Attorney General Kwame Raoul co-led a bipartisan coalition of 33 attorneys general today calling on the Federal Trade Commission (FTC) to consider the harms consumers face from the prevalence of commercial surveillance when creating new rules to prevent misconduct and promote transparency and accountability involving online data collection.
In a comment letter to the FTC, Raoul and the attorneys general urge the FTC to acknowledge the heightened sensitivity around consumers’ medical data, biometric data and location data, along with the dangers that arise from data brokers and the surveillance of consumers. The coalition also asks the FTC to consider data minimization, which limits the amount of data collected by businesses to only what is required for a specific purpose, helping to mitigate concerns surrounding data aggregation.
“Americans are utilizing online applications at an increased rate, sharing sensitive information on a variety of issues that if leaked could cause substantial harm to consumers,” Raoul said. “It is vital the FTC lead to ensure consumers have trust that their interactions online are protected and private.”
According to Raoul and the coalition, consumers are often not aware that their location information is collected. In addition, consumers are often limited in options when trying to disable location sharing. The coalition highlights the sensitive nature of this information, which can reveal intimate details of daily life including where consumers live and work, their shopping habits, their daily schedules, or even whether they visited the doctor or pharmacy.
In their letter, Raoul and the coalition urge the FTC to:
- Consider the risks of commercial surveillance practices that use or facilitate the use of facial recognition, fingerprinting or other biometric technologies. Many consumers provide this information to companies for security purposes or to learn about their ancestry, but consumers are not always made aware of when their data is collected, how it is used or if it is resold for purposes to which they never meaningfully consented.
- Consider the risks of practices that use medical data, regardless of whether the data is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Privacy Rule. Medical data not necessarily covered by HIPAA is referred to as “health adjacent data,” which can be collected by many devices including smartwatches, heart monitors, sleep monitors, and health or wellness phone applications.
- Consider the persistent dangers of data brokers, who profile consumers by scouring social media profiles, internet browsing history, purchase history, credit card information and government records like driver’s licenses, census data, birth certificates, marriage licenses and voter registration information. Data brokers also use this information to create profiles of certain consumers – that can be purchased by almost anyone – based on susceptibility to certain advertising or likelihood to buy certain products. This scale of aggregation of anonymously gathered information can identify consumers and put consumers at risk of scams, unwanted and persistent advertising, identity theft and lack of consumer trust in the websites they visit.
- Consider data minimization requirements and limitations, examining approaches taken in some states that mandate that businesses tie and limit the collection of personal data to what is “reasonably necessary” in relation to specified purposes. Limiting the collection and retention of data by businesses will improve consumer data security, as businesses will have less data to protect and less data potentially available to bad actors.