It’s Not How Much Data You Have, But How You Use It
On Thursday, December 6, 2012, the FTC is hosting a panel to “explore the practices and privacy implications of comprehensive collection of data about consumers’ online activities.” Initially envisioned to grapple with the question of ISPs using data about consumers for advertising, the topic for discussion has since broadened to include a range of business models that “have the capability to collect data about computer users across the Internet, beyond direct interactions between consumers and these entities.”
To help inform the discussion, FPF has released a white paper entitled “It’s Not How Much data You Have, But How You Use It: Assessing Privacy in the Context of Consumer Data Integration.” The paper seeks to explain the market factors driving companies to provide an increasingly wide range of integrated services to consumers. We point to consumer demand for interoperability; the need for companies to maintain their channel to the consumer across multiple platforms and devices; the need for access to social content and signals; and innovative data uses that benefit consumers.
Expansions in data collection and new integrated uses have repeatedly been the cause of privacy concerns. But rather than impose new obligations on companies solely because of factors such as comprehensiveness of data, we propose a logical extension of the concept of context, which was introduced by the White House and FTC reports earlier this year. When data is used in new contexts, corporate practices should be judged by the nature of such new contexts and the communication needed to engage consumers without creating a “privacy lurch.” Important factors to consider include the nature of the new context; the value of the new data use; and the expectations a consumer may have developed with respect to a given “brand.” An evaluation based on this “enhanced context” model may warrant a decision to rely solely on good communication without providing consumers with additional choice. Alternatively, it may call for consumer opt-out rights or even express consent, if the nature of the shift in context and supporting factors so warrant.
Attached to the white paper are two annexes prepared by the FPF staff to describe the range of devices and services offered by leading companies and selected examples of integration of data across services and choices provided.
FCC Ruling Allows “One-Time Opt-Out Confirmation Messages” to Continue
The Federal Communications Commission (FCC) has issued a declaratory ruling confirming “that sending a one-time text message confirming a consumer’s request that no further messages be sent does not violate the 1991 Telephone Consumer Protection Act (TCPA) or Commission rules.”
The FCC ruling comes in response to a petition filed earlier this year by SoundBite Communications, a company that provides text message communication services to consumers on behalf of its clients.
The FCC emphasized certain criteria to ensure that one-time opt-out messages do not violate the TCPA or Commission rules:
The sender of the text message has “obtained prior express consent…from the consumer to be sent text messages using and an automatic dialing system.”
The text message confirms the consumer’s opt-out request and does not include marketing or promotional information.
The text message is sent within five minutes of receiving the consumer’s opt-out request or the sender can demonstrate that any delay was reasonable.
The text message is the only additional message sent to the consumer once the opt-out request is received and does not extend to a follow-up confirmation call.
The Future of Privacy Forum filed comments with the FCC encouraging it to grant the petition, explaining the importance of opt-out confirmation messages in cases where consumers are at risk of privacy invasions or identity theft. Opt-out confirmation messages can help companies verify that individuals requesting the opt-out is in fact the subscriber, provide a record of opt-out activity in case the subscriber temporarily loses physical control over the phone, and will likely prompt-further inquiry in cases where the subscriber did not actually opt-out.
SoundBite sought the FCC ruling to reduce the TCPA’s legal ambiguity in this area, which has resulted in numerous lawsuits against communications service providers.
Chris Wolf to speak on Privacy Data Protection: Transatlantic Developments
Microsoft hosts a discussion panel on the future direction of U.S. privacy policy, the overhaul of the European Data Protection Directive and the transatlantic relationship.
A PANEL DISCUSSION WITH:
Justin Brookman (moderator)
Director, Center for Democracy and Technology, Project on Consumer Privacy
Stacy Feuer
Assistant Director for International Consumer Protection, Federal Trade Commission
Mike Hintze
Assistant General Counsel, Microsoft
Kurt Wimmer
Chair, Global Privacy and Data Security practice, Covington & Burling LLP
Nov. 28, 2012 – FPF Senior Fellow Peter Swire to Take on Do Not Track
Best of luck to FPF Senior Fellow and the Ohio State University Moritz College of Law Professor Peter Swire, as he takes on the effort to forge a practical solution for Do Not Track.
Peter’s experience and his evenhanded approach to forging privacy solutions makes him uniquely qualified to take on this challenge.
Jules Polonetsky and Christopher Wolf
Co-Chairmen, Future of Privacy Forum
FPF Senior Fellow Peter Swire Quoted in NYT Front Page Story on ECPA
FPF Senior Fellow and the Ohio State University Moritz College of Law Professor Peter Swire was quoted today in a New York Times front page story highlighting challenges to applying the 1986 Electronic Communications Privacy Act (ECPA) to mobile technologies.
