Introduction: Purpose Limitations & Primary and Secondary Purposes Under an FTC Unfairness Rule
This is the second in a series of blog posts about EPIC’s proposal for a data minimization standard to limit commercial surveillance and protect consumer privacy. As explained in our previous post, data minimization is the standard for limiting the collection, use, transfer, and retention of personal information to that which is reasonably necessary. Our first blog post in this series discussed the reasonable consumer expectation framework for data minimization. This post explains why the Federal Trade Commission should promulgate a rule that prohibits secondary out-of-context data uses with limited exceptions and why it is important to limit the uses of personal information to certain narrow purposes.
The FTC’s Advanced Notice of Proposed Rulemaking (“ANPR”) regarding commercial surveillance and data security provides the FTC an opportunity to rein in these harmful out-of-context uses. In promulgating a privacy rule, the Commission should be guided by the core principles that have been the foundation of consumer privacy protections for decades, the Fair Information Practices, which include: (1) Collection Limitation; (2) Data Quality; (3) Purpose Specification; (4) Use Limitation; (5) Security Safeguards; (6) Openness; (7) Individual Participation; and (8) Accountability. In order to put these privacy principles into action, the FTC will need to use its unfairness authority to restrain business practices that cause substantial harm to consumers, that are not reasonably avoidable, and that are not outweighed by countervailing benefits to consumers or competition.
As EPIC explained in our comments on the FTC rulemaking, out-of-context secondary uses cause substantial harm to consumers and should be curtailed. In order to determine the scope of data uses that cause substantial harm to consumers, the Commission will need to evaluate which data uses primarily serve the interests of consumers as they interact directly with businesses in the online ecosystem. To the extent that the Commission determines that certain limited secondary uses either serve the interests of consumers or have substantial countervailing benefits, it should allow data uses for those narrow secondary permissible purposes. A privacy rule that imposes a data minimization standard in this way will not only be consistent with the FIPs but will also fit clearly within the scope of Commission’s unfairness authority.
Secondary Uses Cause Substantial Harm
Consumers are constantly tracked online while using the internet and their devices which subjects consumers to far-reaching data collection. As explained in our previous blog post, data processing is often “not directly in service of fulfilling a consumer’s request,” including out-of-context secondary uses of data that regularly exceed the scope of reasonable consumer expectations. Not only is this data collection and use harmful in itself, but it also necessarily subjects consumers to downstream security risks and privacy harms. The unfair, systemic overcollection and misuse of personal data leads to “invasive, discriminatory targeting that violates the privacy and autonomy of consumers.”
In the course of our daily lives, our personal information is automatically collected, processed, and transferred, some of which is…