As the Federal Trade Commission prepares to release a new framework of privacy principles to prod the Internet industry toward tighter protections for consumers' online data, one of the agency's commissioners said that she has grown particularly alarmed at the unchecked actions of data brokers to mine, analyze and potentially sell sensitive information.
Speaking at the George Washington University law school to mark Data Privacy Day, FTC Commissioner Julie Brill warned that companies engaged in the collection and sale of consumer data can expect closer scrutiny from the agency as it moves broadly to step up its efforts in the privacy arena.
Those concerns are heightened when reports bubble up about data brokers pairing online and offline information and packaging it into a predictive model that a life insurance provider, for instance, could use to shape the terms of a policy.
"Analysts are undoubtedly working right now to identify certain Facebook or Twitter habits or activities as predictive of behaviors relevant to whether a person is a good or trustworthy employee, or is likely to pay back a loan," Brill said. "Might there not be a day very soon when these analysts offer to sell information scraped from social networks to current and potential employers to be used to determine whether you'll get a job or promotion? Or to the bank, where you've applied for a loan, to help it determine whether to give you the loan and on what terms?"
In December 2010, the FTC released a preliminary report offering basic guidance for policymakers and members of Congress on a set of principles the agency had developed after a series of meetings with industry stakeholders, businesses, industry groups and others. That report laid out a series of proposals for protecting consumer privacy, including the idea of a do-not-track mechanism that would allow users to opt out of data collection programs patterned after the national do-not-call registry for telemarketers, with the final framework expected to be released early this year.
Brill indicated that the final report, which will formally stand as a set of nonbinding recommendations, will reinforce the guiding principles that animated the preliminary proposals, namely that companies should incorporate privacy by design as they develop new products, services and policies, and that users should be given the choice not to share information and businesses should make their data collection activities transparent.
While many Web companies and advertising outfits have taken steps to give users more insight into their profiles and control over what information is collected, privacy advocates continue to call on the FTC to take a tougher stance on the issue. And in certain instances it has. The agency last year reached high-profile settlements with Google and Facebook over complaints of unfair and deceptive practices and misleading disclosures, for instance, agreements through which the companies will submit to periodic reviews by an independent auditor, among other conditions. Asked about Google's recent changes to its privacy policies, Brill declined to comment, citing the consent agreement her agency reached with the search giant. "It is something that is certainly of interest," she said.
Data Brokers a Quiet Threat
While the privacy practices of the Internet heavyweights often command the headlines, Brill sees in data brokers a much lesser-known threat to consumer privacy, given that those outfits largely operate behind the scenes.
"I am calling on data brokers to take the transparency principle and put it into practice," Brill said, urging industry players to collaborate on a set of best practices, much as online advertisers have.
"Develop a user-friendly, one-stop shop where consumers can gain access to information that data brokers have amassed about them and, in appropriate circumstances, give consumers the ability to correct that information," she added. "Data brokers need to get cracking now to put something like this into place."
In practice, the FTC's enforcement authority in the area of online consumer privacy is limited without action on the part of Congress, and most observers agree that it is highly unlikely that any of the various legislative proposals that have been floated to address the issue will gain political momentum in this election-shortened session.
However, the agency does have its own established mandates through which it can bring enforcement actions, as it did in the cases of Facebook and Google. Brill signaled that data brokers can expect similar scrutiny, though she acknowledged that the industry remains shadowy, and that many of the businesses engaged in data dealing might not even be aware that they are operating in a regulated market.
"We don't know who all of them are," she said. "Many of the data brokers ... may not realize that they are engaging in activities that may fall under the Fair Credit Reporting Act."
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com. Follow everything from CIO.com on Twitter @CIOonline
Read more about government in CIO's Government Drilldown.