Handling consumer data

- In this area, we are talking about customer analytics and the legal protections for customers in the US, mostly with respect to privacy and security of data about them and how that data is used appropriately or not in the ways that affect their lives. In this video, I'm going to introduce the Federal Trade Commission's role in this area and highlight two laws that have been used to protect consumers and also provide you with two case examples. The Federal Trade Commission is the federal agency charged with protecting consumers under the Fair Credit Reporting Act. The Fair Credit Reporting Act applies to companies known as consumer reporting agencies or CRAs that compile and sell consumer reports, which contain consumer information that is used for credit, employment, insurance, housing, and other similar decisions. CRAs must implement reasonable procedures to ensure maximum possible accuracy of consumer reports, and provide consumers with access to their information and the ability to correct errors. This is an area concerning the relationship between law and technology where we see the law being stretched to apply to technological advances. Data brokers might not otherwise consider themselves subject to this or any other law that protects someone else's customers, but based on the enforcement actions taken by the FTC, they are now on notice. For example, the FTC entered a consent agree with the online data broker Spokeo. Spokeo assembles personal information from hundreds of online and off-line data sources, including social networks, and merge that data to create detailed personal profiles, including names, addresses, age, hobbies, ethnicities, religion, and mark these digital biographies for use by human resource departments in making hiring decisions. According to the FTC, Spokeo's actions made them a CRA and as such, subject to the rules of the FCRA, which they were not following. They paid $800,000 in penalties. Note too that Spokeo had tried to protect itself from the risk of having to comply with the FCRA. It included a disclaimer on its site, which claimed it was not a CRA, and that users should not use their site for credit eligibility purposes per se. This disclaimer was not effective to protect the company from FTC enforcement action. This is a good example of what is essential objective of this course with respect to regulatory law. That is, organizations and participants in data analytics and AI should not assume that existing law does not regulate them. The FCRA predates this new technology, but as this case example shows us, federal authorities can apply existing law to new ways of conducting business. Data privacy and security are top of mind for the FTC. In addition to enforcement authority for the FCRA, the FTC also uses Section 5 of the FTC Act to take enforcement actions for violations of consumer privacy rights. Section 5 is a generally applicable to most companies acting in commerce regardless of market sector. Section 5 of the FTC Act states that unfair or deceptive acts or practices in or affecting commerce are unlawful. Unfair or deceptive practices can arise when companies are maintaining large amounts of sensitive data about individuals and are not securing it for misuse. The more sensitive and complex the data, the more security should be in place. Companies can be held liable for failure to secure or for sharing or selling data analytics products to customers who may use that data for fraudulent purposes. One recent case in this area relates to the Internet of things, that all encompassing network of Internet communication connecting everyday consumer devices. TRENDnet provides cameras for consumers to conduct safety monitoring in their homes and allows consumers to access live video and audio feeds from their cameras over the Internet. The TRENDnet action was brought by the FTC because TRENDnet misrepresented its security measures to consumers and failed to use reasonable security measures to prevent unauthorized access. As a result, hackers were able to compromise the live feeds, and gain access to surveillance inside customer homes, including viewing children sleeping and playing and adults engaged in daily activities. This also allowed access to information inside the home and the potential for larger threats like robberies and other kinds of things that could happen with that information. The FTC has not issued formal rules for the new data security issues that are being created by data analytics, the Internet of things and AI, but rather uses existing law to enforce its authority through complaints and consent orders. A great resource for organizations concerned with legal compliance is the 2016 FTC report suggested as additional reading for students in this course. The report is called Big Data: A tool for inclusion or exclusion. Take a look at the list of questions on page 24 of that report, which will help you begin to roadmap legal compliance for customer concerns in the United States. What should also be on the radar of organizations and participants is forthcoming law that might be passed to address regulatory concerns in the US government in situations where no law yet exists.