FTC Chair Edith Ramirez Talks Privacy, Data Security

20150312_153444You may now be able to change your thermostat from another continent, your fridge might know when you need to buy more eggs, and your connected TV recommends shows and movies. But is your data being used for things other than keeping your house warm, your eggs in stock, and your kids entertained — and, just as importantly — is it secure?

These were the questions put to Federal Trade Commission Chair Edith Ramirez today at the Consumer Federation of America’s Consumer Assembly in D.C.

Speaking with Ed Mierzwinski of the U.S. Public Interest Research Group, Ramirez explained that data collection is an “incredibly important area” for the FTC.

“We want to make sure that as consumers increasingly use mobile devices, that the same consumer protections apply,” she explained. “These devices can provide a lot of benefit to consumers but the challenge is that they’re also collecting a lot of info about us.”

Even if you buy a device that only ostensibly collects data for a specific, known purpose, Ramirez said you’re opening the door to that data being used for “unexpected purposes.”

“The information could be sold to a third-party data broker who might sell that info to someone else,” she clarified. She gave the hypothetical example of a device that collects info about the user eats.

“Maybe it gets back to my insurance company that I’m not eating the healthiest of foods,” suggested Ramirez. “How does that impact my coverage?”

The Chair acknowledged that we’re still in the early days of web-connected devices and many of the companies making the most interesting products in this category are new and may not have the experience or understanding to deploy proper security for the data they collect.

Additionally, said Ramirez, because so many of these devices are small in size and low in price, there are concerns about the amount of security one can build in.

“You have to put privacy-based thinking at the forefront of your product,” she advised to manufacturers and developers. “You need to think about data minimization. Do you really need it? How long do you need to keep it?”

While the FTC doesn’t introduce legislation, Ramirez said there are three important factors that any effective data security bill would need to include.

First, companies must be required to be transparent about their data practices. How is it used, how is it going to be shared, will it be resold?

Second, because companies can obscure transparency efforts by disclosing too much information or using language that is too complicated or technical, the privacy polices would need to be clear and understandable.

“Most policies we see now are opaque and unintelligible,” said the Chair.

Finally, consumers need to have control over their collected data, especially sensitive information like geolocation info and anything related to personal health.

“Consumers ought to be required to opt-in to sharing this information,” said Ramirez.

The Chair ended her brief talk with a few comments on the insidious problem of so-called “native advertising,” better known as sponsored content or advertorials — or as she described it, “content that is seemingly neutral but which is not at all independent.”

“The old principles continue to apply, regardless of the new media,” cautioned Ramirez. “If you’re advertising something you need to be clear that it’s advertising, that there’s some sponsor behind it… The information being conveyed needs to be truthful and clear and conspicuous.”