FCC Has Important Data Privacy Role, Clyburn Says

The FCC’s approach in this area should be technology- and process-neutral, Clyburn said. “I am not afraid to step in and regulate when the market does not provide fair and equitable results,” she said. However, regulations cannot force companies to comply in one specific way, she said. For instance, the FCC approved a declaratory ruling in June requiring carriers to protect customer proprietary network information (CPNI) on mobile phones, which includes the phone number dialed and the location from which that number was dialed (CD June 28 p4). The ruling did not, though, require any particular type of protection, Clyburn said -- carriers were free to choose their own protection method. “The ruling also made clear it did not prohibit carriers from collecting the information needed to improve networks,” she said.

The FCC “took a similar approach” with its E-911 location accuracy rules, Clyburn said. The commission held a November workshop on the issue (CD Nov 19 p1), during which “we heard how call centers” were struggling to determine the location of mobile calls. Three months later, the FCC circulated proposed location accuracy rules for carriers as well as “proposed testing methods to ensure carriers were meeting these proposed rules,” said Clyburn. But the commission did not want to dictate one testing method. “We encouraged carriers to propose other testing methods that may better suit their business plans,” she said. Lawmakers also leaned on the FCC to act on this issue during a Senate Communications Subcommittee January hearing (CD Jan 17 p8).

It’s difficult to create data collection rules because of changing definitions, said Jules Polonetsky, executive director of the Future of Privacy Forum, an industry privacy advocate backed by large tech companies such as Google, Facebook, Apple and Microsoft. The concepts of “personally identifiable information” (PII) and “anonymous” or “de-identified” data are widely misunderstood, Polonetsky said. “People say in privacy policy, ‘We don’t share personal information, but we may share information that’s aggregated,'” he said. But “aggregated” does not mean “anonymous,” he said. “If you're sharing [aggregated information] with a third-party network, or you have a ’share this’ button, you're sharing it individually.” That means the information can be linked back to an individual. “It’s user-level” information, Polonetsky said.

At the same time, California laws and FTC regulations are expanding the definition of PII, said Wiley Rein privacy lawyer William Baker. “The definition of PII is always expanding to include more stuff,” he said. So it’s not clear what “tracking” or “sharing data means,” said Polonetsky. The California Online Privacy Protection Act (CalOPPA), for instance, requires commercial websites collecting PII to say in their privacy policy exactly what’s being collected, with whom that PII is shared, and how users can review the PII collected about them, said Venable privacy lawyer Emilio Cividanes. That touches a wide swath of websites, he said. But Polonetsky noted that changing definitions make it confusing for websites to know how to craft their privacy policies to address the law.

People are looking to upcoming privacy policy guidelines from the California attorney general’s office for some answers. The guidelines were prompted by the state’s Do Not Track law, which requires websites to say how they respond to a Do Not Track signal, and went into effect Jan. 1 (CD Jan 2 p4). Panelists said the guidelines were supposed to be released Thursday morning, but are now expected Friday or early next week.