Comcast Newsmakers: Jules Talks Consumer Privacy and Location-Based Services

In a recent episode of Comcast Newsmakers, Jules discussed the many new ways that data about your location is being used — such as navigation or helping you connect with friends. He addressed what can you do to protect the privacy of that data? A conversation with Jules Polonetsky, Executive Director and Co-Chair of the Future of Privacy Forum.

When Opting Out of Student Data Collection Isn't the Solution

Opting-out, whether for testing or other activities, is getting a lot of press in the Education world right now.  Jules and I recently wrote for EdSurge on this topic…when it is, or isn’t, the right policy decision.

The bottom line? “Opt-out rights should be an opportunity for parents to decline uses of data that truly are secondary to the functioning of our educational system – not an opportunity to avoid resolution of education policy issues that affect all students.”

Check out the full article here.

Posted by: Brenda Leong, Legal and Policy Fellow/Education Privacy

Comparing the Data Broker Bill to the Consumer Privacy Bill of Rights

Considering the privacy concerns raised by data brokers, we thought it would be useful to compare how data brokers are treated under Senator Edward Markey’s recent data broker bill, which has considerable support from privacy and consumer advocates (as well as Senators Blumenthal, Franken, and Whitehouse), and under the Consumer Privacy Bill of Rights.

The different receptions each bill has received is interesting in light of the fact that Sen. Markey’s bill echoes much of the Consumer Privacy Bill of Rights (CPBR) by giving consumers greater access to and control over personal data collected about them. While the CPBR has a broader scope and attempts to set out privacy and security obligations across sectors and industries, its provisions would still apply to data brokers and perhaps accomplish some of the same aims as the Markey bill.

Scope: Who and What Gets Covered?

The Markey bill applies exclusively to data brokers, which are defined as a “commercial entity that collects, assembles, or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell the information or provide third party access to the information.” The CPBR applies to any “covered entity” that collects, creates, processes, retains, uses, or discloses personal data, which would include data brokers. Though it does provide several carve outs, it is unlikely that most data brokers within the meaning of the Markey bill would fall under any of the exceptions in the CPBR.

The CPBR has a far more detailed definition of personal information, which echoes the definition used by the Federal Trade Commission. It focuses on any information that is linked or linkable to a specific individual – or that is linked to a device that is associated with or routinely used by an individual. The definition sets forth a non-exhaustive list of types of personal data (notably “unique persistent identifiers” and “unique identifiers or other uniquely assigned or descriptive information about personal computing or communication devices”). It carves out de-identified data (detailing the requirements for data to be considered de-identified), deleted data, employee information and some “cyber threat indicators.”

The Markey bill does not give a precise definition of personal information but does differentiate between non-public and public record information, placing different correction requirements on data brokers for each category. The Markey bill emphasizes that non-public information is “of a private nature,” but it is unclear whether non-public information would precisely capture all of the types of data envisioned by the CPBR definition.

Transparency Obligations

Both acts would oblige data brokers to provide the individual with a clear and conspicuous notice. The Markey Bill requires the data broker to maintain an internet website to allow individuals to review information about them and to express their preferences. The CPBR does not have this requirement, but the broader bill is more precise with regards to the content and format of the notice, which shall inform the consumer about the company’s privacy and security practices.

Accuracy, Access, and Correction Rights

Both bills require data brokers to maintain reasonable procedures to ensure that personal data under their control is accurate. However, the core of both bills is focused on improving consumer access to their personal data, as well as their ability to correct any inaccuracies.

1. Access

The Markey bill and the CPBR would set out obligations for data brokers to provide consumers with access to their information upon request. In terms of access requirements, the Markey bill requires data brokers to “provide an individual a means to review any personal information or any other information that specifically identifies that individual, that the data broker collects, assembles, or maintains on that individual.” The CPBR requires that individuals be given “reasonable access to, or an accurate representation of, personal data that both pertains to such individual and is under the control of such covered entity.”

Although both bills offer an access right, the CPBR contains some limitations that could result in consumers being denied access by data brokers. Specifically, the bill states that the “degree and means of any access shall be reasonable and appropriate for the risks associated with the personal data, the risk of adverse action against the individual if the data is inaccurate, and the cost of the covered entity of providing access.” There is considerable question about how these considerations might limit access.

2. Correction

Both bills require data brokers to give individuals the ability to challenge the accuracy and completeness of any personal data they hold about a consumer. If a consumer can prove an inaccuracy, the Markey bill requires the data broker to correct the information. It is interesting to note that the CPBR would allow a data broker to decline to correct an inaccuracy in cases where the use of incorrect data cannot result in an adverse action against an individual, but then gives consumers the right to demand the information be deleted.

While the CPBR places a number of limitations on consumer access, the Markey bill places similar limits on the ability of consumers to correct information. For example, the CPBR limits access requests that are “frivolous and vexatious,” and the Markey bill allows data brokers to deny requests to correct information that it believes are “frivolous or irrelevant.”

