Big Data Guidelines Necessary, Say FTC, Microsoft, Facebook Representatives
The FTC and technology companies like Facebook and Microsoft will focus in 2014 on the proper use and education about big data, said their representatives during a National Cyber Security Alliance event Tuesday. “Whether motivated by the bottom line, connecting with customers, or enforcement and oversight,” said FTC Consumer Protection Bureau Director Jessica Rich, “we all have a shared responsibility because it’s all about empowering customers and enhancing trust.” She noted there are upcoming FTC workshops and studies on data practices. Microsoft Chief Privacy Officer Brendon Lynch said there is a need for “reasonable limits” on data use that are based on a better understanding of the context in which that data was provided. Facebook Chief Privacy Officer-Policy Erin Egan focused on the impetus for companies to inform users of their data use policies through multiple channels, not just a privacy policy heavy on legal jargon.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
At the FTC, “every day is Data Privacy Day,” Rich said, referring to the National Cyber Security Alliance-backed Data Privacy Day, held each Jan. 28 since 2008. “We'd like to make every day Data Privacy Day for consumers and businesses, too. That’s why many of us at the FTC strongly support the enactment of new privacy and data security legislation.” While legislation languishes on Capitol Hill, the FTC has moved forward with “every tool at its disposal,” Rich said. She said a long-anticipated FTC data broker report is expected “in the coming months,” and a report following the agency’s Internet of Things (IoT) workshop (WID Nov 21 p4) will “summarize what we've learned” and maybe suggest some “best practices,” she said. Don’t expect the IoT report “imminently,” she said. “But hopefully soon."
Rich said companies “must invest in privacy and view it as a key part of their business strategy.” The “business impact” of a security breach “is enormous,” she said, citing FTC enforcement cases across numerous industries and the recent Target data breach (WID Jan 17 p5). The “touchstone” of a company’s data security should be “reasonableness,” taking into account factors such as the volume of data, sensitivity of data and protection tools available to the company, Rich said. “These factors are very much within a company’s ability to learn and consider for itself."
Companies are working to define the “soft squishy area in the middle” between data uses that are “completely out of bounds” and those that are “acceptable” based on the context of data collection, said Microsoft’s Lynch. Companies like his are conducting “a lot of data analysis over the long term to be able to help deliver relevant search results,” he said: “You need a large data set to determine those kind of things, but it doesn’t necessarily have to be in” Personally Identifiable Information form. As data analysis becomes more sophisticated and “you discover some new connection, let’s say in health data, that would be very beneficial to certain parts of people in that data set,” companies must decide what the rules are around re-identifying people in that data set, he said.
Industry and consumer advocates agreed there should be “reasonable limits to how that information is used,” said Susan Grant, consumer protection director at Consumer Federation of America. But the challenge is figuring out “how do we almost instill that reasonable use test into algorithms,” said Lynch. “This is where all stakeholders need to get involved in really helping define what good privacy means and define what reasonable uses are.” Grant echoed Rich’s call for “broad principles established in law.” Then she went further, saying Congress should give the FTC “rulemaking authority that went beyond the entities that it currently has the jurisdiction over."
Consumers must be brought in as well, Facebook’s Egan said. “We've always treated our data use policy as a guide to how Facebook works -- so it’s long,” she said. “I don’t think that’s the right way to communicate with people.” Companies should reorient how a “data use” policy -- a term she and other panelists preferred to “privacy” policy -- is disseminated and presented to consumers, she said. Egan referenced Facebook’s attempt at “iconization,” or naturally embedding icons and pop-ups that a user is more likely to come across during normal use. For instance, when a user posts publicly to Facebook, there is a small globe icon on that post and a pop-up window that appears to tell the user, “please know that when you post this anyone can see it,” Egan said. This approach will be essential as users increasingly move to mobile devices, she said. “It’s a multifaceted approach that’s needed.”