Online privacy violations pose risks to consumers beyond purely financial losses, including the risk of embarrassment and harm to social standing, the advocacy group Public Knowledge argues in new comments submitted to the Department of Commerce.
“The most pernicious harms associated with data breach and misuse of data are not currently legally-cognizable,” the group writes in papers submitted late last week. “A data breach may expose information that could be embarrassing or cause reputational harm, undermining one’s employment or social prospects... Harms may also come in the form of Cambridge Analytica-style 'psychographics,' misinformation, or distortions of the public record, undermining public trust in U.S. democratic institutions.”
Public Knowledge's comments come in response to the National Telecommunications and Information Administration's request for input about approaches to protecting privacy. The agency said in September it wants to move away from the current notice-and-choice framework -- which often involves presenting people with lengthy privacy policies and allowing them to opt out of certain uses of their data -- to a so-called "risk-based approach."
Public Knowledge opposes the idea of a risk-based approach, arguing that privacy breaches can carry consequences beyond “legally-cognizable” risks.
“Privacy is a fundamental right, and the harm occurs when personal information is acquired, accessed, or used in a way that is unanticipated or unauthorized by the individual to whom the information pertains, regardless of the concomitant risks,” the organization writes.
Public Knowledge also urges the NTIA to reject the idea that “sensitive” and “non-sensitive” data be subject to different privacy standards.
“So-called non-sensitive information can be aggregated to reveal sensitive information, and, in fact, some non-sensitive information, in isolation, may reveal sensitive information,” the group writes. “For example, while one’s health status is frequently considered sensitive, one’s shopping history is not. If one is shopping at TLC Direct and Headcovers Unlimited, two websites that specialize in hats for chemotherapy patients, it may be trivial to infer her health status.”
A coalition of major ad groups last week urged the NTIA to take a different approach and say that some uses of data are “per se” reasonable -- including collecting “non-sensitive” data for ad purposes.
The ad industry's current self-regulatory code requires companies to get consumers' explicit consent before using “sensitive” data for ad-targeting, and to allow consumers to opt out of ad-targeting based on “non-sensitive” data. The industry's definition of “sensitive” often includes data about medical conditions, or financial account information, but not more general web browsing activity.
The Federal Trade Commission said in a 2016 staff report that “sensitive” data can include search queries, email messages, social media posts, and titles of books read or movies viewed.