Individual Control and Accountability

The CPBR emphasizes the importance of individual control, and would require data brokers to provide individuals with “reasonable means to control the processing of personal data about them in proportion to the privacy risk to the individual and consistent with context.” However, the bill is largely silent as to what “reasonable means” could entail, but it allows for companies to satisfy the right of individual control by permitting individuals to request that their personal information be de-identified. The Markey bill is more direct, giving individuals the right to stop data brokers from using, sharing, or selling their personal information for marketing purposes through an opt-out mechanism.

The Markey bill’s accountability obligation consists only of an auditing requirement, requiring each data broker to “establish measures that facilitate the auditing or retracing of any internal or external access to, or transmission of, any data containing personal information collected, assembled, or maintained by the covered data broker.” The accountability obligations are much broader in the CPBR. It includes, but is not limited to, employee training, audits, “privacy by design,” and contractual requirements.

***

Despite the completely different reception each bill received, this short analysis suggests that both would impose similar obligations on data brokers. Both work to improve transparency around data practices and to improve consumer’s access to the vast array of personal information being held by data brokers.  There is no question many provisions in the CPBR have been sharply criticized, but the bill could largely facilitate the same goals as the Markey bill. In some respects, the broad nature of the CPBR even allows the bill to go further than the Markey bill, offering important security obligations and contextual considerations that are not addressed by the Markey bill at all.

-Joseph Jerome and Bénédicte Dambrine

FPF Senior Fellow Peter Swire Receives Privacy Leadership Award

The Future of Privacy Forum congratulates our Senior Fellow, Peter Swire, on receiving the 2015 Privacy Leadership Award from the International Association of Privacy Professionals. Peter has worked with FPF since 2010 on a wide range of privacy and cyber-security issues, such as encryption, Big Data, and many more. His current work with FPF includes research on de-identification, Mutual Legal Assistance Treaties, and privacy for the Internet of Things.

Here are Peter’s remarks from the March 6 IAPP Summit, when receiving the award:

 

I’d like to thank the Academy.

I am honored to receive this award and humbled to do so with many people in this audience who have inspired me and done so much to protect privacy internationally, and over so many years.

My thanks to the IAPP, its Board, and Trevor Hughes for his amazing leadership.  Isn’t this Summit amazing?

This moment has led me to reflect on how I first became involved in privacy, and why.  I would highlight four things.

First, I have had a life-long fascination with the intersection of technology, policy, and law.  I love science fiction, and I especially love stories about how people and societies respond to new technological challenges.  In many ways that’s what we do as privacy professionals.

Second, I love doing research. How can we make sense of the complex issues that face us?  My first article on the law of the Internet was in 1993, and the issues have kept coming fast and furious ever since.

Third, I am drawn to public service and solving real-world problems.  Some of those experiences were mentioned in the introduction by Jim – my work as Chief Counselor for Privacy in the Clinton Administration, the efforts to craft a global DNT standard, and then President Obama’s Review Group on Intelligence and Communications Technology.

Fourth, working on privacy gives me an opportunity to teach, and hopefully inspire, a new generation of students and privacy professionals.  One great pleasure of attending IAPP functions is the opportunity to talk with former students and see how they have grown into leaders in their own right.

Today and moving forward, I feel fortunate to be part of some amazing organizations, as we study and address some of the most pressing privacy problems in the world.

First, is Georgia Tech, my new home since 2013.  Each fall I co-teach a privacy and technology course with the one and only Annie Antón. One exciting part about being at Georgia Tech is the work we are doing to bring technologists and engineers together with law and policy —  and we have multiple research streams on IoT, cybersecurity, and numerous other topics.

Second, I recently started as a Senior Counsel with Alston & Bird.  Jim Harvey and David Keating lead an outstanding team of privacy and cyber lawyers.  I am excited to be solving real-world problems for clients in this new setting.  I welcome all of you to come speak with us if we can be of assistance.

Next, I continue as a fellow with the Future of Privacy Forum.  Jules Polonetsky leads the day-to-day efforts with his incredible energy and intelligence, including a growing list of successful self-regulatory agreements.  Chris Wolf, the other co-founder, many of you know for the grace, class, and insight he brings to every endeavor.

Finally, on the list of organizations I am proud to be affiliated with, the Center for Democracy and Technology this year welcomed Nuala O’Connor as its new leader.  I was on a panel just yesterday with Nuala, and it will be exciting for all of us to see where she will lead.

A passion for research, solving practical problems, providing thought leadership, and articulating moral vision – those are themes, I hope, for the work of many of you in this audience.

We are fortunate to be privacy professionals in this era when privacy is at the center of so many important debates in our society.  My thanks to the IAPP for this award today.  My bigger thanks to all of you for what we can build together in the years to come.