Focus on data privacy policy and enforcement

Highlighting public policy attention to rising expectations for consumer data privacy protections.

Key points

  • Data breach and data sharing incidents have focused attentions on consumer protection in the collection, use, and retention of consumer information.
  • Momentum is building toward federal privacy legislation, spurred by an array of state activity, including the California Consumer Privacy Act (CCPA), as well as global activity and standards under regulations like the E.U.’s General Data Protection Regulation (GDPR).
  • Utilizing the Federal Trade Commission’s (FTC) Section 5 consumer protection authority and in keeping with the focus on data sharing practices, the FTC is requiring large companies in the broadband industry to provide information on their consumer data privacy policies and practices; the information will inform the FTC’s supervisory examinations.
  • The FTC is holding hearings to assess whether changes in technology, business practices, and consumer expectations necessitate changes to data privacy laws, enforcement, and policies.

High profile data breach and data sharing incidents have placed a spotlight on how consumer data is shared and utilized. Consumers now have a heightened awareness of the value in their personal information and are concerned about its collection, use, and retention. Public policy attention is focused on enhancing data governance and consumer protection frameworks.  Recent actions are highlighted below:

  • Under FTC Section 5 authority (unfair or deceptive acts or practices), the FTC issued orders to seven U.S. internet broadband providers and related entities seeking information the agency will use to examine how broadband companies collect, retain, use, and disclose information about consumers and their devices. The requested information included:
    • Categories of data collected, why it is collected, how it is used, whether it is shared, policies regarding access, data retention terms, and whether it is aggregated, anonymized, or de-identified.
    • Notices and disclosures provided to consumers about data collection practices.
    • Consumers’ ability to opt-in or opt-out of certain data collection practices.
    • Procedures and processes to permit consumers to access, correct, or delete their data.

At present, the FTC actively enforces privacy issues through its Section 5 authority. In this regard, it has taken a case-by-case approach.

  • As part of a broader Hearings Initiative that has considered privacy issues related to Big Data, artificial intelligence, and the U.S. broadband markets, the FTC conducted a two-day public hearing with the purpose of comprehensively re-examining its approach to consumer privacy. The agency is interested in identifying gaps in its existing authority and assessing whether its current approach to supervision and enforcement sufficiently protects consumers. A sampling of the topics and questions addressed in the two-day hearing include:
    • The data risk spectrum – from de-identified data to sensitive individually identifiable data – and whether privacy protection should depend on the sensitivity of data.
    • Consumer demand and expectations, and whether privacy protection should allow for variances in consumer preferences.
    • Notice and choice, and whether consumers can be provided sufficient information to make an informed choice.
    • Access, deletion, and correction – and the extent to which consumers realize risks of information collection, aggregation, sharing, and use.
    • Accountability for data protection – and how to foster accountability in third parties that receive/use/share data.
    • Competition and innovation – and whether privacy interventions inhibit either competition or innovation, or change competition analyses.

The Hearings Initiative is designed to examine whether changes in the economy, evolving business practices, new technologies, international developments, or consumer expectations might require adjustments to competition and consumer protection law, enforcement priorities, and policy. The hearings remain ongoing, and the FTC encourages public comment through May 31, 2019.

  • An array of state activity, including the CCPA as well as global activity and standards under the E.U.’s GDPR, have spurred momentum toward federal privacy legislation.
  • The Administration, through the National Institute of Standards and Technology (NIST), is developing a voluntary privacy framework and, through the National Telecommunications and Information Administration (NTIA), is developing a set of core privacy outcomes to serve as the basis for federal actions on consumer privacy policies. (The Administration anticipates the FTC would have enforcement authority for consumer privacy except with regard to certain sector-specific laws.)  The core privacy outcomes include transparency, control, reasonable minimization, security, access and correction, risk management, and accountability.
  • A variety of states have started to introduce laws similar to the CCPA regarding consumer rights and transparency of use of consumer data. These states include Connecticut, Nevada, New Jersey, Hawaii, Maryland, Massachusetts, New Mexico, New York, North Dakota, and Rhode Island. As time passes, we are also continuing to see movement in the California legislature around potential revisions to the CCPA.
  • Representatives of global technology companies have expressed support for national standards covering data security and privacy and believe a national framework for consumer privacy is necessary.  They suggest this framework should be consistent, proportional, flexible, and encourage companies to act as good stewards of consumer information.

KPMG Perspectives

Expect increased regulatory and policy focus.  Personal consumer data abounds, and regulatory and public scrutiny of data management is increasing.  Organizations must take actions to address privacy as a business imperative, including enhancing enterprise risk controls while preparing for compliance obligations and the responsible use of data for competitive advantage.

Increase data and security controls.  Data privacy and security is an increasingly critical discipline for organizations, as data sharing, data access, and data protection risks and requirements evolve. Companies should embed data privacy and security programs throughout their organization and implement policies, procedures, and controls to manage and protect data maintained across the enterprise and held by third parties.

Drive individual consumer data and brand protections.  Customers expect authorization for, or transparency in, data sharing. Organizations must drive culture and associated business practices that demonstrate consumer choice and protection, privacy and regulatory compliance, and partner and third-party accountability and stewardship.

Plan for the long term.  Data privacy and security challenges change day to day so businesses typically do not have the capabilities in place to address real-time threats.  Rather than lag behind, organizations should be more than agile in how they support and fund privacy, security and information technology.  In addition, organizations should also remember that these threats are operational threats to all of the business; therefore, the entire c-suite is accountable for creating a customer-centric experience.

Please refer to these other KPMG point-of-view documents for additional perspectives on issues related to data privacy: 

Data Rich and Regulation Wary, Improving risk compliance in today’s data rich environment

Data Rich Governance, Keys to leading consumer data and information practices

Driving Change, The California Consumer Privacy Act

Funding technology at market speed, Learn about the need for dynamic investment in the future of IT

The Customer-Centric CIO, Customer experience should be at the top of the IT agenda