The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Data Brokers: The Feds are Watching YOU

Data brokers are invisible to consumers and unbridled by regulation. The Federal Trade Commission (FTC) has repeatedly emphasized the need for targeted legislation to regulate this industry. In an attempt to bolster self-regulatory efforts, the FTC’s March 2012 privacy report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, calls on data brokers to post their data collection practices and to provide consumers with choices on what information is being collected and retained. However, self-regulatory efforts have largely failed.

Perhaps until now. The following events may change the regulatory landscape for companies engaging in data mining practices.

Lawmakers Release Information on Data Brokers’ Collection and Use of Consumer Information

On November 8, 2012, a bipartisan group of lawmakers, including Reps. Edward Markey and Joe Barton, Co-Chairmen of the Congressional Bi-Partisan Privacy Caucus, released responses to letters sent last July to nine major data brokerage companies regarding their data mining practices. The results were disconcerting. The companies reported they were collecting consumer data from a variety of sources, including telephone directories, mobile phones, government agencies, financial institutions, social media sites, and consumers themselves. All but one (Acxiom, relevance to be discussed below) rejected the categorization of their business practices as “data brokerage.” And only Acxiom provided information on the number of consumers who requested access to their information in the last two years: 77 out of 190 million consumers from whom data had been mined.

In a joint statement released the same day, lawmakers characterized the companies’ responses as offering “only a glimpse of the practices of an industry that has operated in the shadow for years.” Lawmakers vowed to continue their efforts to learn more about the data brokerage industry and to “push for whatever steps are necessary to make sure Americans know how this industry operates and are granted control over their own information.”

Recall that Acxiom Corporation’s mining practices had been unveiled by the New York Times last June. The Times characterized Acxiom as the world’s largest commercial database on consumers, operating tens of thousands of servers to collect and analyze consumer data on hundreds of millions of consumers worldwide on trillions of data transactions a year. The article reported that Acxiom and others operate an extremely profitable enterprise, yielding over $77 million per fiscal year, and enjoy a broad customer base of banks, investment services, automakers, department stores, and just about any major company looking for insight into its consumers.

FTC Settlement with Online Data Brokerage Company, Compete, Inc.

On October 22, 2012, the FTC announced its proposed settlement with web analytics company Compete, Inc. The FTC alleged the company used web-tracking software to follow the browsing behavior of millions of consumers without disclosing the extent of the information being collected. Compete got unwitting consumers to download the tracking software by, among other things, promising rewards for sharing opinions about products and services on an online forum. Once installed, the tracking component collected information about consumers’ online activity and captured information consumers entered into websites, including consumers’ usernames, passwords, credit card and financial account information, security codes, and Social Security Numbers. Compete then compiled this data to generate consumer reports, which it sold to clients wanting to improve their website traffic and sales. The FTC alleged the company failed to adopt reasonable data security practices and deceived consumers about the amount of personal information that its website would collect, and also charged Compete with deceptive practices for falsely claiming that the data it kept was anonymous. The proposed settlement requires Compete to obtain consumers’ express consent before collecting any data from software downloaded onto consumers’ computers, to delete personal information already collected, and to provide directions for uninstalling its software.

FTC to Host December 2012 Workshop on Data Mining

On December 6, 2012, the FTC will host a public workshop, entitled “The Big Picture: Comprehensive Data Collection,” which will explore the practices and privacy implications of comprehensive data collection. The FTC’s preliminary agenda includes an examination by consumer protection organizations, academics, business and industry representatives, and privacy professionals of the technological landscape related to data mining, its benefits and risks, consumer knowledge and attitude, and the future of comprehensive data collection. The workshop will likely address many of the questions left unanswered by the nine data brokers queried by lawmakers regarding the companies’ data mining practices.

It remains to be seen whether these events will provide enough legislative inertia to promulgate industry-wide change. Until then, data brokers will continue their practice of unfettered commercial data mining of sensitive consumer information.

FTC Releases Report on Use of Facial Recognition Technology

On October 22, the FTC released its report regarding best practices in using facial recognition technology.  The report, entitled “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies,” is intended to address privacy concerns associated with the growing use of facial recognition technology, by helping companies that use and develop these technologies protect consumers’ privacy as they create and market new products and services.  The report was developed after the FTC hosted a workshop in December of 2011 on facial recognition technology and received public comments on the issue.

The report recommends that companies using facial recognition technologies (1) design the products or services with privacy in mind; (2) develop reasonable security protections for the information collected through the use of such technologies, and maintain procedures for determining when to keep collected information or destroy it; and (3) keep the sensitivity of the information collected in mind when developing facial recognition technologies.  For example, the FTC noted that digital signs using such technology should not be used in places where children gather.

The report also recommends that companies provide clear notice of the use of facial recognition technologies when consumers come into contact with them, both on and offline, and give consumers a choice as to whether data is collected about them.  For example, in the social networking space, the report recommends that the site give consumers clear notice of the use of facial recognition technologies (outside of a privacy policy), and provide users the ability to turn off the facial recognition feature at any time and have their biometric data collection from previous photos and videos permanently deleted.

Finally, the report recommends that companies obtain affirmative consent from consumers before collecting or using biometric data in at least two instances – first, before using consumers’ images or biometric data in a manner different than what the company previously represented to such consumers, and second, before identifying anonymous images of a person to a third party who could not have otherwise identified such person without their consent, such as identifying users to other users who are not their “friends” on a social networking site.

Interestingly, Commissioner J. Thomas Rosch issued a dissenting statement with the report, stating that the report “goes too far, too soon.”  The FTC voted 4-1 to release the report.

Facebook and Microsoft Privacy Setting Updates & Influence of EU Regulators

Facebook released a new data privacy feature this past Friday. The feature consists of an introduction to how the account user’s information may be shared across Facebook. Everyone who creates a new Facebook account will be brought to the feature as part of the profile creation process.
In its post giving notice of the feature, Facebook mentioned that the feedback given by the Irish Data Protection Commissioner’s Office provided guidance for the feature’s development.
The development of the feature is another example of European data privacy regulators informing the practices of large US tech companies.
For instance, as noted in The Secure Times, Google has been in a tussle with European data privacy regulators throughout 2012 about changes to its privacy policy that it announced in January. And Microsoft’s recent update to its services agreement for Bing, Hotmail, and its other online services has not received very much attention in the US (at least as compared to Google’s changes earlier this year), but EU regulators are reported to be looking into it as well, according to Bloomberg.
When changes in the management, use, and sharing of consumer data are pressed by local regulators, the need for operational efficiency may lead to global developments in data privacy features for some of the most popular online platforms.