Protecting consumer privacy has become increasingly challenging. As a result of rapidly changing technology, companies can collect, store, analyze, and share vast amounts of data about consumers. This provides opportunities to aggregate many different pieces of data and create detailed profiles of individual consumers that can be used for a wide range of purposes. Although many of these purposes are beneficial to consumers, they can also raise privacy concerns.
One result of changing technology is that the distinction between personally identifiable information (PII) and non-PII has blurred. Companies now potentially can learn a consumer’s identity from analyzing extensive data, even if the consumer information did not initially contain PII. Moreover, not only does the technology to re-identify non-PII data currently exist, but also companies may have a strong financial incentive to use it.
The differentiation between offline and online information has similarly blurred, making it necessary to consider the privacy implications of data in a more comprehensive manner. With the proliferation of Internet-connected devices, companies are able to track consumers’ behavior and collect unprecedented amounts of data about many aspects of their lives. In some cases, this happens without the consumer’s knowledge.
In 2012 the Federal Trade Commission (FTC) released a privacy framework that provided a list of best practices that it recommends businesses adopt to provide consumers with greater control over their online and offline information privacy. These best practices are designed to update the Fair Information Practice Principles first developed some 40 years ago. The framework’s key principles are:
- privacy by design—privacy should be built into every stage of product development;
- greater transparency—practices regarding information collection and use should be more transparent. Privacy statements should be clearer, shorter, and more standardized. This will allow for better comprehension and comparison of privacy practices. General statements buried in privacy policies are not sufficient.
The FTC also called on Congress to pass legislation that provides baseline privacy protections for consumers. Such legislation would allow for civil penalties and other remedies. It would provide companies with an incentive to meet their data privacy obligations.
Data brokers are of particular concern to the FTC. Data broker companies collect, collate, analyze, and sell information about consumers’ online and offline behavior. Such companies often collect information about financial, retail, and recreational activities to create profiles of individual consumers. Unlike consumer reporting agencies, data brokers are not required to provide consumers with access to the information they have collected about them. As a result, most consumers are unaware that data brokers exist and do not know what kind of information is being sold to other companies.
The FTC recommends that Congress pass legislation that would provide consumers with access to their information held by data brokers and create a centralized website where data brokers can identify themselves to consumers and provide details on the rights of consumers to access their information.
Another area of concern is the tracking of consumers’ online browsing habits by a variety of marketing and other companies. Information about a consumer’s online activities can be collected, analyzed, shared, and sold without the consumer’s knowledge. This has led some to call for a centralized do-not-track mechanism that would allow consumers to opt out of tracking and control the collection and use of their online browsing data. Although such a list faces numerous technical challenges, it potentially could help strengthen the current mechanisms employed in the marketplace.
Social networking has rapidly increased in popularity as a means for friends and relatives to stay in contact with one another. However, the personal data some individuals make available through social networking sites raises potential privacy concerns and can even lead to identity theft. A study by PC World found that one-third of those using social networks post at least three pieces of personally identifiable information in their online profiles. Information such as date or place of birth, address, and mother’s maiden name can provide identity thieves with enough information to commit identity theft.
In 2015 an estimated 13.1 million Americans were victims of identity theft, resulting in the loss of $15 billion to businesses and consumers. Federal and state legislators have passed laws to combat identity theft. At the federal level, the Fair and Accurate Credit Transactions (FACT) Act of 2003, which amended the Fair Credit Reporting Act, contains measures to help prevent identity theft and help victims restore their credit. The FACT Act preempts state law in a number of areas. These include the sharing of information among affiliated companies.
Information Privacy: Policy
Sharing financial data
Policymakers and the private sector should protect against the collection, use, and dissemination of personally identifiable information (PII) and information about consumers’ use of financial, credit, retail, and communications services without prior authorization or consent.
Consumer control over information sharing
Existing and emerging technologies should embed privacy protections into products from the design stage forward.
Consumers should not have to pay to block the sharing of information about their use of financial, credit, retail, and communications services, nor should they be forced to comply with burdensome procedures to ensure that protection.
Consumers should have the opportunity to determine whether their non-publicly available information should be used or disclosed for purposes other than those for which the information was originally provided.
The principle of informed consent should govern the disclosure or sharing of all sensitive non-publicly available information (see Chapter 7, Health—Privacy and Confidentiality of Health Information, regarding the privacy of medical records; and Chapter 10, Utilities: Telecommunications, Energy and Other Services—Privacy Protections in the Use of Telecommunication and Utility Services, regarding privacy in telecommunications and energy use).
Privacy statements should be clearer, shorter, and more standardized, and should provide choices that are easy for consumers to use so that they can provide informed consent.
Congress should ensure, in cooperation with private-sector self-regulatory initiatives if possible, that individuals and companies collecting or purchasing and using information on consumers adhere to established privacy framework recommendations.
Legislation should be enacted to ensure that privacy is consistently protected online and offline, based on established privacy framework recommendations.
Reidentification of data
Do not track
Consumer access to personal information
Consumer profiling using electronic coupons
The federal government should strengthen protections and enforcement against identity theft, particularly with regard to information and database security in federally regulated financial institutions and other businesses that maintain large databases of consumer information.
States should strengthen protections against identity theft in areas not clearly preempted by federal law.
States should enhance penalties for identity theft to encourage enforcement and prosecution.
States should allow victims to make reports of identity theft at convenient locations.
Greater resources and training should be provided for state and local law enforcement personnel to improve their response to victims and increase interjurisdictional cooperation in investigating identity crimes and apprehending perpetrators.
Financial education programs should include training about the dangers of posting PII on social networking sites.