Developing an approach towards consumer privacy and data security

Polly Turner-Ward

By NCL Google Public Policy Fellow Pollyanna Sanderson

This blog post is the first of a series of blogs offering a consumer perspective on developing an approach towards consumer privacy and data security.

For more than 20 years, Congressional inaction on privacy and data security has coincided with increased data breaches impacting millions of consumers. In the absence of Congressional action, states and the executive branch have increasingly stepped in. A key part of the White House’s response is the National Telecommunication and Information Administration (NTIA) September Request for Comment (RFC).

While a “Request for Comment” sounds incredibly wonky, it is a key part of the process that informs the government’s approach to consumer privacy. The NTIA’s process gathers input from interested stakeholders on ways to advance consumer privacy while protecting prosperity and innovation. Stakeholder responses provide a glimpse into where consensus and disagreements lie among consumer and industry players on key issues. We have read through the comments and in this series of blogs are pleased to offer a consumer perspective.

This first blog focuses on a fundamental aspect of any proposed approach to privacy and data security: the scope. Reflecting risks of big data classification and predictive analytics, one suggestion by the Center for Digital Democracy (CDD) was to frame the issues according to data processing outputs. This would cover inferences, decisions, and other data uses that undermine individual control and privacy. However, focusing on data inputs, there was consensus among many interested stakeholders that privacy legislation must cover “personal information.”

The Center for Democracy and Technology noted that personal information is an evolving concept, the scope of which is “unsettled…as a matter of law, policy, and technology.” Various legal definitions exist at the state, federal, and international level. The Federal Trade Commission’s (FTC) 2012 definition defines it as information capable of being associated with or reasonably linked or linkable to a consumer, household, or device. Subject to certain conditions, de-identified information is excluded from this definition. To help to address privacy concerns while enabling collection and use, many stakeholders agree that regulatory relief should be provided for effective de-identification techniques. This would incentivize the development and implementation of privacy-enhancing techniques and de-identification technologies such as differential privacy and encryption. Federal law to avoid classifying covered data in a binary way as personal or non-personal. An all-or-nothing approach requiring irreversible de-identification is a difficult or impossible standard.

In an attempt to recognize that identifiability rests on a spectrum, the EU’s General Data Protection Regulation (GDPR) excludes anonymized information and introduces the concept of pseudonymized data. These concepts demand federal consideration, having been introduced to United States law via the California Consumer Protection Act (CCPA). The law should clarify how it applies to aggregated, de-identified, pseudonymous, identifiable, and identified information. To be considered de-identified data subject to lower standards, data must not be linkable to an individual, risk of re-identification must be minimal, the entity must publicly commit not to attempt to re-identify the data, and effective legal, administrative, technical, and/or contractual controls must be applied to safeguard that commitment.

While de-identified and other anonymized data may be subject to lower privacy standards, they should not be removed from protection altogether. In their NTIA comment, the CDD highlights that third-party personal data, anonymized data, and other forms of non-personal data may be used to make sensitive inferences and to develop profiles. These could be used for purposes ranging from persuading voters to targeting advertisements. However, individual privacy rights may only be exercised after inferences or profiles have been applied at the individual level. Because profiles and inferences can be made without identifiability, this aspect of corporate data practice would therefore largely escape accountability if de-identified and other anonymized data were not subject to standards of some kind.

This loophole must be closed. Personal information should be broadly defined to address risks of re-identification and to capture evolving business practices that undermine privacy. While the GDPR does not include inferred information in its definition of personal information, inspiration could be taken from the definition of personal information given by the CCPA, which includes inferred information drawn from personal information and used to create consumer profiles.

Our next blog  will explore “developing an approach for handling privacy risks and harms.” In its request for comment, the NTIA established a risk and outcome-based approach towards consumer privacy as a high-level goal for federal action. However, within industry and society, there is a lack of consensus about what constitutes a privacy risk. Stay tuned for a deep dive into the key issues that arise.

The author completed her undergraduate degree in law at Queen Mary University of London and her Master of Laws at William & Mary. She has focused her career on privacy and data security.

