Privacy Law expert Daniel Solove interviews Professor Chris Hoffnagle about his new book, Federal Trade Commission Privacy Law and Policy, which provides to readers a great volume of information and scholarly discussion about the FTC in general, its rich and sordid history, as well as its many activities and efforts in the privacy space. Endorsed by the likes of Solove as a "must read," the book, to me, seems like a worthy addition to my (ever-expanding) to-read queue on Kindle.
Below is an excerpt of the interview I found particularly interesting:
"SOLOVE: What is the FTC’s biggest failure?
HOOFNAGLE: The FTC has not found a way to police data brokers. Data brokers both create new privacy problems and intensify existing ones by offering mechanisms to secretly identify consumers and to link their otherwise pseudonymous behavior. The market provides little incentive for data brokers to recognize individuals’ privacy interests.
The FTC has failed to police data brokers because internally, it struggles to articulate how data brokers’ systemic undermining of privacy rights creates marketplace harms. My book offers several approaches to dealing with this problem, drawing upon how the FTC overcame similar challenges in false advertising cases."
Stray thoughts & more on data brokers-->
For further information on the social implications of data brokers providing services for the government:
- See Hoofnagle's Big Brother’s Little Helpers: How ChoicePoint and Other Commercial Data Brokers Collect and Package Your Data for Law Enforcement, a work that indicates that government has access to large amounts of personal information on consumers through commercial data brokers.
- You also might want to check out the Attorney General's Guidelines on General Crimes, Racketeering Enterprise and Terrorism Enterprise Investigations § VI, which points out that the FBI is permitted to obtain information for surveillance purposes “through services or resources (whether nonprofit or commercial) that compile or analyze such information; and information voluntarily provided by private entities."
On the commercial end:
The biggest issue bubbling out of the use of aggregate non-personal data by data brokers, in my mind, is that, often, certain PII can be inferred due to the fact that these data brokers have a wide breadth of information at their disposal and are able to draw fairly accurate conclusions about that data.
Data brokers are a cash cow in today's commercial climate: Companies pay top dollar to third-party data brokers, who in turn provide them with valuable information that allows them to target their advertisements and marketing campaigns towards their consumers with much more precision.
In fact, this is largely why you will see that many companies' privacy policies try to explain away the disclosure and sharing of customers' non-personal information in sometimes circuitous and sugarcoated terms.
SXSW's Privacy Policy, for example, states the following:
"G. Disclosure of Aggregate Information
SXSW may provide to third parties non-personal information about you that does not allow you to be identified or contacted and that is combined with the non-personal information of other users ("Aggregate Information"). For example, we might inform third parties regarding the number of users of our Site and the activities they conduct while on our Site. We might also inform a company that performs services or that provides products and/or services to SXSW (that may or may not be a SXSW business partner or an advertiser on our site) that "50% of our users live in the USA" or that "85% of our users have purchased products and/or services which can be downloaded from SXSW's Site." Depending on the circumstances, we may or may not charge third parties for this Aggregate Information. We may not limit the third parties' use of the Aggregate Information" (emphasis added).
Of course, there's also Google's Privacy Policy, which states, "[w]e may share non-personally identifiable information publicly and with our partners – like publishers, advertisers or connected sites" (emphasis added). The term, "partners," could mean a lot of things, especially for a company whose revenues exceed the GDP of several entire nations--Iceland, the Bahamas, Guatemala, just to name a few.
Facebook is relatively more forthcoming about its use of non-personal information. Its Privacy Policy states, "[w]e work with third party companies who help us provide and improve our Services or who use advertising or related products, which makes it possible to operate our companies and provide free services to people around the world."
Lastly, here's what LinkedIn's Privacy Policy says: "We may transfer your information and process it outside your country of residence, wherever LinkedIn, its affiliates and service providers operate." The catch-all term, "service providers," should give one pause: What does consenting to the sharing of customer information with "service providers" actually imply in a practical sense?
This post has doled out more questions than answers, but there you have it!