Data Minimization: Limiting the Scope of Permissible Data Uses to Protect Consumers

Introduction: Purpose Limitations & Primary and Secondary Purposes Under an FTC Unfairness Rule

This is the second in a series of blog posts about EPIC’s proposal for a data minimization standard to limit commercial surveillance and protect consumer privacy. As explained in our previous post, data minimization is the standard for limiting the collection, use, transfer, and retention of personal information to that which is reasonably necessary. Our first blog post in this series discussed the reasonable consumer expectation framework for data minimization. This post explains why the Federal Trade Commission should promulgate a rule that prohibits secondary out-of-context data uses with limited exceptions and why it is important to limit the uses of personal information to certain narrow purposes.

The FTC’s Advanced Notice of Proposed Rulemaking (“ANPR”) regarding commercial surveillance and data security provides the FTC an opportunity to rein in these harmful out-of-context uses. In promulgating a privacy rule, the Commission should be guided by the core principles that have been the foundation of consumer privacy protections for decades, the Fair Information Practices, which include: (1) Collection Limitation; (2) Data Quality; (3) Purpose Specification; (4) Use Limitation; (5) Security Safeguards; (6) Openness; (7) Individual Participation; and (8) Accountability. In order to put these privacy principles into action, the FTC will need to use its unfairness authority to restrain business practices that cause substantial harm to consumers, that are not reasonably avoidable, and that are not outweighed by countervailing benefits to consumers or competition.  

As EPIC explained in our comments on the FTC rulemaking, out-of-context secondary uses cause substantial harm to consumers and should be curtailed. In order to determine the scope of data uses that cause substantial harm to consumers, the Commission will need to evaluate which data uses primarily serve the interests of consumers as they interact directly with businesses in the online ecosystem. To the extent that the Commission determines that certain limited secondary uses either serve the interests of consumers or have substantial countervailing benefits, it should allow data uses for those narrow secondary permissible purposes. A privacy rule that imposes a data minimization standard in this way will not only be consistent with the FIPs but will also fit clearly within the scope of Commission’s unfairness authority.

Secondary Uses Cause Substantial Harm

Consumers are constantly tracked online while using the internet and their devices which subjects consumers to far-reaching data collection. As explained in our previous blog post, data processing is often “not directly in service of fulfilling a consumer’s request,” including out-of-context secondary uses of data that regularly exceed the scope of reasonable consumer expectations. Not only is this data collection and use harmful in itself, but it also necessarily subjects consumers to downstream security risks and privacy harms. The unfair, systemic overcollection and misuse of personal data leads to “invasive, discriminatory targeting that violates the privacy and autonomy of consumers.”

In the course of our daily lives, our personal information is automatically collected, processed, and transferred, some of which is for a permissible, expected purpose and some of which is for unexpected out-of-context purposes. For example, a map application will need to collect and use your location information to provide you with directions, a primary and expected purpose. Your personal information, however, will often be used in unexpected out-of-context ways unrelated to why it was collected. For example, a map application may collect and use your location information to provide you directions and then share your location information with a data broker to profile you with targeted advertisements, or it may store your location information for longer than necessary, subjecting that information to a data breach. There may also be some necessary purposes for the collection and use of personal information that a consumer might not be aware of or expect. For example, some of your personal information may be collected and used for fraud prevention or other security measures, which helps to ensure that transactions are safely effectuated. A well-crafted data minimization standard would allow for companies to continue to collect and use personal information for primary and secondary uses that benefit the consumer.

Secondary uses of data can be harmful not only because they violate the core privacy principle that personal information should be used within the context of the primary purpose for which it was collected, but also because they are used to justify broad collection and indefinite retention of sensitive data. For example, a banking application may collect a customer’s account information and IP address when a customer logs into their account to maintain an audit log for authentication and data security purposes. The bank does not need to store this information for the purpose of logging in, but it will need to store the information for the purpose of ensuring that the customer is signing in with a familiar IP address. This purpose is unlike most third-party tracking online in which companies use cookies and pixels to collect and process information about consumers on unrelated websites. For example, Facebook places a pixel on a news website and a consumer clicks the “like” thumbs up button so that she will see that content on her Facebook feed. Facebook collects, uses, and retains personal information about her indefinitely for purposes wholly unrelated and unknown to showing her that content on her feed. Without a data minimization standard that limits secondary uses, companies will simply collect as much data as they can and keep it indefinitely to use for future unrelated purposes. These future secondary uses may provide profit to the business, but they don’t benefit consumers. This may raise significant future competition risks as a small number of dominant firms amass vast troves of personal information that they control, raising the entry barrier for smaller firms. These uses do not provide the consumer with any benefits that outweigh the harmful practice of overcollection of personal information and out-of-context secondary uses.