NCL calls upon state legislators to protect their residents from dishonest automatically renewing contracts

August 12, 2019

Media contact: National Consumers League – Carol McKay, carolm@nclnet.org, (412) 945-3242 or Taun Sterling, tauns@nclnet.org, (202) 207-2832

Washington, DC—The National Consumers League (NCL), the nation’s pioneering consumers and worker advocacy organization, calls upon state legislatures across the country to take action to protect consumers from deceptive automatic renewal clauses.

While automatic renewal provisions in consumer contracts, also known as negative option clauses, are billed as helping consumers avoid service disruptions, they can result in financial hardship for consumers. Dishonest companies continue to place these clauses into the fine print of contracts to mask rate hikes, renew gym memberships, generate recurring deliveries, or cause other services to renew without a consumers’ knowledge or consent.

The following statement is attributable to Brian Young, NCL’s public policy manager:

At least 22 states have some protections from automatically renewing contracts; however media reports have shown that companies are now using the guise of a ‘free trial’ to secretly roll consumers into binding contracts, sometimes after as little as a few days. Such clauses can trap consumers in expensive and unwanted contract renewals.

NCL is calling upon each state legislature to review their laws and enact comprehensive legislation. Recently enacted legislation in the District of Columbia is a model bill which requires:

  • clear disclosure of all automatic renewal clauses;
  • a consumer’s affirmative consent for free trials to be rolled over into a contract at the end of a free trial period; and
  • notification by mail, email, or another method of the consumer’s choosing, to be sent to consumers if their long-term contract is set to renew to a “month to month” or longer subscription.

Thirty-five percent of consumers have complained that they have signed up for an automatically renewing contract without realizing it. Likewise, 48 percent of consumers have had a free trial roll over into a contract without their knowledge. The time is long overdue for state legislators to step in and take action to ensure consumers are not tricked into costly and deceptive business practices.

###

About the National Consumers League

The National Consumers League, founded in 1899, is America’s pioneer consumer organization. Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad. For more information, visit www.nclnet.org.

Consumer group: Capital One breach highlights need for Congressional action on data security legislation

July 30, 2019

Media contact: National Consumers League – Carol McKay, carolm@nclnet.org, (412) 945-3242, or Taun Sterling, tauns@nclnet.org, (202) 207-2832

Washington, DC—Just one week after consumers received relief from the massive Equifax breach, yet another massive breach—this time at Capital One bank—is placing consumers at risk, yet again, of identity theft.

In one of the largest financial breaches in history, more than 100 million Capital One accounts and 140,000 Social Security numbers were reportedly compromised. As was the case in previous breaches, the Capital One breach appears to have stemmed from a third-party cloud hosting vendor that stored Capital One’s data.

The National Consumers League (NCL), the nation’s pioneering consumer and worker advocacy organization, is calling on Congress to immediately pass comprehensive privacy legislation and protect highly personal data.

“Consumers are sitting ducks if big banks like Capital One, giant hotel chains like Marriott, and credit scoring companies like Equifax don’t take the necessary steps to protect our data,” said John Breyault, NCL’s vice president of public policy, telecommunications, and fraud. “When companies like Capital One are sloppy in protecting consumers’ data, it allows hackers steal consumer information which ultimately fuels identity theft and other frauds against us.”

“More than five years after hackers compromised the personal information of nearly 110 million Target customers, criminals are still breaking through supposedly strong firewalls and stealing consumers’ personal data from companies. Any data security legislation must require that consumer data be protected with strong fines and criminal penalties for failing to do so,” said NCL Executive Director Sally Greenberg.

###

About the National Consumers League

The National Consumers League, founded in 1899, is America’s pioneer consumer organization. Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad. For more information, visit www.nclnet.org.

Feeling the pressure to go paperless? – National Consumers League

By Melissa Cuddington, NCL public policy intern

Feel forced to go digital or pay for paper bills and statements? You are not alone. Many consumers are beginning to push back against the “going paperless” trend that has become so popular among credit card and other companies that send bills to millions of consumers.

Charging for a paper bill is not a popular practice among consumers. In fact, according to a survey conduced by Toluna and Two Sides North America, 83 percent of American consumers believe that they should not be charged more as a result of opting for a paper bill. 

