Big data, privacy, and the FTC

Recently, FTC Chairwoman Edith Ramirez announced that the FTC will be aggressively policing companies with control over large databases of information, and will crack down on companies that don’t practice what they preach with consumer data use and data security. This announcement comes right on the heels of FTC member Julie Brill’s op-ed in the Washington Post about the agency’s new standards of transparency for data brokers.

This should not surprise anyone, or cause anyone to panic. Large data brokers — “big data” — are a major privacy battleground, and if you’re not aware of that right now, you’re not paying attention. Companies that control, and can aggregate and analyze, vast quantities of different kinds of data are using their abilities to innovate, and we are only beginning to see how big data can be used for exciting predictive analytics (analyzing trends in current data in order to predict future trends). However, these same predictive analytic abilities also pose a privacy risk.

For example, since 2008, Google has been monitoring its search data to help fight the flu. Using pattern analysis on aggregated search queries, Google started correlating search trends to flu outbreaks. As it amassed more and more data, Google began doing predictive analytics on these search trends. It is now able to predict a flu outbreak based on these search patterns more quickly than the CDC can (because in the real world, people often put off going to the doctor when they have the sniffles, but they’ll do a Google search for home remedies). Because Google Flu Trends can predict large outbreaks, the CDC can get flu vaccine to affected cities in time.

That’s the positive side of big data. One of the negative sides is the way a store may aggregate and monitor its customers’ purchases so closely that it can predict changes in an individual’s health. For instance, Target assigns each of its customers a “pregnancy prediction” score based on their other purchases, such as lotion or vitamins, and begins to send coupons and advertisements accordingly. A customer became very angry upon receiving coupons from Target for diapers and cribs addressed to his teenage daughter, who had not yet disclosed to him that she was pregnant, and had certainly not intentionally disclosed it to Target or authorized Target to disclose her health information.

The FTC has to strike a delicate balance here between the beneficial promises of big data and the very real privacy issues that predictive analytics raises. In taking a position of aggressive policing, Chairwoman Ramirez has said that she wants to enable the FTC to “get out of the way of innovation while making sure that consumer privacy is respected.”

So what does this mean to you?

If you’re a consumer: not much. There are a lot of companies, and more each day, gathering your information, aggregating your data, and performing predictive analytics. All this means is that the FTC will be doing more stringent enforcement of these companies’ privacy practices, and that’s a good thing for consumers.

If you’re a big data company, or trying to become one, this is more interesting to you. As they say, forewarned is forearmed: you know that the FTC will be policing big data aggressively. Take your fate into your own hands.

  • Start by building privacy controls in from the beginning. Privacy by design is one of the FTC’s major cornerstones of good organizational privacy. If you approach your business venture knowing that there will be privacy concerns and build in ways to mitigate and manage those privacy concerns from the start, you’ll be much better off as your business grows.
  • Communicate your privacy practices clearly to your users. You don’t have to hold back from doing the things that make your business work. You just need to tell your users what things you’re doing, and allow them to make informed decisions. When users can make informed decisions based on clearly presented facts, they are more likely to trust you with their information.
  • Establish good internal privacy and security policies so that your company can keep its promises. You may have the greatest privacy policy in the world, but if your employees aren’t reading it and don’t know what your promises are, then they won’t be able to follow it. Your application developers won’t be able to build privacy controls into new updates if they don’t know the rules. Your network and firewall administrators can’t set up security policies that are in line with what you have promised.
  • Maintain good data security practices, so that your users aren’t harmed when they give up their data to you. Inadequate data security is a problem for any company, but it can be catastrophic for big data brokers who have vast stores of consumer data. The FTC will be specifically looking for companies who are putting their customers at risk by failing to keep data secure, so set up good data encryption schemes, patch your equipment properly, and educate your internal users on good practices.