Year: 2013

  • Continuing discussion on mobile app privacy (NTIA)

    I attended a recent discussion hosted by the NTIA (Department of Commerce), which is a continuing effort to develop a set of best practices for mobile app developers regarding the collection and use of personal consumer data. First, major congratulations to the NTIA for taking this on. As anyone who has attended one of the meetings knows, and given all the voices that want to be heard, it’s a herculean task to facilitate the events.

    Much was discussed at the meeting, such as the appropriate use of the word “should” versus “shall”; the choice of the word “data” vs. “file” vs. “information”; and just how and when, exactly, an app should present a list of collected data elements to the user (i.e., “shall” they display all data elements, or “should” they?). These issues, as I came to learn, are nontrivial.

    What I found most interesting, however, was a point made by one of the participants who was calling on all stakeholders to convince the FTC to take a more active role in the process. The issue is this: the best practice document, in whatever form it takes, will be voluntary. That is, no developer will be *required* to adopt it. However, the consensus seems to be that once they choose to adopt, they will be legally bound by it. That’s right — *legally bound* by it. Enforcement appears to come from the familiar Section 5 of the FTC Act regarding unfair and deceptive practices. Essentially, once the company *agrees* to comply with the best practices, failure to *actually* comply constitutes a deceptive practice, which becomes an enforceable action by the FTC. We’ve seen this same approach regarding privacy policies (i.e., a company claims to not collect data, but then does anyway).

    This raises an interesting question: given the cost of adoption, the potential liability, and absent a mandate to adopt, why would *any* firm agree to adopt it?

    Well, they might choose to adopt in order to signal that they’re a good corporate citizen and ingratiate themselves in the eyes of consumers. Given that this is really just a form of self-regulation, firms may want to comply simply to stave off a stronger, more onerous form of regulation that might one day be forced upon them.

    The second part of that participant’s point was that there should also be a safe harbor for those firms who choose to adopt, but somehow mistakenly goof up one of the elements. This seems like a reasonable request. The tensions are clear: policy makers want to see all firms adopt the best practice, but it is costly for them to do so. The cost comes from retooling their apps, in addition to any expected costs from litigation or sanction. So, offering a safe harbor for those firms who mostly comply reduces future expected costs.

    It’s too early to anticipate the level of adoption based on the participants in the room, and the fact that the document is unfinished, but I wish the NTIA the best of luck!

    More information on the effort can be found at: http://www.ntia.doc.gov/other-publication/2013/privacy-multistakeholder-process-mobile-application-transparency

  • FTC is also interested in knowing what firms know about us

    As a follow-up to a previous PRG post from a couple of months ago (http://blogs.law.nyu.edu/privacyresearchgroup/2012/10/you-know-what-id-like-to-learn-whats-being-collected-about-me-too/), the FTC is now also investigating the role that data brokers play in the collection, use, sale and sharing of personal consumer information. Specifically, the FTC is asking Acxiom, Corelogic, Datalogix, eBureau, ID Analytics, Intelius, Peekyou, Rapleaf, and Recorded Future the following questions (http://www.ftc.gov/opa/2012/12/databrokers.shtm, http://www.ftc.gov/os/2012/12/121218databrokerssection6border.pdf):
    – the nature and sources of the consumer information the data brokers collect;
    – how they use, maintain, and disseminate the information; and
    – the extent to which the data brokers allow consumers to access and correct their information or to opt out of having their personal information sold.

    Hopefully the answers are honest and complete.

     

    In related news, the Consumer Financial Protection Bureau issued this recent paper describing in great detail the means by which credit bureaus obtain consumer financial information: http://files.consumerfinance.gov/f/201212_cfpb_credit-reporting-white-paper.pdf.

    Some highlights:
    – the top three credit bureaus (Equifax, Experian, TransUnion) collectively maintain records on over 200 million individuals
    – the average credit report includes 13 line items (bank accounts, credit cards, loans, etc.)
    – the bureaus receive, on average, 1.3 billion updates to consumer reports from 10,000 different data providers per month
    – of the estimated 40 million people who obtained copies of their credit reports, 8 million people contacted the bureaus regarding errors. That’s a 20% error rate!
    – a separate report by the Policy and Economic Research Council found a similar error rate of 19% (n=2338)
    – importantly, though, only about half of these errors would have affected a consumer’s credit score, and only about 2% were found to affect a credit score by 10 or more points.
    – about 40% of the complaints relate to debt collection errors
    – changes to credit scores are nonlinear. That is, the higher one’s credit score, the more negative credit information will affect it. E.g., a 30-day delinquency on a credit card will reduce the score of a consumer with a 780 FICO score by 110-90 points, whereas it will reduce the score of a consumer with a 680 FICO score by only 80-60 points.

    More information about FTC workshops:
    FTC: http://www.ftc.gov/ftc/workshops.shtm
    Related: http://files.consumerfinance.gov/f/201212_cfpb_credit-reporting-white-paper.pdf