In a briefing convened by the Congressional Privacy Caucus last week, co-chairs Ed Markey (D-MA) and Joe Barton (R-TX) explored the roles of “data brokers,” along with two chief regulators from the FTC, Chairman Jon Leibowitz and Commissioner Julie Brill. The briefing and discussion was wide-ranging, and if anything, it seemed to raise more questions than provide answers.
If there was one single over-arching takeaway for me, it was that there exists a very complex data ecosystem that includes consumers, businesses and governments, and it’s increasingly difficult to label entities for purposes of creating new laws and regulations. Following is a summary of key themes I took out of this briefing:
(1) There’s no broad agreement on the definition of “data broker.” The discussion did not include a clear articulation of what the lawmakers and regulators believe to be a data broker definition of exactly what is a “data broker,” which seems to be the key question before deciding on new policies. The best articulation was “an entity that collects data but which has no intersection w/ consumers directly.” While this may make sense on the surface, it quickly breaks-down when moving forward to craft rules for data brokers, because it clearly leaves open a wide range of entities that openly characterize themselves as brokers but also provide for direct interaction with consumers.
I wish we could put any discussion about new policies on hold until we can at least clearly know what we’re talking about as a “data broker.”
(2) It’s the “use” stupid. I was constantly reminded of the old refrain, “it’s the economy, stupid,” the now infamous phrase that explained ultimately why Bill Clinton would ultimately be elected President in 1992. If there is one thing that seems to enjoy broad agreement around data privacy, it’s that it is more important — and useful— to look at how a data is used, and the potential for harm, than it is to single out ill-defined entities and try to craft specific legal and regulatory roadmaps for their behavior. While, this was my takeaway and was surely shared by many other present at the briefing, it is the opposite of what leading lawmakers and regulators are thinking.
(3) The FTC will maintain a steady focus on “data brokers.” Regardless of the challenge in clearly defining data brokers, the FTC is sure they don’t like ‘em. As clearly articulated by Commissioners Leibowitz and Brill, the FTC will maintain a heavy focus on “data brokers” – as was a unanimous recommendation from the FTC’s Privacy Paper issued earlier this year. While they did recognize there are significant benefits provided by “data brokers,” they made the following pronouncements: (1) much more needs to be done on the transparency front, (2) industry needs to do more to articulate existing transparency mechanisms; and (3) the Commission is exploring “what can and should be done beyond merely enforcement” of existing laws.
(4) Reps. Markey and Barton will focus this conversation on children, then expand – As the bipartisan team leaders for increased privacy protection for consumers, Reps. Markey and Barton reiterated their commitment to continue moving forward with all deliberate speed in the next Congress, reintroducing their Do Not Track Kids Act (H.R. 1895) and promising to sign-on even more than the 45 cosponsors from the current bill. . While that is surely no surprise to anyone, they went further to effectively outline their strategy to use the conversation on children’s privacy, expand the current age qualification in COPPA, and use this as a gateway to adopting privacy laws more broadly beyond children.
(5) Transparency and industry leadership are key – Another theme that keeps coming up is the need for greater transparency and industry leadership in this area. Similar to the ongoing discussions regarding “mobile transparency,” industry can and will surely continue to improve practices in this area, or we’ll be building the case for regulators and legislators to step in.
David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy.