the President's suggestions last February 23rd. Already, the framework is being presented as voluntary criteria for businesses, rather than formal regulations.It's beginning to look a lot more like a "Consumer Privacy Bill of Suggestions" as the U.S. Federal Trade Commission today made recommendations about limiting the scope of any "Bill of Rights" emerging from
But after reviewing some 450 public comments about the president's proposed framework, FTC commissioners issued their recommendations (PDF available here). Among them was a suggestion that as long as a Web service tracked fewer than 5,000 customers per year, and was collecting non-sensitive information anyway, it may opt out of this voluntary compliance, in order to avoid the hardships that respecting privacy may impose upon small businesses.
If You're Small Enough, Perhaps We Can Trust You
"The preliminary report proposed that the privacy framework apply to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device," reads the FTC report this morning. "To address concerns about undue burdens on small businesses, the final framework does not apply to companies that collect only non-sensitive data from fewer than 5,000 consumers a year, provided they do not share the data with third parties."
The Commission acknowledged that many advocacy groups opposed the idea of exempting or excluding any organization of any size from participating in the privacy framework, as being too small to matter. But Commissioners then offered the hypothetical story of a company that might qualify as an exclusion: "a cash-only curb-side food truck business that offers to send messages announcing when it is in a given neighborhood to consumers who provide their e-mail addresses. As long as the food truck business does not share these e-mail addresses with third parties, the Commission believes that it need not provide privacy disclosures to its customers. This narrow exclusion acknowledges the need for flexibility for businesses that collect limited amounts of non-sensitive information. It also recognizes that some business practices create fewer potential risks to consumer information."
But that's the problem: Small businesses don't do business the same way. They use their iPads and their cloud apps to collect simple mailing lists - and in that regard, you might say they're sharing personally identifiable data with third parties. And if the cloud is the problem, the cloud may also be the solution: Services that provide data collection apps that do comply with a privacy framework, may theoretically extend those protections and principles to those dozens or hundreds of folks whose email addresses get collected for the charity picnic. It is through the collection of data from those who collect data (from those who collect data) that these "big data" databases have gotten so big in the first place.
In its response this morning, the Center for Digital Democracy - which represents private Internet interests - very politely, very daftly, suggested that part of the problem the Obama Administration may be having with this issue is that it doesn't know what it's talking about.
In a portion of CDD's statement headed, "Ensuring an Informed Discussion About the Digital Data Collection Landscape," the group suggested that an independent reassessment of the current market in data collection be launched, with the goal of opening everyone's eyes to realities such as the Web enabling big data to be collected from small sources.
"All of the participants should start from a level playing field, armed with a basic understanding of the dimensions and contours of the contemporary data collection system," stated CDD. "As the Department of Commerce, FTC, and the European Union's Article 29 Working Party recognize, the data collection 'environment' that has emerged is interconnected. One cannot easily choose a small piece of the puzzle (such as the 'low-hanging fruit' of mobile privacy) to tackle, because all types of data collection and analysis are intrinsically connected to the fundamental forces shaping privacy in the commercial digital era."
Then when deciding what issues the final framework should cover from the cornucopia brought forth by the independent reassessment, CDD puts things a little less gently: "Stakeholders should decide the topics, not the Administration."
As if to prove the CDD's point, in the appendices of the report, the FTC presented a graph depicting all the players in the grand data collection scheme. But as though bedazzled by the colored lines, for no known reason - perhaps in commemoration of the architecture of the Los Angeles airport - the Commission created this illegible 3D projection of the graph to accompany the slightly more sensible 2D version (top).
If You're Big Enough, Perhaps We Can Trust You
While the Commission was suggesting that many data-collecting entities would be too small to require any kind of regulation, including voluntary, at one point its report also implied that some entities may actually be too big. More specifically, it implied that certain corporations collect so much data that the effort required to make sense of it all for tracking purposes, exceeds the value of the information that could be extracted from doing so.
The Commission's report terminated its discussion of the bigger players with the classic "It Remains to be Seen" close: "More work should be done to learn about the practices of all large platform providers, their technical capabilities with respect to consumer data, and their current and expected uses of such data."