State governments and federal regulators have a role to play in setting data protection regulations, so long as...
it doesn't stifle innovation, said Massachusetts Attorney General Maura Healy.
"As we encourage innovation and encourage growth, we need to protect people," she said. "We need to watch out for the real potential for big data and analytics to reflect and perpetuate illegal discrimination."
Healy's comments on data protection regulations came during a forum hosted at MIT, organized by her office. She said she and her office are primarily concerned about big data being used to target vulnerable and disadvantaged people with risky products, such as payday loans, and to set prices for products higher for certain customers, depending on where they live or their browsing habits.
Big data fundamentally shifts power away from consumers and toward businesses, Healy said. This isn't necessarily a bad thing, but for Healy, it becomes an appropriate area for government action when businesses start engaging in deceptive and discriminatory practices.
"This is a rapidly changing frontier that raises thorny issues," she said. "Our job is to help address those concerns."
The Wild West of data privacy regulations
Currently, the issue of data privacy is largely unregulated in the United States. Certain sectors, such as healthcare and finance, face restrictions on how they can use their customers' data, but beyond that, there are few rules. The situation is unlikely to change anytime soon, at least at the national level. President Barack Obama sent legislation to Congress in 2012 and again in 2015, known as the Consumer Privacy Bill of Rights, but it was never acted on. Lack of action at the national level on data protection regulations makes this a ripe field for state authorities, which are typically less divided than national ones.
"We need federal legislative leadership, and Congress is not doing its job," said Quentin Palfrey, former senior adviser for jobs and competitiveness in the White House Office of Science and Technology Policy. "The best tools for dealing with a rapidly evolving and hard-to-regulate environment are not available to us."
He said regulations passed by state legislatures and actions by state attorneys general are the second-best options for dealing with big data privacy and consumer protection issues.
But not everyone at the forum thought more regulation of the space is needed. John Doherty, vice president of state policy and products, and general counsel at the tech industry lobbying organization TechNet, said states should not get involved in regulating how businesses use consumer data. In his view, this would create a patchwork of rules that vary from state to state, which would make it difficult for enterprises to operate nationally. International businesses already struggle to comply with data privacy regulations that vary from country to country. To Doherty, more state-level regulations would only magnify this problem.
More consumer education is needed
He added that decisions about privacy issues should be left to consumers. They should be educated about how businesses collect, store and analyze their data, and make their own decisions on what they feel comfortable with.
"Laws and regulations definitely are an important framework for setting the ground rules, but if we can't do a good job of educating the customers on what's happening with their data, it's going to be a real issue," Doherty said.
The businesses represented at the forum shared this view on educating consumers. Sarah Holland, senior analyst at Google, said her company publishes its privacy policies in plain English in an effort to inform users of how Google uses their data. Certain Google services also prompt users to do periodic privacy checkups.
Dipayan Ghosh, privacy and public policy adviser at Facebook, said the social network has internal privacy teams that work with product developers and advertising teams to ensure that privacy is considered at every stage. The company also publishes its privacy practices in an effort to be as transparent as possible.
"We really see the absolute importance of trust for our users," Ghosh said. "The best way to do that is to give them absolute transparency and control about the types of data we collect and share."
Learn what data privacy regulations your enterprise needs to follow
Health privacy regulations affect more industries than you'd think
International privacy laws can make compliance tricky