When it comes to Big Data — combing large datasets to unearth previously undiscoverable patterns in consumer behavior — the line between what’s permissible and what’s proper can be a fine one.
At a panel discussion at the New York State Bar’s Annual Meeting last week, Marc Roth, a privacy lawyer at Manatt, Phelps & Phillips, said his clients are frequently coming up with new ideas that make him nervous.
“When companies ask me, ‘Can we do this?’ sometimes I give two answers: it’s not illegal, but it’s kind of creepy. And you might not want to do it for that reason,” Roth said. “Without naming names, some will respect that answer, and some will not.”
Anwesa Paul, a Senior Privacy Counsel at American Express, highlighted an incident in 2012, when Target analyzed a teenage girl’s purchases and determined she was pregnant. When Target sent coupons for baby necessities to the girl’s home, they inadvertently revealed the pregnancy to her father.
“The underlying premise was, ‘We want to give an offer that’s relevant to you,’” Paul said. “The problem is it’s almost too relevant to you. You have to keep that creepy factor in mind when you’re using big data.”
In addition to the question of creepiness, speakers also discussed the growing number of privacy class actions, the rise of “data brokers” — companies whose whole business model is centered on buying and selling consumer data — and whether the Federal Trade Commission has overstepped its authority in policing cybersecurity.
The panel, titled “The Other Side of the House: FTC Policy and Enforcement in Privacy and Big Data,” was moderated by William Efron, Northeast Regional Director for the FTC. In addition to Roth and Paul, the panelists included Andrea Arias, an attorney with the FTC, and Janis Kestenbaum, a partner at Perkins Coie.
Big Law Business rounded up the best quotes from the discussion.
Andrea Arias (FTC)
- “Every company is now wanting to do something with data. Companies that were sitting on data previously now want to monetize it in some way.”
- “If companies are thinking of rolling out a new product, they should reach out to the FTC and get our input. Often, we can help them avoid the pitfalls.”
- “Data brokers are collecting millions of data points about consumers, often without consumers’ knowledge. They’re acting outside of the consumer space.”
- “Data brokers are taking a few data points and drawing inferences about consumers. Some of those inferences are very sensitive: ethnicity, religion, political affiliation, even whether you’re pregnant, for example.”
Janis Kestenbaum (Perkins Coie)
- “More traditional companies that never thought about privacy five years ago are realizing that maybe they are sitting on data. They want to see how they can use it internally or monetize it.”
- On the Third Circuit’s decision in Wyndham: “Companies pay a lot of attention to data security regardless of whether the FTC has unfairness authority.”
- “A lot of bloggers and reporters and writers cover privacy. Companies may sometimes think that what they do, consumers won’t understand, but they now realize that someone out there is quite possibly paying attention.”
Anwesa Paul (American Express)
- “Lawyers used to rely on tech specialists to tell them what was going on, but now you have to have a deep understanding of how your products work in order to draft an online privacy statement, make representations about your product, or anything along those lines.”
- “The FTC’s enforcement actions really highlight how certain companies didn’t have a good handle on how products worked, or on what their peers were doing.”
- “Privacy class actions are growing. Class action lawyers are very eager to bring privacy actions.”
- “Big data allows you to put this kitchen sink of data into computer, and the computer finds patterns you couldn’t have found computing manually. That level of analysis has unearthed a lot of opportunities, but also unearthed legal risks you may not have considered before.”
- On Target pregnancy case: “The underlying premise was, ‘We want to give an offer that’s relevant to you.’ The problem is it’s almost too relevant to you. You have to keep that creepy factor in mind when you’re using big data.”
Marc Roth (Manatt)
- “Twenty to thirty years ago there was very little information to be collected on customers. Some companies didn’t even know who their customers were.”
- On the FTC requiring “reasonable” data protections: “The FTC has expanded that to mean you know how technology is developing. For a small company, that’s a challenge.”
- “If a company does what they can to protect data and gets hacked, should they have known that there’s a new virus out there, or some type of intrusion device? It might be difficult for them to know that. But the FTC might bring a case.”
- “Any time you’re faced with an FTC enforcement action, you’re sure to see plaintiffs vultures flying around as well. That’s a big concern.”
- On the Telephone Consumer Protection Act (TCPA): “It’s an extortion statute. If you get sued, you have to defend. They literally hold you hostage. In terms of non-FTC enforcement, that’s probably the largest area of litigation we’re seeing.”
- “When companies ask me, ‘Can we do this?’ sometimes I give two answers: it’s not illegal, but it’s kind of creepy. And you might not want to do it for that reason. Without naming names, some will respect that answer, and some will not.”