The message from U.S. Federal Trade Commissioner Rebecca Kelly Slaughter was loud and clear on the keynote stage at the IAPP's Privacy. Security. Risk. 2021: Times are changing with the way people view, prioritize and conceptualize their data. Addressing these uncharted waters from a regulatory standpoint continues to be a work in progress, but Slaughter certainly has a vision.
Slaughter took the stage in San Diego, California, with the intention of providing "food for thought" and provoking "some new ways of thinking" on what she and some colleagues view as the future of data. She admitted transition of all sorts at the FTC has been the catalyst for reflecting on and changing perspectives while reviewing the FTC's mission with "open eyes about what has been working and where we need a new direction."
"This is what I refer to in my office as the 'Wait, but why?' mode of analysis. Too often we can do an expert job of explaining how we analyze particular cases or what our strategy is, but not why we do it that way," Slaughter said. "When we step back and ask, we frequently uncover areas in need of a dramatic rethink."
'New ways of thinking'
With an eye toward reconsideration, Slaughter used her time on stage to unpack "assumptions" regarding the data ecosystem that are garnering the "Wait, but why?" attention while explaining what regulatory efforts can and can't do to help. The lead assumption Slaughter took on was why privacy is the primary concern in data-driven markets, making clear it should be a chief consideration but fearing such focus will "exclude from our gaze other critical issues consumers face." Slaughter and the agency have indeed turned the tides beyond privacy, evident by deeper dives into
Slaughter wants to target and arrive at solutions for specific business practices that are leading to abuses. The blanket remedy that's most often raised is more notice and choice, another assumption Slaughter doesn't buy into. She said it began as a "sensible application of basic user protection principles," but it's now a less effective approach that "simply doubles down on a notice-and-choice universe where neither notice nor choice is meaningful for most users."
Moving beyond notice and choice
"Too many services are about leveraging consumer data instead of straightforwardly providing value. For even the savviest users, the price of browsing the internet is being tracked across the web," Slaughter said. "As federal enforcers, it is incumbent on us to identify the unfair, deceptive and anti-competitive practices that are harming consumers and to use all our statutory tools to strategically and structurally address illegal conduct. The pervasive nature of commercial surveillance, its substantial injuries to consumers, its unavoidable nature, and the benefits that outweigh those injuries demonstrate a fundamental unfairness at the heart of the data economy."
Treating the notice and choice framework, specifically the concepts of opting in versus opting out, as the only option is another fallible assumption. In her rebuttal, Slaughter pitched purpose and use restrictions as the foundation for a data minimization framework that would "turn off the data pump and deprive the surveillance economy engine the fuel it needs to work."
Data minimization isn't a foreign concept, with notable provisions for such limitation in the EU General Data Protection Regulation as well as the Children's Online Privacy Protection Act and comprehensive privacy laws in Colorado and Virginia. Slaughter said its use or lack thereof by U.S. national security agencies has bogged down the perceived benefits of a minimization framework, but it is nonetheless an effective plan when deployed and enforced properly.
The case for data minimization
"Collection and use limitations can help protect people's rights. It should not be necessary to trade one's data away as a cost of full participation in society and the modern information economy," Slaughter said. "Users ought to be able to make sensible decisions about the products they want to use and companies should only ask for data required to provide those products and services that are being asked for, not additional data to build consumer profiles. There also needs to be strict limits on how that information is shared, and for how long and under what conditions it is to be stored.
"A minimization approach could facilitate compliance by establishing bright-line rules around what data can be collected and how it can be used. That would allow us to move past the tedious compliance exercise of interminable and unreadable click-through terms of service contracts that only give the illusion of meaningful notice and choice."
Minimization rules would be a smaller piece of a bigger pie, which many believe needs to be federal privacy legislation. Slaughter said she prefers a well-crafted federal standard, but in its absence she believes the FTC should take up a rulemaking process. Slaughter noted those opposing FTC privacy rulemaking consider the process and its results "toothless" in the near and long term, while she sees a broader value and effect.
"The benefit of rulemaking is to provide clarity to the markets on what a prescribed conduct is rather than waiting until after a violation, and the resulting harm, has occurred to address it," Slaughter said. "We have an opportunity to develop a public participatory record and use it to draft rules that let businesses know what Section 5 (of the FTC Act) means in the context of the data economy. We can show that our understanding of what isn't fair has evolved in response to these prevailing market practices and give specific guidance to industry about requirements of the law that will facilitate compliance and streamline the commission's enforcement burdens, allowing us to use limited resources more effectively."