- Media Mentions
- Press Releases
- Blog Posts
- State Lobbying & Gift Law Guide
FTC Releases Important New ‘Big Data’ Report
As “Big Data” concerns continue to stimulate substantial debate among legislators, regulators, and privacy advocates, the Federal Trade Commission (FTC) has released its latest report outlining a variety of specific risks and concerns in this area. While the report does not by itself create new compliance obligations for businesses, it raises a variety of important questions that businesses should be assessing in their own operations, highlights existing laws that can be used by the FTC to engage in enforcement in this area, and, in general, identifies areas of concern where the FTC will be looking for ways to protect consumers going forward.
The FTC Report, “Big Data: A Tool for Inclusion or Exclusion,” also includes the key tagline for businesses in its title – “Understanding the Issues.” This document is an important read for businesses engaged in any kind of “big data” activities – including many companies that may not realize their involvement with big data. It does not purport to resolve the many questions raised by the use of “big data” analytics, but it provides an important and useful framework for companies to utilize in evaluating their overall approach to big data. In particular, it focuses on identifying potential “risks” from big data, with a specific emphasis on “the impact of big data on low-income and underserved populations.”
So what are the primary takeaways from this document for companies?
This is an important and useful document, but is not a specific compliance requirement and does not set out specific rules that the FTC expects to be followed. So pay attention, but don’t panic.
But read it carefully.
Nonetheless, it is information that should be reviewed and evaluated by a broad range of companies, including by senior management focusing on strategic data activities. One of the key areas for thought is simply how many companies may be affected – one of the key elements for big data involves how many new companies are creating and gathering potentially useful personal data, and how many new sources of data may be available for analysis by companies that are considering their data analytics capabilities. Obviously, these issues affect consumer-driven businesses directly, but it is important for a much broader range of companies to consider (1) what data they are creating that may be useful to others; (2) what activities by vendors may lead to the creation or gathering of new data; and (3) what data from others may be available for analysis and evaluation.
Make sure you are considering existing laws.
Another key element of the FTC guidance is to remind companies about existing laws where the FTC can take enforcement action for violations. While these laws (like the Fair Credit Reporting Act and various equal opportunity laws) do not apply everywhere in the big data universe, they can be applied by the FTC in certain big data situations.
The FTC Act is the big one.
In addition to “specific” laws like the FCRA, the FTC is reminding companies about its broad authority under the FTC Act. Over the past decade, the FTC has used the FTC Act to “create” a law of data security, which has led to more than 50 enforcement actions against a broad range of companies. Is the FTC signaling that it may be thinking about the same approach for big data activities? Certainly the FTC will have a harder path in this area – given the extended debate in the Wyndham case about its overall authority and the clarity of its guiding principles. Nonetheless, companies always need to be thinking about how the FTC could apply this Act to a company’s activities, particularly if the FTC believes that there are unfair or deceptive practices in play.
Consider the quality of your data.
Aside from potential impact from big data analysis, the FTC also draws attention to an issue that many companies do not pay enough attention to – how good and useful is your data? This will be a key issue going forward, as data arises from many new sources that do not have a track record for accuracy. The FTC is simply making sure that people think about these data quality issues – particularly in the context of how this data can be applied to groups facing larger risks in this area.
Focus on the FTC’s questions for assessment.
And, while the FTC has not set out an enforcement policy, it is sending a clear message about the kinds of activities it is concerned about in the big data area. Companies need to be thinking about these questions in connection with any big data project. Some of the key questions include:
- How representative is your data set?
- Does the data model account for biases?
- How accurate are your predictions from this data?
- Does your reliance on big data create ethical or fairness concerns?
The FTC is also providing a policy road map.
Companies should also use these questions as a broader guide to thinking about their big data activities. Big data is creating important new opportunities, with just as much nervousness from the regulator and advocacy communities. The FTC’s view is not one-sided; it recognizes both the potential opportunities for big data and the potential risks. This means that companies need to be thinking about the implications and impact of their activities, even if there is no clear law or regulation today that makes an activity illegal. Numerous audiences are evaluating new laws and policies about big data. Your activities can drive this debate – in good or bad directions – and there is the real possibility that particularly aggressive or egregious practices can lead to a company becoming a poster child for new laws. The message is clear – be thoughtful, smart, and responsible about your big data activities.
Rely on your privacy officer.
Big data is a prototype area where a thoughtful, knowledgeable, and creative privacy officer can be a critical resource for a company. A good privacy officer needs to understand all the applicable laws and regulations but, more importantly in this context, needs to be thoughtful about potential implications and understanding about where the law may go in the future, as well as being able to assess how big data activities may affect a company’s public profile. Use your privacy officer as an important resource in your company’s evaluation of these issues.
Big data is a growing issue, with no signs of slowing down. The public policy debate is in its infancy, and the new FTC report is a useful and important contribution to the early stages of this debate. Companies should be paying close attention to the opportunities presented by big data, but also must ensure that they are considering the full range of implications for their activities. In addition, it is clear that there will be significant policy discussion from a broad range of interested regulators and enforcement agencies on these issues, so it will be important to monitor the full range of activities in this area, to ensure that your actions don’t run afoul of emerging trends and new rules.