As both benefits and dangers tied to “big data” continue to swell, Edith Ramirez, chairwoman of the Federal Trade Commission, said the agency will use the tools it has available to defend consumer privacy while expecting companies to be the foremost protectors of information.
“The time has come for businesses to move their data collection and use practices out of the shadows and into the sunlight,” Ramirez said in a keynote speech yesterday at the 2013 Aspen Forum.
“Big data” is the term associated with the massive quantities of information created every day that can be sorted and analyzed by firms to better complete tasks like forecast stock prices, target advertising and streamline business operations.
Ramirez said this collection and analysis must be transparent and shouldn’t lead to such vast accumulations of information that companies can’t keep consumer data protected.
Unlimited data collection is bad for privacy, she said, disputing the argument that information is a raw material that should be stockpiled in the largest quantities possible on the “off-chance” that it might be useful.
“Is there really any worth to my law school search history when I was struggling to understand the rule against perpetuities?,” Ramirez said at the event hosted by the Technology Policy Institute. “Should that data be held in perpetuity?”
Ramirez said consumers need to have a say in how their data is collected. Individuals may volunteer personal information for a particular purpose, she said, not knowing that it is actually being harvested for some secondary use they never considered.
Technology — including “smart” refrigerators and other appliances that are constantly wired to the Internet — complicates the equation by providing companies with a constant stream of user information.
Potentially, this information can improve service, Ramirez said, though it also puts user privacy at risk, something the FTC will explore in a November workshop.
When companies store huge quantities of information, they also make attractive targets for criminals, Ramirez said. To cut down on cyber crime, the FTC targets companies deemed to have weak defenses and issues enforcement actions.
In the absence of a broad statute requiring companies to maintain data defenses, the FTC files enforcement actions using Section 5 of the FTC Act, which prohibits unfair and deceptive practices. In essence, the commission says companies acted deceptively or unfairly in breaching privacy agreements or putting consumer data at risk.
So far, the FTC has brought more than 40 data security cases and privacy cases under that authority, including cases against Google, LexisNexis and Twitter.
Companies have almost always settled, meaning the specifics of the rules that companies must follow have been negotiated behind closed doors rather than litigated in court.
However, the Wyndham hotel chain, in a landmark case, is fighting the FTC’s enforcement authority, arguing that the commission has never published rules to say how companies are supposed to comply with the law.
Ramirez said the FTC does not have rulemaking authority in that context, something she wants Congress to change, and is using the tools it has available for privacy enforcement.
The FTC alleges that Wyndham’s lax security allowed for three data breaches over 18 months, compromising payment card information for more than 600,000 Wyndham consumers.
“That’s the kind of situation where there is substantial consumer harm or the likelihood of substantial consumer harm where an entity like the FTC ought to be taking action,” Ramirez said.
The commission, she said, is seeking the authority to levy civil penalties against companies that fail to maintain reasonable security.
The FTC also has privacy enforcement authority under the Fair Credit Reporting Act and the Children’s Online Privacy Protection Act.
To protect consumers, Ramirez said companies need to build privacy security into their products and services from the outset, raising the question of whether data collection is sufficiently secure and balanced with potential risks.
At the same time, consumers need to be told when data is being collected and given an option to keep their online information from being tracked.
“For too long, the way personal information is collected and used has been at best an enigma ‘enshrouded in considerable smog.’” Ramirez said. “We need to clear the air.”