The Harms from Secondary Uses Are Not Reasonably Avoidable by Consumers Under the Current Approach

For any privacy rule based on the FTC’s unfairness authority, the Commission has to establish that the practices it regulates are not reasonably avoidable by consumers. The current regime that allows unfettered collection, use, and retention of personal information is unavoidable for any consumer who uses the internet, and it substantially injures consumers. Traditionally, the approach has been to rely entirely on a company-driven disclosure model in which a company decides how much data is collected and how the data is used. The data collection and use practices are determined by what a company says, and companies write these policies in ways that are as broad as possible to give them unlimited options for data collection, use, and retention. As a result, policies are incomprehensible and enable the companies to make unlimited, out-of-context secondary use of data. It would reportedly take 76 work days for a person to read all of the privacy policies she encounters in a year.

In our rulemaking comments, EPIC recommended that the FTC write a rule to reflect the proper way that this type of information should be collected and limited in its use. The rule should include an overall limitation on out-of-context uses and some permissible purposes. The FTC can scope rule around uses that fall outside of what consumers expect or need when a consumer interacts with a business.

Purpose Limitation is a Common Tool in Data Privacy Frameworks

Purpose limitation is a tool that is increasingly being deployed in data privacy frameworks, and the Commission should look to these frameworks for guidance to promulgate a properly scoped data minimization rule to protect consumers from harmful commercial surveillance. Indeed, the precedent for the fair and reasonable limitation of secondary data processing takes the form of laws, proposed legislation, regulations, and enforcement actions.

Companies should not be allowed to determine for themselves what are the permissible purposes of collecting and using consumers’ personal information. Without meaningful limitations, companies can, and do, claim that they need nearly unlimited data collection, transfer, and retention periods in order to operate their businesses. Other legal frameworks already impose substantive limitations on the purposes for which companies can collect and use personal information. The EU’s GDPR requires a company to comply with one of the six legal bases provided by the regulation to process personal data. The GDPR provides that a company may process personal information when a consumer consents to such processing, usually by opting in. It also provides that a company may process personal information when such processing is necessary for the performance of a contract or “necessary for the purposes of the legitimate interests pursued by the controller[.]” Meta recently was fined for collecting and using personal information for behavioral advertising purposes after the European Data Protection Board disagreed with its argument that this use of personal information was necessary under its contract with users. In response, Meta announced that it intends to claim that collecting and using personal information for behavioral advertising purposes is a legitimate interest and such processing is therefore in compliance with the GDPR. We know that targeted advertising is an invasive use of personal information wholly unrelated to the context in which it was collected. This underscores the failures of allowing companies to decide what is a legitimate business use for processing personal information without meaningful limitations.

The American Data Privacy and Protection Act (“ADPPA”), a proposed comprehensive federal privacy bill, establishes a duty of loyalty on covered entities, including a data minimization limitation that prohibits the entity from collecting, processing, or transferring covered data unless it is reasonably necessary and proportionate. The data minimization limitation expressly provides permissible purposes for which a covered entity may collect, process, or transfer covered data. Some of the permissible purposes include: to authenticate a product or service; to fulfill a product or service warranty; and to prevent, detect, protect against, or respond to a security incident. The Commission should similarly provide permissible purposes of data uses that provide consumers with benefits.

One of the nation’s earliest privacy laws, the Communications Act, included a direct limitation on secondary uses of personal data: the limitation of sharing unlawfully intercepted communications, 47 U.S.C. § 605.

The California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), includes purpose limitation and data minimization rules. § 7002 of the CPPA regulations establishes restrictions on the collection and use of personal information. The California Privacy Protection Agency explained that this “means businesses must limit the collection, use, and retention of your personal information to only those purposes that: (1) a consumer would reasonably expect, or (2) are compatible with the consumer’s expectations and disclosed to the consumer, or (3) purposes that the consumer consented to, as long as consent wasn’t obtained through dark patterns. For all of these purposes, the business’ collection, use, and retention of the consumer’s information must be reasonably necessary and proportionate to serve those purposes.”

