In my last few posts, I’ve been focusing on how the rise of social media has forced regulators both here and in the EU to revise their definitions of personal data. With the new emphasis on data that can be “reasonably linked” to an individual, companies may soon have to extend their security controls over a broader range of consumer information. Interestingly, just as the amount and breadth of personal data are increasing, another almost opposite regulatory requirement is looming on the horizon.
In the FTC privacy guidelines report that I’ve been referring to recently, the agency’s Commissioners refer to a “right to be forgotten”. This is not a legal right in the US (yet). But the concept that data should have a natural shelf life and not be retained longer than necessary is reflected in the language of the report’s framework, which calls for “reasonable collection limits” and “sound retention policies”.
Translation: Companies should delete data they no longer need and also allow consumers to access the data and, under “appropriate circumstances”, purge or suppress it.
Keeping in mind that these are guidelines and best practices, there’s a great hypothetical case study in the FTC report for the mobile space. The Commissioners point out that GPS-generated location data, which is often monitored and saved by smartphone apps, should be treated as identifying information. The reason? Geo coordinates can be used to re-identify customers when connected with other “disparate bits of information”.
In this particular example, the FTC suggests that mobile software companies should limit their retention of business data—say check-ins to a restaurant—and also their sharing of it with third parties.
As I’ve been pointing out, public data on the web, especially on social sites, actually expands the amount of corporate consumer data that would fall under the “reasonably linked” definition. And this new FTC approach to retention means that more data is now a candidate for deletion as well.
Back in the EU, the right to be forgotten is an important part of the planned update to the Data Protection Directive. Unlike in the US, it will have the weight of law as EU member countries implement the new rules over the next few years. It will give citizens the right to delete data on request.
In the US, the FTC report may provide clues as to what may be coming out of Congress. The McCain-Kerry Commercial Privacy Bill of Rights, which is currently stalled, does have provisions for data retention limits of personally identifiable information (PII) and other information that may be reasonably used to identify an individual. It also gives consumers some control over their data: they can request that PII and other information be made unidentifiable or not usable. This is less strong than the EU’s right to be forgotten, but it would still require US companies to at least find personal data and then corral it.
The writing is on the wall for US companies: those that implement the FTC best practices for data deletion will be in a much better position when either McCain-Kerry’s Bill of Rights or another law is passed that makes consumer data retention limits and deletion not just a good idea for companies, but a legal obligation.