When Facebook bought online messaging service WhatsApp in February, it raised some unexpected concerns about big data and privacy. WhatsApp built its user base on the premise that it would not collect user data for the purposes of marketing. Facebook, on the other hand, has a very different business model, which relies on analyzing user data to deliver targeted ads.
In March, the Electronic Privacy Information Center and the Center for Digital Democracy filed a complaint with the Federal Trade Commission (FTC) on behalf of WhatsApp users, stating that the privacy practices of Facebook are incompatible with the expectations of WhatsApp users.
"WhatsApp built a user base based on its commitment not to collect user data for advertising revenue," the complaint states. "Facebook routinely makes use of user information. The proposed acquisition will therefore violate WhatsApp users' understanding of their exposure to online advertising and constitutes unfair and deceptive trade practices."
It's unclear what the outcome of the complaint will be or if the FTC will take any action. But the Facebook-WhatsApp deal shows that not all online data is created equal, and businesses that are looking to get into the customer analytics game need to think about where their data comes from.
The state of big data privacy law
There are relatively few laws concerning data privacy. There is the Health Insurance Portability and Accountability Act (HIPAA), which mainly lays out security standards and practices for healthcare data. The Gramm-Leach-Bliley Act (also known as the Financial Services Modernization Act) includes a privacy rule that requires financial institutions to explain their privacy practices to customers and give customers an opportunity to decline to have their data shared with other institutions. But beyond health and financial data, there are no specific laws governing commercial data collection or use.
The big thing for corporations is they need to know what data they have, they need to know where it came from and they need to know what rules they've agreed to with respect to that data.
Timothy Keller, partner, law firm Lindquist & Vennum
But as the Facebook-WhatsApp acquisition makes clear, businesses can still find themselves in hot water for their data gathering practices. There is a significant gray area in established law that courts and regulators are trying to clarify.
Timothy Keller, a partner at the Minneapolis-based law firm Lindquist & Vennum, said lawmakers and regulators haven't done a good job of wrapping their arms around new technological developments, which is partly why data privacy laws are unclear.
Established case law gives companies wide leeway when it comes to data collection and analysis. Keller pointed out that several individuals have tried to sue companies for violating privacy policies. But courts have consistently ruled in these specific cases that any violation of privacy policies did not result in actual damage to the individual. Additionally, any single person's data alone has no value on its own; it is only valuable in the aggregate. Therefore, courts have ruled that businesses don't need to reimburse individuals for using their data.
But the FTC is stepping up enforcement of what it sees as unfair and deceptive trade practices around data collection and analysis, as in the Facebook-WhatsApp case. Keller said all of this means businesses need to follow good data governance policies. Even if there is no specific law against a particular practice, it is best to avoid the gray areas entirely.
"The big thing for corporations is they need to know what data they have, they need to know where it came from and they need to know what rules they've agreed to with respect to that data," Keller said. "Otherwise they're absolutely going to run into a problem."
The role of self-regulation
While federal data privacy laws remain murky, some organizations aren't waiting around for the waters to clear. Mike Zaneis, executive vice president of public policy at the Interactive Advertising Bureau (IAB), said consumers generally have privacy expectations that go beyond the minimum requirements of law. Also, those expectations are changing as technology evolves, and there is little chance of government regulations keeping pace with the changes, Zaneis said.
The IAB, a trade group based in New York, participates in a self-regulatory program known as the Digital Advertising Alliance. The alliance develops guidance for online marketing companies on how to use consumer data in ways that are consistent with consumers' expectations. It also produced AdChoices, which provides Internet users with a link within a Web advertisement that allows them to see what kind of information is being gathered from them and to opt out of further tracking. The feature is currently enabled on hundreds of sites.
Zaneis said the guidance and AdChoice are intended to enable the industry to navigate the unclear regulatory environment by helping consumers understand exactly how they are being tracked. That allows consumers to feel more comfortable with how their data is being used and minimizes the likelihood of complaints, he claimed.
"We all know customers don't read privacy policies, and when they do, they can't understand them," he said. "When we get into the squishy area of privacy, some people are very [concerned] and some people aren't."
Changes coming for big data and privacy laws?
The White House is currently embarked on a 90-day review of big data privacy laws, and there are presently several bills before Congress dealing with big data and privacy, including the Personal Data Privacy and Security Act of 2014 (currently before the Senate Judiciary Committee), the Data Security Act of 2014 (currently before the Senate National Security and International Trade and Finance Committee) and the Data Security and Breach Notification Act of 2014 (currently before the Senate Committee on Commerce, Science and Transportation).
Read more about big data and privacy
See how privacy considerations impact the cloud
Learn how to manage big data privacy concerns
Read about innovations sparked by big data privacy fears
But even with the attention data privacy is receiving at the federal level, few expect any movement on privacy laws in the near future. Martin Hack, president and CEO of big data analytics software vendor Skytree Inc., said new laws regulating the collection of data would be difficult to implement at this point because there is no way to untangle the issue of data ownership. Companies buy large data sets from data brokers that may have collected the information from countless sources. Determining who, if anyone, broke data collection rules in such chains would be impossible.
Regulating the use of data may be more feasible, but Hack still thinks it would be hard to get anything passed. Data collection and analysis has become an integral part of what so many businesses do today, and new regulations on use could impede economic growth.
"This might be something that has to be taken on by the government and industry at the same time, but we don't want to put too much burden on compliance," he said.
Zaneis said he thinks any new legislation would likely focus primarily on establishing data security standards, but he views new privacy regulations as unlikely. The IAB submitted recommendations to the White House in response to a recent request for information from the Office of Science and Technology Policy. In its comments, the organization said any new regulations would have to be focused on actual harms, like data breaches, in order to avoid choking economic development.
"I would say the likelihood of new [privacy] restrictions on the private sector is very slim. There hasn't been an identifiable harm that is ready-made for Congress to fix," Zaneis said.
But as the volume of data out there continues to grow and the analytics tools available for developing insights from data become more common, the need for privacy regulations may increase. Keller said the Facebook-WhatsApp acquisition shows how greater clarity in the regulatory environment could actually help businesses.
"Facebook will not be able to cope with these issues unless they can maintain those two bodies of information separately and know what they can and cannot do with their information," he said.