CTIA recently was among dozens of commenters responding to the National Telecommunications and Information Administration (NTIA)’s request for input on the big data and privacy report put forth by the White House Office of Science and Technology, as well as the President’s Council of Advisors on Science and Technology report on technology, privacy and big data.
“Big data analytics is part of the most recent wave of technological innovation that promises tremendous benefits to consumers and society across a range of industry sectors,” CTIA said. The group cited several examples of wireless operators’ use of big data and analytics, including the analyzing of aggregated customer call information to identify confusing menu options and monitoring of dropped call logs in real time in order to locate and prioritize outages.
Among CTIA’s positions on big data and privacy:
- CTIA said its members support federal legislation on data security and breach notification. This is an area were current legislation varies from state to state on whether or not users must be notified if their personal information is compromised.
- If legislation on consumer electronic privacy is proposed to Congress, CTIA said its members “encourage the administration to clarify and appropriately limit the type of data that legislation would cover.” CTIA says that legislation “should not cover network data that carriers use to protect their network and improve performance,” nor should it apply to publicly available data such as census information.
- Exclude de-personalized data from any legislation, so long as companies continue to follow best practices in anonymizing data so that it cannot be reasonably linked back to specific individuals.
- Include a flexible “responsible use” framework and not mandate specific accountability mechanisms in legislation.
CTIA said that reasonably anonymized data is highly unlikely to be re-identified and presents a low level of risk due to the time, effort and expense involved in re-identification efforts.
“If legislation or regulators require perfect anonymity, consumers will not enjoy the potentially transformative social and economic benefits of data driven innovation,” CTIA said.
Notifications for consumers are increasingly more complex than traditional “notice and choice” rules account for, CTIA noted, with the usage of data likely to evolve over time.
“Companies are expected, at the time of data collection, to give consumers notice of (among other things) the data they collect, the purpose for which they collect it, and the entities with whom they will share it,” CTIA said in its comment. “Companies are expected to use the data only for those purposes for which they collected the data, and they are expected to offer consumers choices about how their information may be used for secondary purposes.
“One of the defining characteristics of data-driven innovation, however, is that companies will not always be able to predict at the time of collection all of the possible beneficial uses of data that they may discover in the future. In addition, non-consumer facing companies that increasingly obtain large amounts of consumer data are not in a position to interact directly with, and provide notice and choice to, consumers. … Requiring companies to contact consumers to update their consent each time they use data for a new purpose similarly could prevent companies from launching new services. In addition, frequent notices in the context of ubiquitous data collection and big data analytics likely would be unhelpful, burdensome and intrusive to customers and would impede the delivery of the data-driven products and services consumers want,” CTIA concluded, arguing instead in support of a “respect for context” approach with an attitude of transparency and individual control.
“As the White House Privacy Blueprint explained, the ‘respect for context’ principle allows changes in the relationship between the consumer and the company ‘over time in ways not foreseeable at the time of collection,’ and enables ‘adaptive uses of personal data [that] may be the source of innovations that benefit consumers.'”
Companies should be able to infer consent based on a user’s request for certain services, and to improve those services, CTIA said, adding “as companies develop new products and services, including those that relate to the Internet of Things, it may be necessary to find new ways to disclose data practices that matter to consumers.”
CTIA went on to suggestion that consumers understand that an app that gives suggestions for restaurants that are close by needs access to the subscriber’s location information.
“It would not be desirable to the consumer to receive just-in-time notice and choice before the app accessed geolocation data for the purpose of providing recommendations, as such notice would create unnecessary friction in the user experience and over time desensitize the consumer to any valuable consumer protection,” CTIA said.
Read the entire pdf of CTIA’s comments here, and see more comments on the topic here.