Information Privacy

Protecting consumer privacy has become increasingly challenging. As a result of rapidly changing technology, companies can collect, store, analyze, and share vast amounts of data about consumers. This provides opportunities to aggregate many different pieces of data and create detailed profiles of individual consumers that can be used for a wide range of purposes. Although many of these purposes are beneficial to consumers, they can also raise privacy concerns.

One result of changing technology is that the distinction between personally identifiable information (PII) and non-PII has blurred. Companies now potentially can learn a consumer’s identity from analyzing extensive data, even if the consumer information did not initially contain PII. Moreover, not only does the technology to re-identify non-PII data currently exist, but also companies may have a strong financial incentive to use it.

The differentiation between offline and online information has similarly blurred, making it necessary to consider the privacy implications of data in a more comprehensive manner. With the proliferation of Internet-connected devices, companies are able to track consumers’ behavior and collect unprecedented amounts of data about many aspects of their lives. In some cases, this happens without the consumer’s knowledge.

In 2012 the Federal Trade Commission (FTC) released a privacy framework that provided a list of best practices that it recommends businesses adopt to provide consumers with greater control over their online and offline information privacy. These best practices are designed to update the Fair Information Practice Principles first developed some 40 years ago. The framework’s key principles are:

• privacy by design—privacy should be built into every stage of product development;
• simplified choice—consumers should be able to make privacy choices about their data at a relevant time and in a specific context. Data use inconsistent with the original context of collection requires separate disclosures to consumers at a relevant time and outside the general privacy policy; and
• greater transparency—practices regarding information collection and use should be more transparent. Privacy statements should be clearer, shorter, and more standardized. This will allow for better comprehension and comparison of privacy practices. General statements buried in privacy policies are not sufficient.

The FTC also called on Congress to pass legislation that provides baseline privacy protections for consumers. Such legislation would allow for civil penalties and other remedies. It would provide companies with an incentive to meet their data privacy obligations.

Data brokers are of particular concern to the FTC. Data broker companies collect, collate, analyze, and sell information about consumers’ online and offline behavior. Such companies often collect information about financial, retail, and recreational activities to create profiles of individual consumers. Unlike consumer reporting agencies, data brokers are not required to provide consumers with access to the information they have collected about them. As a result most consumers are unaware that data brokers exist and do not know what kind of information is being sold to other companies.

The FTC recommends that Congress pass legislation that would provide consumers with access to their information held by data brokers and create a centralized website where data brokers can identify themselves to consumers and provide details on the rights of consumers to access their information.

Another area of concern is the tracking of consumers’ online browsing habits by a variety of marketing and other companies. Information about a consumer’s online activities can be collected, analyzed, shared, and sold without the consumer’s knowledge. This has led some to call for a centralized do-not-track mechanism that would allow consumers to opt out of tracking and control the collection and use of their online browsing data. Although such a list faces numerous technical challenges, it potentially could help strengthen the current mechanisms employed in the marketplace.

Social networking has rapidly increased in popularity as a means for friends and relatives to stay in contact with one another. However, the personal data some individuals make available through social networking sites raises potential privacy concerns and can even lead to identity theft. A study by PC World found that one-third of those using social networks post at least three pieces of personally identifiable information in their online profiles. Information such as date or place of birth, address, and mother’s maiden name can provide identity thieves with enough information to commit identity theft.

In 2015 an estimated 13.1 million Americans were victims of identity theft, resulting in the loss of $15 billion to businesses and consumers. Federal and state legislators have passed laws to combat identity theft. At the federal level the Fair and Accurate Credit Transactions (FACT) Act of 2003, which amended the Fair Credit Reporting Act, contains measures to help prevent identity theft and help victims restore their credit. The FACT Act preempts state law in a number of areas. These include the sharing of information among affiliated companies.