
Federal Trade Commissioner Rebecca Kelly Slaughter
suggested Tuesday that the agency's approach to privacy could result in new scrutiny of business models that rely on harvesting data -- including behavioral targeting.
"Can we move away from
the outdated notice-and-consent model to govern questions surrounding personal data, and instead turn our focus to the underlying business structures and incentives that are anchored in indiscriminate
collection and application of personal data to fuel data-driven business models such as behavioral advertising?" she said at the agency's annual PrivacyCon. "It is this underlying incentive
structure that has caused so many of the harms and privacy risks we’re here to discuss today."
advertisement
advertisement
She also floated the idea that companies should collect as little personal information as
possible.
"Rather than focusing on opt-in versus opt-out, and whether privacy policies are clear enough, I believe we should be discussing the concept of data minimization," Slaughter
said.
Some privacy advocates have long argued that companies should only collect the amount of data necessary for a specific purpose, and then only use the information for that purpose.
FTC technologist Erie Meyer signaled in a separate speech that the agency plans to crack down on privacy violators.
“We're going to make sure that data abusers face consequences for
their wrongdoing,” she said.
Meyer added that privacy violators should be required to “disgorge algorithms that were juiced by ill-gotten data.”
The agency has
already forced at least one company, facial recognition enterprise Everalbum, to shed algorithms that were derived from data. In that case, Everalbum allegedly developed the algorithms
from photos and videos that users had uploaded to a photo storage app.
Meyer also said that companies shouldn't be able to come into compliance simply by “papering over
questionable conduct.”
In the past, the FTC has resolved some privacy prosecutions by requiring companies to develop and post comprehensive data policies.