Modern marketing professionals have access to an astounding amount of information on consumers' tastes, preferences and habits. The marketing departments at credit card companies, in particular, can track a staggering amount of information, all without a consumer's knowledge. For example, if an individual went for a period of time without using a credit card to buy groceries, and then began to use the card again for regular grocery purchases, those facts might suggest to the credit card company that the consumer may have been experiencing some financial distress (say, job loss), but is now in a more stable situation and could be in a better position to handle more credit in the future. And, if a credit card company does not already have or track this kind of data, it can — like other marketers — obtain this information from data brokers — e.g. companies that buy and sell personal consumer information.
New Federal Trade Commission ("FTC") recommendations indicate that the Commission supports Congress creating a centralized website where credit card companies, data brokers and related marketers would allow consumers to see which firms are tracking consumer information, how they collect the data, and to whom they are selling the information. The overarching principle of the FTC recommendations is that companies should give each consumer a choice in how data concerning that consumer is used.
Data brokers and related businesses — from credit card companies to Facebook — need to know that the days of more free-flowing access to consumer information — as well as the buying and selling of such information — may be drying up.
The recent FTC report recommends best practices that complement existing privacy regulations and laws. These practices are intended to encourage behaviors that protect consumer privacy, but do not conflict with existing statutes such as HIPAA, HITECH, and the Gramm-Leach Bliley Act. The protected data includes data that can be linked to a particular consumer or device, whether it be a desktop computer, laptop, phone (smart or otherwise), or tablet/iPad. According to the report, studies indicate that consumers may object to being tracked, even if their identity is not disclosed. In addition, there is a potential for harm through discriminatory pricing, even though the individual's name is kept private. Further, according to the report, there have been instances where the identities of individuals have been "reverse engineered" from public data that did not contain personally identifiable information ("PII"). Consequently, the line between PII and non-PII has become distorted.
The recommendations do not apply to entities that collect small amounts of non-sensitive consumer data from under 5,000 consumers, as long as they do not share the data with any third parties.
Congress has yet to act on the FTC recommendations, but could do so in the near future, especially as the FTC and other federal government entities bring consumer data collection practices to light. That, in turn, could jump start consumer concerns about privacy.
Marketers, consumer data brokers and related businesses would do well to have in place policies and procedures designed to comply with this sea change if it comes in, as it could.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.