Brill Outlines Data Broker Initiative, Says W3C Not ‘Silver Bullet’ for DNT

Leaders in the data broker industry “have expressed some interest in pursuing ideas to achieve greater transparency,” Brill said. In the past, she has encouraged data brokers to create an online portal where consumers can access -- and, when appropriate -- correct or remove data about themselves. Data brokers that participate in the initiative “would agree to tailor their data handling and notice and choice tools to the sensitivity of the information at issue,” she said. Brill also supports legislation “that would require data brokers to provide notice, access, and correction rights to consumers scaled to the sensitivity and use of the data at issue,” she said. Brill said she has also asked credit reporting agencies to create a similar system for corrections, so that “a consumer’s corrections to one credit reporting agency’s files will automatically correct the same information held by other credit reporting agencies."

The Reclaim Your Name initiative “meshes nicely with the FTC’s ongoing interest in a universal, simple, persistent, and effective Do Not Track [DNT] mechanism,” Brill said. She urged stakeholders participating in the World Wide Web Consortium (W3C) DNT process to “forge ahead with their work and reach consensus.” Reclaim Your Name and DNT “will restore consumers’ rights to privacy that big data has not just challenged but has abrogated in too many instances,” she said. The W3C process is not “the only way in which DNT can be implemented, nor do I think it’s the silver bullet,” Brill continued. “I do think that there will be various players who are going to work hard to try to give consumers technological means to stop some tracking online,” including technology companies, she said. Discussions about tracking should consider the offline tracking that happens as well, she said: “We need to expand the discussion … to be thinking more broadly about the dossiers” that companies have on consumers.

NTIA stakeholder discussions about transparency around data collection on mobile devices are “exceedingly important,” Brill said. “But it’s going to be the first step.” The developer-focused NTIA process is centered on “short notices” and “key information going to consumers at an appropriate time,” but the involvement of app platforms is essential to “make sure the consumers get the information” when they need it, she said. In the past, FTC staff has asked the NTIA stakeholders to consider including more language about just-in-time notice in their voluntary code of conduct. Stakeholders have said that requiring that kind of notice would involve presenting short-form privacy policies at the time of download, which would involve the app platforms, which are out of the scope of the process as defined by the NTIA.

The draft code of conduct being developed by NTIA stakeholders treats health data better than any other self-regulatory program, said Pam Dixon, executive director of the World Privacy Forum and a drafter of the NTIA code, on a later panel. The “NTIA code currently has the best definition of health data … if we ever finish it,” she said. The code of conduct enforced by the Network Advertising Initiative (NAI) -- a self-regulatory program for online advertisers -- has, “at this point in time, the very best middle ground” for how data collectors should treat health information, Dixon continued. Though the NAI code talks about health data as data concerning “particular or precise diseases” -- which “doesn’t work” and “needs to change” -- that is mitigated by the fact that NAI requires its members to indicate in their privacy policies if they are using data connected to “anything about the body,” she said.