JULIE BRILL: Consumers do have responsibility to understand their data and to protect it the best way they can.
But the data collection and use that consumers face online, on their mobile apps and with connected devices, will be much too complicated for them to navigate on their own. And once we get to the world where the Internet disappears and where all of our devices will automatically connect, it’ll be harder for consumers to deal with this.
Companies need to proactively help consumers.
Consumers’ attention is a precious resource and needs to be engaged when truly necessary: Like when there’s going to be data shared with an unexpected third party, or for a use beyond the ways consumers would expect given who they’re interacting with.
There’s a real problem when it comes to third-party data collectors like ad networks. Advertisers and ad networks really need to step up to the plate to provide more usable tools for consumers, so they can understand who these third parties are that are collecting this information.
You’ve spoken about a portal where consumers can see what information various data companies have. Logistically, how would that work, given the amount of stakeholders involved and the amount of data that’s out there?
The ad tech industry says they have a portal in AdChoices. My concern is that consumers don’t see it, they don’t interact with it and when I tried to interact with it, it’s highly nonfunctional. The industry says they have a tool, but it needs a lot of work.
The IoT further complicates the ecosystem. What sort of tool could help consumers make decisions around connected device data?
The home command center for connected devices can be used as a portal to inform consumers about privacy and data security issues, so consumers can make choices about the entities who can see their information – other than the product manufacturer who might need to use the information for functionality purposes.
And there are ways this can happen in addition to the home command center – if we get to a place where we have machine-readable privacy policies.
Forty percent of information flowing with respect to the Internet of Things is machine-to-machine communication, not machine-to-human. We need to engage that communication by having privacy policies that are machine-readable. If we have that, a consumer can set her smartphone to indicate her privacy choices. She walks into a room, hits the relevant privacy app and that app reads her privacy policies with regard to the connected devices in that room. The app can then make choices about what information can be collected, based on what the consumer’s choices are.
One area where there’s been an effect is the issue of data transfers about European citizens to the US. The EU has concerns about the government collection of data and has implemented a conversation with the US government about what had been known as Safe Harbor, the prior data transfer mechanism. Now they have announced a new data transfer mechanism, which in my view is greatly improved.
At a much broader level, if you look at the laws the Europeans are in the process of implementing – the General Data Protection Regulations – you’ll see a lot of American concepts in that. There’s a Children’s Online Privacy Protection Act provision, a data breach notification provision and privacy by design, which is something the FTC has long been championing and which we borrowed from a brilliant Canadian woman named Ann Cavoukian.
There’s a robust conversation traveling across the Atlantic, with regard to data protection mechanisms and best practices. It’s not just the European thought leaders [who] are influencing the US, which they are. But the US stakeholders are helping to influence and shape what’s happening in Europe.
One of the big questions at the IAPP conference was: What’s the difference between the FTC and the FCC?
The FCC will only be involved with certain types of companies, for example, telcos or ISPs. The FTC does not have jurisdiction over common carriers. When the FCC declared ISPs to be common carriers, it took away our jurisdiction over ISPs. Not that we’ve done a whole lot involving ISPs, but we’ve brought a few important cases, including one still pending.
The FTC has long been involved with privacy and data security. The FTC uses the deception and unfairness authority under the FTC Act, where we proceed against companies engaged in deceptive or unfair acts. We have the authority to enforce various statutes like COPPA (Children’s Online Privacy Protection Act), the FCRA (Fair Credit Reporting Act), certain aspects of the Gramm-Leach-Bliley Act and other laws that touch on privacy, like CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing Act) and aspects of HIPAA HITECH (Health Information Technology for Economic and Clinical Health Act). We also have very broad, remedial authority to use the unfair and deceptive acts and practices authority.
The FTC has the authority to obtain redress and to place companies under orders for a long period of time if we so choose. The most important authority we have that the FCC doesn’t is the ability to get redress for consumers.
On the other hand, the FCC has the authority to write rules and seek penalties. We have some penalty authority under the FCRA and COPPA, but we don’t have general civil penalty authority, which the FCC does.
You can see why I’ve said it’s an increasingly complicated landscape.
But there are some instances where the carrier also is a player in online advertising and data – like Verizon, which purchased AOL.
I won’t respond with respect to any particular company, but I’ll talk about the way the agencies have worked together.
The FTC has worked with a lot of different agencies where our jurisdiction has overlapped. The CFPB (Consumer Financial Protection Bureau) has a great deal of jurisdiction involving financial fraud, and we share jurisdiction with them when it comes to credit reporting, debt relief, payday lenders – I could go on.
We’ve created a memorandum of understanding between the two agencies on how we work together and communicate, and it’s working fine. Similarly, with the FCC, we’ve also developed a memorandum of understanding about how we’ll work on cases where we have mutual authority and interests. That’s newer, but it’s also working just fine.