The Federal Trade Commission held its PrivacyCon event, featuring nineteen presentations showcasing original research regarding important consumer privacy and security issues by leading academics from universities and think tanks from around the world. A full video recording of the webcast is available here.
The conference took place in Washington on Jan. 14, 2016, and included discussion about the policy implications of the research being conducted with thought leaders from academia, research, consumer advocacy, and industry.
FTC Commissioner Julie Brill succinctly outlined the top concerns facing businesses as they navigate these problems. “At a high level, I think two principles should guide policy and practice. First, individuals have to be in the loop regarding decisions about what data is collected about them and how it is used….Second, I’m wary of solutions that depend too heavily on any one technical measure [to protect consumer privacy]. … But these principles leave many questions open and details unspecified. What data do consumers expect companies to collect from them? How do they expect companies to use this data? What do consumers understand about what actually happens to their data? Which aspects of data processing should be under consumers’ control? And how effective are the tools that companies offer to consumers to exercise control?”
Guidance and suggested approaches to address these concerns emerged across the presentations:
Privacy Notices and Enhancing User Understanding. The FTC’s Kristen Anderson noted several themes that emerged from one of the panels: (1) Notice seems to be failing. Form contracts are ubiquitous, permissions are being requested invisibly, and consumers rely on things other than privacy policies to decide whether to use an app and to form their expectations of how information is shared. (2) Companies’ policies and practices are not aligning with consumer expectations; instead, there are significant mismatches between what consumers expect and what actually happens. (3) Companies’ privacy policies should highlight unexpected data collection and use. For instance, Carnegie Mellon’s Ashwini Rao and Florian Schaub posited that a privacy notice should not have to inform a consumer about things they already expect; it should only have to inform them about collection or dissemination of information that is unexpected. This would enhance readability and encourage meaningful understanding and consent. Privacy notices should cut legalese and help users read selectively for the areas that matter to them. In another panel, Professor Joseph Turow of the University of Pennsylvania observed that there is a false assumption that consumers understand privacy tradeoffs, namely that because people openly share photos and other personal information on the web, they must consent to the kinds of data collection occurring on the sites they visit. Professor Turow’s research has found that, rather than consenting to this tradeoff, the majority of people feel resignation about data collection and are not weighing the costs and benefits at all.
These themes were repeated at the close of the conference by Lorrie Cranor, the FTC’s Chief Technologist, who emphasized that the collective goal is to make privacy policies more transparent and accessible.
The Costs of Data Incidents, and Particular Attention to the Health Care Industry. Sasha Romanosky, of the RAND Corporation, shared comprehensive data about the costs and causes of data breaches, security incidents, privacy violations and phishing. The presentation underscored the legal exposure companies face after such events and the value of prompt legal advice. RAND found that the most affected category of business is the health care industry. The legal landscape shows many private actions in federal court: he counted 1,687 legal actions arising from data breaches, 1,394 of which were civil. Of those, 1,123 were in federal court, and 977 of those were private actions. Perhaps even more interesting was his data on the costs of cyber events to businesses. Most of these events cost firms around $200,000. At the median, data breaches cost $170,000; security incidents $330,000; privacy violations $1.34 million; and phishing $150,000. Of particular concern is that many of the companies suffering these events are hit more than once: 38% of firms suffer multiple events, and the costs rise for repeat victims.
Particular Concern for Sensitive Health Data. In addition to facing a large share of data breaches, the health care industry faces other significant issues related to the sensitive medical data it stores and requests. Andelka Phillips (University of Oxford) and Jan Charbonneau (University of Tasmania) examined data privacy issues specific to direct-to-consumer (“DTC”) genetic testing. Phillips and Charbonneau began their presentation by noting that genetic data is the “most personal data” available. This data is inherently identifying, and unlike, say, a password, which can be changed following a breach, genetic data cannot be changed or revoked once it has been exposed. This raises the stakes for the health care industry in particular and makes clear the industry’s need for skilled counsel to help it navigate the risks of collecting this information. Also, whereas traditional genetic testing occurs within each country’s health care system and involves “patients”, DTC genetic testing is a commercial transaction that occurs in the marketplace, typically online, and is governed by contracts, terms of service and privacy policies. Significantly, DTC testing involves “consumers”, not merely “patients”, which brings consumer protection legislation into play and may implicate contract and negligence law.
Significantly, the FTC’s call for presentations for PrivacyCon requested research and announced its intent that “[t]he dialogue between researchers and policymakers must continue well after the PrivacyCon event.” Based on the themes that emerged through this year’s PrivacyCon panels, viewers and practitioners have been given a glimpse of the FTC’s priorities in the areas of privacy and data security for the coming months and years.