Here is a passage:
As technology races ahead of the law, courts and lawmakers are still trying to figure out how to think about the often intimate data that cellphones contain, said Peter P. Swire, a law professor at Ohio State University. Neither the 1986 statute nor the Constitution, he said, could have anticipated how much information cellphones may contain, including detailed records of people’s travels and diagrams of their friends.
“It didn’t take into account what the modern cellphone has — your location, the content of communications that are easily readable, including Facebook posts, chats, texts and all that stuff,” Mr. Swire said.
The article cites a series of divergent rulings regarding the admissibility of information obtained from cellular devices, highlighting the lack of a clear legal standard on cellular information and privacy.
The NY Times article was published ahead of Thursday’s Senate Judiciary Committee vote on a proposed amendment to ECPA.
Personal reflection and report: together at the 34th annual meeting of data protection authorities and privacy commissioners
FPF Founder and Co-chair Christopher Wolf has captured some of the remaining differences in international approaches to privacy in his reflections on last month’s 34th annual meeting of data protection authorities and privacy commissioners in Punta del Este, Uruguay.
The article is featured in the International Association of Privacy Professionals’ (IAPP) current issue of “the Privacy Advisor.”
FPF to co-host App Developers Privacy Summit series in D.C. on Nov. 29th
We’re hosting an event with the Application Developers Alliance in D.C. on Thursday, November 29th and we would love to see you there! It’s free to register, but space is limited. Here are the details – please feel free to share this information with anyone who might be interested:
Free Happy Hour + Application Developer Privacy Conversation – Thursday, November 29 at Living Social
WHAT: Happy Hour and Open Discussion – How are privacy policies going to impact developers’ work? What can you do influence the debate? No charge, but you must register to reserve a spot – REGISTER NOW
WHO: Leading the discussion — Tim Sparapani, Sr. Advisor for Policy and Law, Application Developers Alliance; Colin O’Malley, Chief Strategy Officer, Evidon; Jeff Brueggeman, Vice President-Public Policy and Deputy Chief Privacy Officer, AT&T; Michael Mayernick, Co-Founder, Spinnakr; Jules Polonetsky, Co-chair and Director, Future of Privacy Forum; FTC representative (tbc)
WHEN: Thursday, November 29 – 6:30-9:30pm
WHERE: Living Social, Dupont Room — 918 F Street, NW Washington, DC 20004
WHY: Developers are in the crosshairs of a nationwide explosion of lawmaking. Legislators and regulators are making decisions about software privacy that will make your work more difficult, and this is your opportunity to make your voice heard. Anyone who writes software — no matter the language or platform — must understand the issues and take the lead in the discussion to ensure privacy protections are effective but do not impede growth in the business of creating software.
That’s why we’ve brought the privacy conversation to developers in cities across the U.S. The series includes conversations guided by discussion leaders to help developers better understand the changing privacy landscape and give them a voice in the dialogue. This isn’t a heavy event, it’s a conversation led by and for developers which is why we’re also providing a fully stocked happy hour. Because we know even the biggest challenges can be solved over a few beers (just not too many). REGISTER NOW.
Nov. 13, 2012 Epic.org Privacy Chat via Twitter #PrivChat
This weeks event features FPF Senior Fellow, Peter Swire. Peter is Faculty Advisor for 2012-2013 Symposium “The Second Wave of Global Privacy Protection” to be held on November 16, 2012.
Topics to be discussed can be submitted in advance of the chat, either on Twitter using the #PrivChat OR via the Privacy Camp Blog.
For more information and how to join the conversation click here.
New Smart Grid Research Shows Last Generation Technologies Pose Privacy Risks
Researchers at the University of South Carolina have published research showing that some types of electrical meters are broadcasting unencrypted information that could enable eavesdropping on energy usage data. New meters based on AMI (advanced metering infrastructure) should avoid this problem because they use encryption as recommended by the National Institute of Standards and Technology’s Smart Grid Interoperability Panel.
Proposed Framework for a Policy Protecting Customer Information Privacy in Michigan
The Michigan Public Service Commission (MPSC) recently requested information and comments related to its proposed framework for a policy protecting customer information privacy. The Commission’s current rules, 1999 AC, R 460.101 et seq., Consumer Standards and Billing Practices for Residential Customers provide some limited protection of customer privacy with respect to billing information. The new framework under consideration is a set of best practices intended to address customer data privacy related to advanced metering infrastructure.
While many of the suggested protection will be welcome, it is worth flagging at least one aspect of the framework, which will make it extremely inconvenient for consumers who want to easily activate new devices that responsibly take advantage of smart grid data. The framework requires that “customer usage data, personally identifiable information, and certain other customer information are only disclosed to third parties with the customer’s written consent.” Companies with responsible privacy practices in place should be able to use electronic means to make consent simple for consumers.
