inaccurate statements in their privacy policies.
  2. Consider (Early) the Privacy and Security Implications of Rolling Out New Technologies. Chairman Ramirez discussed how new technologies that collect personal data have always presented privacy challenges. If you are unsure as to how privacy and security can be integrated into your product, consult professionals who have done this work in other areas. And do it early, to be able to incorporate privacy and security features in developing or implementing new technologies.
  3. Obtain Consent, Especially Where Geolocation Data Is Involved. Because the collection of geolocation information poses increased risks such as exposure of sensitive information (e.g. political and religious affiliations), stalking, and even burglary and physical harm, it is even more important that consumers are put on notice of--and consent to--the collection of their geolocation information.
  4. Know That the Trend of Leveraging Privacy and Security as Market Differentiators Will Continue. Consumer Reports, a nonprofit that provides product ratings and reviews, has a new initiative to start letting consumers know just how secure and privacy-protective products are so consumers can make informed choices, highlighting privacy and security’s added value of creating a competitive advantage for organizations. The nonprofit plans to launch this new initiative in 2017.
  5. Make Sure You Respectfully Serve Ads to Consumers. Research findings show that consumers are increasingly concerned about privacy, but they also recognize the value of targeted advertising when done respectfully. This finding is good for business, highlighting that so long as businesses demonstrate their trustworthiness (for example, by disclosing data practices and having reasonable security measures in place), they can minimize the risks of getting in trouble with the regulators or losing their consumers.

What’s Next?

If your organization is finding it challenging to navigate privacy and security issues in implementing new technologies, know that privacy principles are generally still applicable in new contexts. For security, there are industry standards and best practices that are available as guidance. Moreover, it might be worth remembering that leveraging privacy and security as marketing differentiators provides the proverbial “carrot” to get these issues right, where legal and compliance “sticks” have traditionally been relied upon.