As the number of connected devices grew (the so-called "Internet of Things"), so, too, did the risk of data hacking and unauthorized access to sensitive personal information. After the Federal Trade Commission (FTC) action against, and its settlement with, in-store beacon tracking company Nomi Technologies, other companies — especially the makers of data-connected devices and apps — spent time and money on ensuring that they provided consumers with transparency and choice with respect to how and when their data was collected.

The continued collection, sale, and use of vast amounts of consumer data in the Big Data industry was regularly raised as a primary concern of the FTC, owing to the perceived lack of transparency and consumer control.

The FTC's authority as the primary regulator in the privacy and data security arena was reaffirmed with its litigation victory against Wyndham Hotels and Resorts. The FTC alleged that Wyndham had failed to safeguard its network where sensitive consumer information was stored. Wyndham argued that the FTC lacked the authority to regulate companies' security practices. The FTC prevailed and, as a result, it continued to exercise its authority to regulate such practices.

Perhaps the greatest privacy and data security development in 2015 arose from the European Court of Justice's decision declaring the United States-European Union Safe Harbor Framework invalid. Over 4,400 U.S. companies had joined this self-certification program to enable them to transfer personal data of EU residents from the EU to the United States. The EU and the United States have since negotiated the EU-U.S. Privacy Shield to resolve this matter, though final approval by the EU Parliament is pending. If approval is granted, implementation will likely take a number of months.

Looking Ahead

  • Companies will need to invest in more sophisticated privacy and data security infrastructures to comply with their commitments to consumers as well as the increased regulatory and legislative focus on data security.
  • With no definitive set of required security controls under U.S. law, companies must look at varying standards, regulatory guidance, self-regulatory organizations, and recognized best practices. Most importantly, a company must practice what it preaches. That is, it must put into action the promises and guarantees made in its privacy policy.
  • Companies exporting personal data from the EU to the United States must understand and comply with the EU Data Protection Directive.
  • There also will be changes in the collection and processing practices of Big Data as well as increased oversight of the Big Data market and products and services in the Internet of Things.