Purpose Limitation Fits Squarely Within the FTC’s Countervailing Benefits Analysis

As part of its unfairness rulemaking test, the FTC will also have to consider whether certain harmful data practices provide countervailing benefits to consumers or competition that outweigh their harms. A rule that prohibits secondary out-of-context data uses and provides narrow permissible purposes is particularly well suited to the FTC’s analysis. The Commission is charged with determining when there is a harm caused by out-of-context secondary uses, to what extent is the harm avoidable, and what countervailing benefits to consumers or competition do such uses provide. The Commission should ask: what data uses provide countervailing benefits? How do consumers expect their information to be used when they interact with a company online? What are necessary, but perhaps unexpected, data uses that benefit consumers?

A commercial surveillance rule should protect the rights of consumers to be free from invasive tracking and the processing of their personal data contrary to their fundamental rights. Legislators and regulators are tasked with the crucial role of finding a standard that respects the intentions and expectations of consumers but that does not require any consumer to be an expert about data collection and use.

There are a number of secondary uses or proposed legal bases that the Commission will have to evaluate based on comments and statements made during the rulemaking process. These uses fall within three categories: (1) permissible uses that are necessary or provide clear benefits to consumers, (2) limited permissible purposes which may provide some benefits to consumers but must be carefully scoped to protect consumers, and (3) impermissible purposes that do not provide countervailing benefits to consumers or competition.

In its commercial surveillance rulemaking, the FTC should promulgate a rule that prohibits secondary out-of-context data uses as an unfair business practice and should scope this rule by providing certain permissible uses that provide substantial benefits to consumers. Scoping and limiting the permissible secondary uses should be determined by weighing the benefits to consumers of such uses. The Commission could, for example, determine that certain secondary purposes as permissible because those purposes provide benefits to consumers. Such permissible purposes could include: system network maintenance; authentication; and data security.

The Commission will also need to determine how to properly evaluate secondary purposes that companies are likely to argue provide a countervailing benefit to consumers. The scope of these uses should depend on how much data is collected and how it is used. One example is loyalty programs, which may provide some countervailing benefits to consumers. There is a long history of benefits to repeat customers that involve collecting and using data in ways that are not essential to the transaction; however, some programs go far beyond loyalty and are ultimately more harmful than beneficial.

Another limited purpose that must be carefully scoped is consent. User consent may be a legitimate means to allow data processing so long as the consent is aligned with the primary purpose for which the consumer consented. In a number of privacy law frameworks, consent is treated as a permissible purpose (as an independent way to use and process data), yet time and again, we have seen that consent is obtained via dark patterns and is presented as a barrier. “Consent” is often obtained through sheer annoyance, consumer fatigue, or deception. It is often presented in a way that consumers do not understand, preventing meaningful consent and choice. This does not provide any benefit to consumers. The Commission should ensure that if consent is considered a permissible purpose, the consent much be informed and reflect consumer intention because this type of consent provides a benefit to consumers.

Another use that must be scoped properly is publicly available information (“PAI”). Data processors may obtain information from widely or publicly available sources but the Commission will need to ensure that the purpose is scoped properly to prevent processors from making inferences that may reveal sensitive information based on PAI.

The Commission should find certain purposes unfair because they do not provide consumers with benefits that outweigh their harms. The Commission should not allow companies to determine their own legitimate business interest for data collection, processing, and use. A proper data minimization standard will not give companies carte blanche to define for themselves the purposes for which they collect, use, or process data because a business claiming to have a legitimate business interest is not a basis that provides any benefits to consumers or competition. The Commission should not permit the use of personal information for behavioral or targeted advertising purposes. The Commission should ensure that personal information collected for an unrelated purpose will not be used to profile consumers in order to target them with advertisements. Similarly, the Commission should not permit the use of selling or sharing personal information with a data broker. This use provides consumers with no benefits that outweigh its harms. Finally, the Commission should prevent companies from retaining personal information for longer than necessary. These retention periods subject data to breach and other security risks and future out-of-context secondary uses, harming consumers.

Conclusion

The biggest impact that this type of rule will have is that the entities that use our personal information in out-of-context ways, such as data brokers, will be unable to profile consumers in ways unrelated to why a consumer used an online service. The rule will limit the harmful practice of brokering, selling, or sharing personal information unrelated to the primary collection purpose and accordingly limit harmful surveillance advertising. Establishing narrow permissible purposes will allow the FTC to carve out certain permissible narrow secondary uses when the Commission determines that there are benefits from those uses. This standard is particularly well suited to the unfairness test and how the Commission is supposed to craft rules.