Socrates is credited with the saying “the unexamined life is not worth living.” But in today’s world of tracking cookies and social media profiles, the unexamined life is starting to sound pretty good.
“Big data” is not all bad. We can use it to create algorithms to identify cancer and even notify those at risk. We can use it to make businesses more efficient in responding to consumer demand. We also use it to pay for the valuable services of online companies–we sign up for an online service in exchange for our consent to receive advertisements and share our data. In this way, data has become the currency of the internet.
Unfortunately, consumers are not always aware of the price that they are paying for online services. While surveys show that we enjoy the benefits of being tracked, those same surveys show that being tracked without our knowledge makes us more than a little uncomfortable.
The FCC enforces privacy policies for online services, but has yet to set any minimum standards for those policies. Reputable companies and trade groups have attempted to fill this vacuum with industry best practices, which, while laudable, are unenforceable.
My new paper reviews the benefits and risks of “big data,” including how online companies sell user data to data brokers as well as how we use data to help treat cancer. It then surveys current tracking methods and the legal framework currently in place to police them. It then uses regulations developed in the banking industry to suggest a a risk based, disclosure oriented regulatory framework for data.
First, any regulatory framework must adapt to the wide variety of relationships between sites and users, data types, and data uses. For example, when a user sets up an account, the user expects a more permanent relationship and the sign up process provides the opportunity for disclosures to be made. In that case, the risk that users are being tracked without their knowledge is diminished and so the regulatory scrutiny should be likewise diminished. Likewise, the kind of data gathered and the way the company uses that data may increase or decrease the risk to consumers.
Third, the UDAAP standard developed in the banking industry could serve as the standards for enforcing this regulation. These standards prohibit unfair, deceptive, and abusive acts or practices. These standards could be adapted to serve as a tool to regulate the “online currency,” data. Additionally, given the degree of separation between data brokers and consumers, a data broker registry might make good sense. We use a similar registry with money transmitters.
A successful regulatory scheme for data collection must carefully balance consumer protection with the valuable benefits that big data can provide. A risk based, disclosure oriented strategy will accomplish this goal.
*this paper was accepted for publication in the University of Dayton Law Review’s Summer 2015 edition.