Privacy in the Online Ecosystem: Obligations and Best Practices Are Evolving

Preview of upcoming session at Strata Santa Clara

At the end of 2012, the Federal Trade Commission (“FTC”) hosted the public workshop, “The Big Picture – Comprehensive Online Data Collection,” which focused on privacy concerns relating to the comprehensive collection of consumer online data by Internet service providers (“ISPs”), operating systems, browsers, search engines, and social media. During the workshop, panelists debated the impact of service providers’ ability to collect data about computer and device users across unaffiliated websites, including when some entities have no direct relationship with such users.

As one example of the issues raised by the panelists, Professor Neil Richards, from the Washington University in St. Louis School of Law, stated that, despite its benefits, comprehensive data collection infringes on the concept of “intellectual privacy,” which is predicated on consumers’ ability to freely search, interact, and express themselves online. Professor Richards also stated that comprehensive data collection is creating a transformational power shift in which businesses can effectively persuade consumers based on their knowledge of consumer preferences. Yet, according to Professor Richards, few consumers actually understand “the basis of the bargain,” or the extent to which their information is being collected.

Over the past several years, the FTC and other federal and state regulators have been working to address such concerns through policy development, publication of recommended best practices, and enforcement against companies that handled personal data in a manner viewed as unfair and/or deceptive under trade practice statutes. For example, as to the first point, the FTC released its final privacy framework in March 2012 that provided best practices intended primarily for businesses that interact directly with consumers. The key principles in the report focused on providing consumers with notice and consent regarding the personal information that it collected from them and how that information is used or shared with third parties.

More recently, federal and state regulators have started to respond to the reality that the online environment―the fast growing mobile online environment in particular―is increasingly multi-layered and involves a range of different entities that may touch a consumer’s personal data. Earlier this month, for example, the FTC released the staff report Mobile Privacy Disclosures:  Building Trust Through Transparency, which provides a series of consumer privacy-focused recommendations targeted to all stakeholders in the mobile app ecosystem―including platform and operating system providers, advertising networks, analytics companies, and other third parties―rather than just app developers or service providers that may “own” the relationship with the consumer. The report stresses the need for greater collaboration, consistent communication, and self-policing among these ecosystem partners to ensure that customers receive proper notice about the data being collected, and that such data is properly protected.

My upcoming presentation at Strata Santa Clara will draw from these and other best practices and learning lessons to describe how companies, no matter where they reside in the online ecosystem, can avoid big privacy “don’ts” when collecting, storing, or sharing consumers’ personal data. I’ll describe key privacy-related developments led by state and federal regulators and break down how these events are likely to inform consumer privacy activities with respect to big data for the remainder of 2013. I look forward to seeing you there!

tags: , , , , , , , , ,