NCL and Consumer Action have agreed to work with “Keep Me Posted North America” (KMPNA), based out of Chicago, and yes supported by the paper industry — to raise these concerns. We happen to agree that preserving consumer choice when it comes to choosing what type of bill you receive is important. Keep Me Posted is working in the United Kingdom, Australia, and Europe. 

This specific issue is of significant importance when it comes to the work that NCL does on behalf of consumers and promoting their best interests in the marketplace. The campaign is currently working to represent more vulnerable consumers: seniors, low-income populations, the disabled, and those on Indian Reservations and in rural areas who may not have access to broadband. Charging them $3.50 or more because they choose a paper bill is just plain wrong. We believe anyone who chooses a paper bill should not have to pay for it. 

This consumer issue also has relevance to the increasing occurrence of digital fraud in the United States. According to a 2017 survey done by the Competition Bureau in Canada, digital fraud is increasing at a rapid rate. From 2011 to 2016, digital fraud increased significantly from $4.95 billion to $7.95 billion. This paperless trend is increasing the likelihood that consumers are the victims of telemarketing and Internet fraud. 

It is important that consumers, especially elders and those in low-income and rural areas have the option to receive a paper bill without incurring additional costs. For many Americans, $3.50 x 12 months is extra money they don’t have — and multiply times several bills and it really adds up. Additionally, the option of receiving a paper bill is seen as a more convenient and secure form of payment. In fact, 78 percent of people keep hard copies of important documents at home, because they believe it is the safest and most secure way to store their information (Two Sides North America, 2017). 

We believe this is a good coalition and one that will push hard to preserve consumer choice and do away with the odious practice of charging consumers who can least afford it for the convenience of a paper bill.

The role of technology in meeting consumer demands for product info – National Consumers League

Entering the grocery store, more than 40,000 products are right at your fingertips. As our Food Policy Fellow Haley Swartz has written about previously, choice overload and the “tyranny of too much” are increasingly common for consumers in grocery store aisles.

In an age when nutrition, health, and product safety are major consumer priorities, it becomes increasingly important to know what are in the items you purchase, and how they compare to the many other options on the grocery shelf.

Transparency itself is in high demand, as some have even called it the must-have ingredient for successful food companies in the modern era. Substantial consumer research data also indicates consumer demand for industry transparency, particularly in food and beverage manufacturing. The 2016 Label Insight Food Revolution Study found that 71 percent of consumers believed product transparency influences their purchasing decisions at the grocery store. A July 2017 survey found even more striking results, that 70 percent of purchases were influenced by transparency content.

A more recent survey from May 2018 found that if consumers were provided with additional information about a product, 80 percent said they would be more likely to buy it. In fact, more than two-thirds of respondents said that their interest about the information on product labels has increased over just the past two years.

Shoppers across the country are hungry for detailed information about what is in a product, why it is there, how it is produced, and what impact it has on the environment and their health. This call for more product information could be a result of the increasing complexity of food manufacturing, occurrence of allergies in the United States, and heightened awareness about the effect food has on our health.

A variety of tools aim to help anxious consumers wade through the noise to find the information they seek. But product packaging is becoming increasingly complex, enough so that some have called it a “competitive piece of real estate.” Only some of the information consumers want can be available directly in sight during grocery shopping experiences or when they are at home making out their shopping lists.

One tool that answers this question is SmartLabel, a digital disclosure tool which makes more information than can ever fit on a label available to consumers. SmartLabel works using a smartphone to scan barcodes or QR codes on food, beverages, personal care, and household products in the grocery store. Once the barcode is scanned, a SmartLabel website page provides detailed information about a range of things: ingredients, nutritional facts, allergens, usage instructions, third-party certifications, such as Kosher, and other information such as whether a food contains genetically modified organisms (GMOs). The information can also be found by going to www.smartlabel.org on a computer while you’re at home.

As of June 2018, SmartLabel is being used on nearly 28,000 food, beverage, personal care and household products in grocery stores, with many more products on the way.

The National Consumers League food policy team applauds the grocery manufacturers and retailing industry for responding to consumer demand and working to create a way for consumers to find more transparent information about the products they are purchasing. We hope that the industry will continue to roll out similar initiatives that promote the best interests of consumers and respond to demand in the marketplace.