Information Privacy

Protecting consumer privacy has become increasingly challenging. Rapidly changing technology allows companies to collect, store, analyze, and share vast amounts of data about consumers. This provides opportunities to use data for a wide range of purposes. Although many of these purposes are beneficial to consumers, they can also raise privacy concerns.

In 2012, the Federal Trade Commission released a privacy framework that provided a list of best practices that it recommends businesses adopt to provide consumers with greater control over their online and offline information privacy. These best practices are designed to update the Fair Information Practice Principles first developed some 40 years ago. The framework’s key principles are:

• Privacy by design—privacy should be built into every stage of product development;
• Simplified choice—consumers should be able to make privacy choices about their data at a relevant time and in a specific context. Data use inconsistent with the original context of collection requires separate disclosures to consumers at a relevant time and outside the general privacy policy; and
• Greater transparency—practices regarding information collection and use should be more transparent. Privacy statements should be clearer, shorter, and more standardized. This will allow for better comprehension and comparison of privacy practices. General statements buried in privacy policies are not sufficient.

The Federal Trade Commission has called on Congress to pass legislation that provides baseline privacy protections for consumers. Such legislation would allow for civil penalties and other remedies. It would provide companies with an incentive to meet their data privacy obligations.

An area of concern is data broker companies. They collect, collate, analyze, and sell information about consumers’ online and offline behavior. Such companies often collect information about financial, retail, and recreational activities to create profiles of individual consumers. Unlike consumer reporting agencies, data brokers are not required to provide consumers with access to the information they have collected about them. As a result, most consumers are unaware that data brokers exist and do not know what kind of information is being sold to other companies.

Another area of concern is the tracking of consumers’ online browsing habits. Information about a consumer’s online activities can be collected, analyzed, shared, and sold without the consumer’s knowledge.

One recent positive development is the General Data Protection Regulation (GDPR), which went into effect in 2018. This is a European Union (EU) regulation that has worldwide reach. It requires companies that handle data from any EU citizen to ensure that all users, even those outside the EU, receive affirmative consent before they can track certain data. GDPR also gives EU residents the right to request their data from companies and ask for certain information to be deleted or corrected if it is inaccurate. GDPR’s penalties are severe. Companies that violate it face fines of the greater of 20 million euros or 4 percent of their global revenue. Therefore, some companies choose not to make their websites available in the EU.

Social networking is an extremely popular way for friends and relatives to stay in contact with one another. However, some individuals make detailed personal information available through social networking sites. This raises potential privacy concerns and can even lead to identity theft. A study by PC World found that one-third of those using social networks post at least three pieces of personally identifiable information in their online profiles. Information such as date or place of birth, address, and mother’s maiden name can provide identity thieves with enough information to commit identity theft.

In 2017 an estimated 16.7 million Americans were victims of identity fraud, resulting in $16.8 billion in consumer losses. Several federal laws protect against identity theft and fraud. This includes providing consumer protections related to credit files compiled by the three major credit bureaus. For example, federal law provides consumers with the right to:

• review their credit file from each major credit reporting agencies once a year for free,
• correct inaccuracies in their credit files. and
• place a fraud alert or a security freeze on each credit file.

The Fair and Accurate Credit Transactions (FACT) Act of 2003 allows consumers to review their credit files from each of the three bureaus, correct inaccuracies in the files, and place a fraud alert when identity theft is suspected. In addition, the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018 allows all Americans to place a security freeze on their credit reports for free. It also requires the Federal Trade Commission to post a website with links to credit reporting agencies to request a freeze.

Both these federal laws preempt state laws. The FACT Act preempts state law in a number of areas, including the sharing of information among affiliated companies. The Economic Growth, Regulatory Relief, and Consumer Protection Act preempts state security freeze laws, including those that would limit who can gain access to an individual’s credit record while under a credit freeze.