FTC report on ‘Internet of Things’ likely to reignite debate over data minimization

27 January 2015. By Amy Miller and Mike Swift.

The debate over data minimization is likely to reignite after a report from the Federal Trade Commission on Tuesday urged companies that sell Internet-connected devices to limit how much data they’re collecting and how long they keep it.

Data minimization is a “long-standing principle” of privacy protection, the FTC said in the report, pointing to several recent policy initiatives, including the 2012 White House Consumer Privacy Bill of Rights. Large stores of data are attractive to thieves, inside and outside a company, and there’s greater chance the data could be used in ways that consumers never expected, the FTC said.

“Thieves cannot steal data that has been deleted after serving its purpose,” the FTC said, “nor can thieves steal data that was not collected in the first place.”

Risks increase as the ‘Internet of Things’ grows, the FTC said, pointing to predictions that the number of Internet-connected cars, cameras, thermostats and other household appliances will increase from 25 billion this year to 50 billion by 2020.

The FTC staff “recognizes that companies need flexibility to innovate around new uses of data,” the report said, but “these interests can and should be balanced with the interests in limiting the privacy and data security risks to consumers.”

The report also recommended that Congress enact broad privacy legislation, as opposed to legislation aimed specifically at Internet-connected devices, and provide clear rules giving consumers choices about the collection and use of their data.

The FTC’s Fair Information Practice Principles, known as FIPPs, have long held that consumers should be notified about what information is collected and how it will be used, the report said.

In a 2012 report on data privacy, the FTC said companies should toss data after it has outlived its purpose, but that retention times can be flexible. For example, a mortgage company should be allowed to maintain data for the life of a mortgage, while behavioral advertisers don’t need to keep data about someone’s online search for a hotel for an upcoming vacation.

But a difference of opinion on data retention emerged among FTC commissioners last spring. Some commissioners called not only for limits on what companies can collect, but also how long they can keep it, while others said such time limits could hurt innovation, and ultimately, consumers.

Once again, not all FTC commissioners agree with the agency’s latest recommendations specifically related to the growing number of Internet-connected devices. Republican commissioners Maureen Ohlhausen and Joshua Wright both expressed concerns with the report in separate statements.

While saying she supported the report and that it recognizes the need for flexibility, Ohlhausen also called it “overly prescriptive”. She said there’s no need for baseline federal privacy legislation, and faulted the FTC for not doing a comprehensive risk-benefit analysis of its recommendations.

“The report, without examining costs or benefits, encourages companies to delete valuable data —primarily to avoid hypothetical future harms,” Ohlhausen said.

Wright also criticized the FTC staff for not conducting a cost-benefit analysis, and criticized the FTC for issuing the report based on the results of a single day-long public workshop held in November,
2013.

“While documentary reports may serve a useful purpose in preserving a record of the workshop proceedings and the accompanying public comment process, one must recognize that merely holding a workshop — without more — should rarely be the sole or even the primary basis for setting forth specific best practices or legislative recommendations,” Wright said.

Tech industry advocates also criticized the FTC’s report, saying the agency’s staff relied on outdated privacy principles established in the 1960s and 1970s.

Daniel Castro, director of The Information Technology & Innovation Foundation’s Center for Data Innovation, said the FTC’s focus on data collection and its statement that thieves can’t steal data that isn’t collected shows that the agency doesn’t understand the industry.

“It shows how they don’t really get it,” Castro said. “If companies are collecting less data, they’re not able to innovate. That’s like telling a bank if you had less money, no one would steal it from you.”

Broad privacy legislation around data collection isn’t needed, he said. Instead, Congress should enact legislation that addresses the actual harms created if the data is misused. Companies shouldn’t be allowed to make employment decisions, for example, based on the results of data mining, he said.

“Their solution just isn’t compatible with how innovation is happening right now,” Castro said.

But speaking at a conference* in Washington on Tuesday, FTC chairwoman Edith Ramirez reiterated that companies making Internet-connected devices should minimize the amount of data they collect and delete it when it’s no longer needed, and that consumers must be given information and a choice.

One problem with the Internet of Things, Ramirez said, is “a lack of transparency.” The industry will ultimately die unless consumers have more say about the information companies collect about them, she said.

“If you want these new technologies to flourish, you need to make sure consumers understand what’s happening, what is being collected, with whom it is shared, how it’s being used,” Ramirez said. “It’s fundamental that consumers be in the driver’s seat, that they have a say.”

-With additional reporting from Leah Nylen