The Federal Trade Commission (“FTC”) recently issued a report entitled Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues (the “Report”), which is intended to guide companies involved in the commercial use of big data consisting of consumer information.
Among other things, the Report assesses big data’s benefits and risks, applicable consumer protection laws, and broader research issues, focusing on the impact of big data analytics on low-income and underserved populations.
Of particular note, the Report warns companies involved in the use of big data analytics that the FTC intends to monitor this use under existing law, including the Fair Credit Reporting Act, equal opportunity laws, and Section 5 of the Federal Trade Commission Act (the “FTC Act”), and to bring enforcement actions as appropriate. Businesses involved in the use of big data analytics are thus well advised to review the Report closely, consider the potential liability risks, and take steps to lower those risks, which include ensuring reasonable measures are in place to protect consumer data.
As to the last point, the Report discusses the applicability of Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in or affecting commerce. An act or practice is deceptive under Section 5 if it involves “a material statement or omission that is likely to mislead a consumer acting reasonably under the circumstances.” (Report at 21.) For example, a company that violates a material promise (to refrain from sharing data with third parties, to provide consumers choices about sharing, or to safeguard consumers’ personal information) is likely engaged in a deceptive practice. (Id. at 21-22.) A failure to disclose material information may also violate Section 5. (Id. at 22.)
An act or practice is unfair under Section 5 “if it is likely to cause substantial consumer injury, the injury is not reasonably avoidable by consumers, and the injury is not outweighed by benefits to consumers or competition.” (Id.) A company’s failure to reasonably secure consumers’ data where that failure is likely to cause substantial injury may be an unfair practice. What is “reasonable” depends on the amount and sensitivity of the data at issue, the size and complexity of a company’s operations, and the costs of available security measures. (Id. at 22-23.) For example, the SEC has advised that companies maintaining Social Security numbers or medical information about individual consumers should have “particularly robust security measures” as compared to companies that maintain consumers’ names only. (Id. at 23.)
The sale of data to customers that a company knows or has reason to know will use the data for improper purposes may also be an unfair practice. (Id.) The FTC’s guidance strongly implies that companies selling personal information cannot simply take the word of customers as to that information’s intended use, but must pay attention to any red flags regarding potential fraud.
In light of the above, the Report sets forth questions for legal compliance. Companies already using or considering engaging in big data analytics need to consider whether they are honoring promises made to consumers and providing consumers material information about their data practices. Companies must also ensure that they are maintaining reasonable security over consumer data and taking reasonable steps to know the purposes for which their customers are using the data provided.
In sum, while the Report does not propose new law or policy, the FTC has clearly indicated that it will continue to monitor areas where big data practices could violate existing law, and bring enforcement actions where necessary. As always, businesses are well advised to ensure that consumers’ data is reasonably secured.