10 Important Questions about Privacy as we head into 2013

January 03, 2013

Saira Nayak
Director of Policy, TRUSTe
@sairanayak


In 2012, privacy went mainstream.

Issues that were previously the sole province of policy wonks became part of the national discussion: the Petraeus-Broadwell scandal (email privacy and ECPA reform), relaxed FAA restrictions resulting in the use of drones by law enforcement (limits on government surveillance, more ECPA reform) and the very successful role of big data and microtargeting in the 2012 elections (OBA compliance anyone?).

As we start 2013 with privacy firmly ensconced in the national consciousness, important questions – about how privacy policy and enforcement should be framed – remain unanswered.

Here are the questions we think will continue to loom large for consumers, industry and policymakers in 2013:

1. Should law enforcement be required to get a warrant before accessing my emails and texts?

The Petraeus-Broadwell episode demonstrated how easily the government can gain access to electronic communications (texts, email) without an individual’s knowledge or permission. Shortly after the story broke, legislation requiring a warrant for access to an individual’s electronic communications advanced with bipartisan support in the House and Senate. The bill should have a good chance this year, but that all depends on whether privacy will have visibility and bipartisan support in the 113th Congress.

2. Should the phone company or Google Maps get my okay before tracking my location?

Senator Franken seems to think so. In 2012, his Location Privacy Protection Act, which advocates getting consent for collecting or sharing location data and also bans mobile apps that “secretly” monitor location, advanced in the Senate. It is expected that Senator Franken will re-introduce the bill in the 113th Congress and the prospects for passage are good. Perhaps Congress will be forced to do something, given the visibility that location privacy has right now.

3. Will privacy be an enforcement priority for the FTC?

For this answer, we need to see who will lead the FTC’s privacy efforts in 2013 – both as chair of the agency and head of its consumer protection bureau (given the recent and imminent departure respectively of David Vladeck and Jon Leibowitz). A key determinant will be how much the new chair sees privacy as a competitive differentiator that should be addressed in a coordinated manner between the agency’s two bureaus – competition and consumer protection.

4. So … will privacy become a competitive differentiator in 2013?

Put differently, will consumers decide not to purchase a product or service from a company based on how that company handles personal info such as pictures and posts? Consumers appear to be insisting that they have some choice and control in the matter (just ask Instagram, which recently angered users over its photo use and sharing policies). Recent TRUSTe research of European consumers around “cookie compliance” indicates that the number of consumers who will choose a website based on compliance is edging upwards (from 33% in the UK to nearly 50% in Germany). Additionally, research in the US reveals that approximately 90% of consumers plan to only do business with companies they believe protect their privacy online.

5. Do you own your “Personal Data”?

While we’re on the subject of choice and control, it’s good to also remember the continuing debate over who owns your personal data. Does the labor that a company puts into collecting, categorizing and using information about you, entitle them to ownership of your data? Would our answer change if it meant no more webmail and other free online services? With the growing market for personal data management (detailed in this recent NY Times article) it’s likely that this issue will come to a head soon – possibly in 2013.

6. Should there be damages for privacy violations?

Questions of ownership invariably lead to the issue of whether there should be damages for privacy violations. Until now, courts have been reluctant to find those types of damages, but two types of cases are worth noting [thanks to @PrivacyWolf (Christopher Wolf) and the Future of Privacy Forum for alerting us to these developments]. First, in Resnick v. AvMed, Inc., an 11th Circuit case involving Florida state law and stolen laptops, the court found damages where there was actual financial injury to the plaintiffs from the defendants’ actions. Second, in two consumer class actions filed in federal courts in California (the iPhone app litigation) and Washington, privacy claims have been allowed to proceed on the theory that plaintiffs:

  • paid more for their devices than they would have paid had they known their personal information would be misused; and
  • incurred higher battery and data usage costs from the unwanted collection and sharing of their personal information.

7. Will politicians continue to target constituents?

One of the most interesting privacy stories of the year was how microtargeting helped the President and other politicians win their 2012 elections. This success almost guarantees that the practice will continue into next year’s midterm elections – even as the technology becomes more refined and, potentially, even more privacy invasive. Consumers – at least according to this Annenberg study – reject “tailored political advertising.” Was the 2012 election a free pass? Should politicians let us know – through notice and perhaps choice – how they plan to track our likes and dislikes for political purposes?

8. Are multi-stakeholder processes a good way to create privacy rules?

The jury is still out on whether multi-stakeholder processes are an effective way to devise privacy rules (how the current W3 process unfolds under Peter Swire’s leadership will provide part of this answer). Another litmus test in 2013 will be the Department of Commerce’s multi-stakeholder process, including the current initiative around mobile transparency (in which TRUSTe is participating). It remains to be seen how these efforts will be viewed by EU data protection officials, and what significance, if any, compliance with such an industry standard would have under section 5 of the FTC Act (which punishes actions that are “deceptive,” “misleading,” or “unfair” to consumers).

9. Will EU countries enforce their cookie laws?

In 2012, there were few privacy issues that created more concern (and hurried conference calls) than the EU Cookie Directive. To date, most European countries have passed a law requiring consent before dropping cookies, or other trackers, on a user’s computer or other device. But we haven’t seen significant enforcement of these laws, prompting compliance delays on both sides of the Atlantic. Companies are concerned about disrupting user traffic and ripping out websites to comply with a law that is simply not being enforced. Will 2013 see changes in enforcement? It’s likely. The UK ICO – which has provided guidance around its Cookie Law requirements in the past couple of years – has stated that it plans to go after noncompliant sites in 2013. So has the Netherlands, which has not one, but two data protection regulators, and is already enforcing cookie compliance through automated technology.

10. What is the best way to protect an individual’s privacy while not impeding future innovation?

Should the way be different for online and offline contexts?

This last question is food for thought – answering it could possibly also provide answers to the previous nine questions. Like you, I look forward to seeing how the privacy dialogue unfolds and whether we will get answers to some of these questions in 2013.

Wishing you all the best for a splendid year ahead!