March is always a big month for privacy – kicking off with National Consumer Protection Week and the IAPP Global Privacy Summit in DC, along with related announcements from regulators and stakeholders on both sides of the Atlantic. During IAPP week, the conversation at many of the dinners and workshops I attended coalesced around a few big themes. We delve into the specifics of the four major privacy trends of the moment below.
The US will not have a comprehensive privacy law this year.
This seems almost crazy, since the White House announced comprehensive privacy legislation, including a consumer privacy bill of rights, earlier this year. Not all of this can be blamed on congressional dysfunction; in fact the legislation has opponents from all sides of the spectrum – privacy advocates, the FTC and the ad industry have all come out against the 2015 Obama privacy bill and its provisions.
For advertisers and marketers, a big concern with the Obama bill should be around the categorization of technical identifiers, such as the advertising ID (IDFA, Google Ad ID), as “personal data.” The FTC has already taken a similar position in its revisions to COPPA last year, when it categorized persistent identifiers (i.e. identifiers that can be used to recognize a user over sites and over time) as personal data.
Categorizing technical identifiers as personal data would lead to increased compliance obligations for companies, and could have a deleterious effect on dynamic, data-driven industries like online advertising. It’s one of many examples of how the Obama privacy bill may be “overkill” – as explored in this discussion between Hogan Lovells’ Chris Wolf and the Mercatus Center’s Adam Thierer.
The chances for a national data breach law are strong.
Unless Congress becomes completely paralyzed due to partisan divides, a national data breach law is likely to be enacted this session (this National Law Review article sums up the highlights). The appetite for such a law is stronger after the numerous breaches and hacks of 2014: Anthem, Home Depot, Premera Blue Cross, Sony, Target.
Here are the highlights of current data breach legislation – the Data Accountability and Trust Act (DATA Act), which was introduced by Reps. Joe Barton (R-TX) and Bobby Rush (D-IL) earlier this year. A similar bill is also pending in the Senate:
• Preemption/Enforcement – the law would pre-empt state data breach laws in 47 states, while also giving enforcement powers to state Attorneys General.
• Breach notification trigger – the number of days within which a company must report a breach once it becomes aware of it would be standardized to 30 days. Currently this requirement varies depending on the state statute in question.
• Personal data – the definition of personal data includes the usual elements: financial and credit card info, government-issued ID numbers, etc., as well as certain account identifiers (e.g. user names) when stored with passwords. The definition does not include technical identifiers. However, it’s important to remember that the bill would also give the FTC rulemaking authority to expand the definition of personal data, as well as other requirements, at a future date.
The FCC will compete with the FTC on privacy enforcement.
This is a natural development, given the net neutrality rules that were approved by a majority of FCC commissioners back in February. The new rules will give the FCC the ability to prescribe privacy rules that would apply to “common carriers” and would cover all data that these carriers collect, use and share while delivering communications on behalf of their customers (e.g. customer proprietary network information or “CPNI”). With existing settlements against AT&T and Verizon, and a dynamic enforcement chief (Travis LeBlanc, formerly of the California Attorney General’s office), look for the FCC to make its enforcement mark in coming months (more details in this article by the IAPP’s Angelique Carson).
The FTC continues to forge ahead with its education and enforcement mandates. The agency announced a November workshop to learn more about the potential benefits, as well as the potential privacy and security concerns, of cross-device tracking. And under the leadership of its Chief Technologist, Ashkan Soltani, the FTC has launched the Office of Technology, Research and Investigation, which will provide the FTC the technological expertise it needs to support its enforcement initiatives. In addition to a technology fellowship, the OTRI will have intern positions available for individuals interested in the fascinating intersection of privacy and technology – more in this FTC press release.
The future of the EU-US Safe Harbor probably rests with the ECJ.
The EU-US Safe Harbor was signed by EU and US regulators in 1998, and it is the principal means by which TUNE and over 4,000 other companies transfer data from the EU to the US. In the wake of the Snowden revelations, the Safe Harbor has come under considerable attack from EU Commission officials (who nonetheless decided to keep the agreement in place for now), as well as certain data protection officials (e.g. in Germany). Indeed, EU regulators remain more concerned about surveillance by the US government than about commercial transfers of data by US companies.
This week, the European Court of Justice or “ECJ” (the EU’s highest court) heard arguments in the case of Max Schrems v. Facebook. Max Schrems is an EU citizen who has a longstanding case against Facebook; one of his claims is that Facebook transfers and uses data under the Safe Harbor in violation of EU law. The IAPP’s Jed Bracy has a great summary (with tweets) of the March 24th ECJ arguments in this case, which is being watched closely by the privacy community. A decision is not expected until late June 2014.
What do these developments mean for you and your business?
These four trends point to a larger, uber-trend – the importance of co-regulation and self-regulation when determining compliance obligations. With privacy standards in flux on both sides of the Atlantic, demonstrating compliance with industry best practices, including third-party certification of that compliance, has become more important than ever.
Advertisers and marketers work in a market that is defined by best practices, and nowhere is that more evident than in privacy – where a number of associations and certification authorities outline best practices and provide opportunities for engagement with other ecosystem players who may be encountering similar issues. These include:
• Digital Advertising Alliance – focused on companies that help provide “interest-based” advertising.
• National Advertising Initiative – focused on third-party digital advertising companies.
• COPPA (Children’s Privacy) compliance – if you are marketing to kids, you need to be compliant with COPPA, which is a law (not a best practice). There are 6 companies that run certification programs based on COPPA’s requirements: Aristotle, Children’s Advertising Review Unit, Entertainment Software Ratings Board, iKeepSafe, Privo, and TRUSTe.
As these examples show, many in our industry continue to lead by example by adopting best practices through membership in co-regulatory and self-regulatory safe harbors. This reinforces an important point: you don’t need heavy-handed privacy rules to force companies to do the right thing. That is something regulators should think about as well, as they continue to take on the Sisyphean task of defining privacy rules for fast-moving industries like technology.
Becky is the Senior Content Marketing Manager at TUNE. Before TUNE, she led a variety of marketing and communications projects at San Francisco startups. Becky received her bachelor's degree in English from Wake Forest University. After living nearly a decade in San Francisco and Seattle, she has returned to her home of Charleston, SC, where you can find her enjoying the sun and salt water with her family.