FTC Takes Big Data Privacy Seriously

I’m still trying to catch up from last week’s Gigaom Structure conference, where I spent two days listening to the Big Data industrial complex yak about itself. Besides the usual buzzword cloud (recommendations, analytics, Hadoop), there was an interesting privacy subtext. And while many are willing to ignore any kind of privacy issues in Big Data and anoint self-regulation as a savior, a few did explicitly talk about the risks of holding data on millions of consumers.

The references to data privacy came up, not surprisingly, in the context of financial, medical, and government agency use cases–the only areas with strong federal privacy and data security laws. I heard Booz Allen’s Peter Guerra bring up the 1st privacy commandment of Big Data for governmental use–“thou shall not integrate two data sets”. Federal laws on data privacy and the sharing of data between agencies go back to the Privacy Act of 1974. The health sciences have similar rules of thumb because of HIPAA and some other regulations.

So who’s minding the privacy shop for consumers these days? The FTC has taken over this job under its unfair and deceptive practices mandate. It has brought actions and reached settlements against all the usual suspects–Google, Facebook, Path, Rapleaf–for saying they were protecting the privacy of subscribers when they really were not.

Anyway, the FTC’s Daniel Kaufman, Deputy Director of the Bureau of Consumer Protection, was on hand to say that they’re looking at the data broker industry. The FTC is going to release a report this year on the results of their investigation into nine of the more prominent players. While Kaufman would like to see Congress pass new privacy legislation and give the FTC the power to charge civil penalties, for now the FTC is officially hoping self-regulation mania will sweep the industry–ha!

As one of the few attendees who can claim to have read through most of the FTC’s 2012 report, Protecting Consumer Privacy in an Era of Rapid Change, which Kaufman mentioned, I knew the official line on privacy–industry should adopt “privacy by design” principles. However, the report’s recommendations call for targeted legislation aimed at the data brokers, and it is the basis for the President’s own privacy “Bill of Rights” legislation–which has not gone anywhere.

During questioning, Kaufman was asked whether the FTC could enforce a “data label” for web services, the same as the FDA does for drugs and food. Of course, the agency can’t quite do that–they don’t have that kind of power for the still very unregulated Intertoobz. But they are interested in a more human-readable disclosure explaining what’s being done with your data–what the EU already has.

We’ll have to wait a little longer for the data broker report, but I suspect it may give them enough leverage to finally set down some rules of the road for Web privacy.