FTC’s Do Not Track Part 2: Scope & Promoting Privacy
Today, we continue our analysis of the FTC’s “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policymakers” in preparation for my presentation next week at the SMX West Conference. The FTC is promoting three aspects: (1) privacy by design; (2) clear and meaningful choice; and (3) transparency. We focus on the scope of the Framework and privacy by design.
“The proposed framework applies broadly to commercial entities that collect, maintain, share, or otherwise use consumer data that can be reasonably linked to a specific consumer, computer or other device.” The focus in the past has been on what has been described as Personally Identifiable Information, or PII, that would identify a specific user. Now, the FTC wants to broaden the type of information it protects to include anything that can identify not only the user but also the actual computer or device, such as a smartphone that may simply reveal a location.
All Privacy All of the Time
The FTC wants to promote what it is calling Privacy by Design, which essentially means companies should have everyone promote privacy at every stage. When developing your product or service, the FTC suggests you should: (1) collect only what you need; (2) for that limited purpose; (3) retain it only as long as you need it; and (4) implement reasonable procedures to promote accuracy.
The FTC suggests you should include a specific privacy person or department whose responsibility includes privacy R&D, training and review to test whatever reasonable safeguards you put in place. Now, before you scream, “What about my Facebook page that includes information about fans?”, there is practicality in the Framework: the FTC suggests the level of scrutiny depends on the sensitivity of the data collected, the size of the outfit and the types of risks involved with a worst-case scenario. The FTC suggests that had companies had persons in charge of privacy in early 2000, there would not have been the problems with data breaches caused by employees unknowingly revealing data through P2P technologies. The FTC is also promoting increased use of technologies that encrypt data and specifically identified SSL and TLS technologies.
So have you determined what types of information you really need? The FTC provides some real-world examples:
- If an advertising network is tracking consumers’ online activities to serve targeted ads, there is no need for the network to use key loggers or other applications to capture all data a consumer inputs.
- If a company collects information about unsecured wireless networks for the purpose of providing location-based services, the company should implement reasonable procedures to prevent additional, unintended collection of consumer data, such as the contents of individuals’ wireless communications.
- If a mobile application is providing traffic and weather information to a consumer based on his or her location information, it does not need to collect contact lists or call logs from the consumer’s device.
With regard to the length of time you need the information, the FTC seemed to emphasize not retaining geolocation data very long. By way of example, the FTC noted that geolocation data showing a person going to a clinic once a week could reveal private health information about that person that should be kept private.
All of this sounds reasonable and practical, but even at this stage I am not sure we fully understand all the benign (or evil) uses of the data we can collect. What if Google identified the information it thought it needed when it first started and ignored the rest? Think about how Google uses that data now compared to its non-advertising early stage of development. What is the next valuable use or type of collectable data? If I knew that, I would be doing it, without doing evil of course.