
The White House Big Data Report: Highlights for Industry

Published: May 12, 2014

Updated: Oct. 05, 2020

On May 1, the White House released the findings of its 90-day study on how “Big Data” is transforming every facet of modern life. The report seeks to respond to one fundamental, farsighted question: how will Big Data transform the way people (and institutions) live, work, and interact?

The report makes six specific policy recommendations:

1. Advance the Consumer Privacy Bill of Rights

The report proposes that the Department of Commerce consult with stakeholders and draft legislation implementing the Consumer Privacy Bill of Rights.

2. Pass National Data Breach Legislation

The report calls on Congress to create a national standard for data breach notification along the lines of the Administration’s May 2011 proposal.

3. Extend Privacy Protections to non-U.S. Persons

The report calls on the Executive Branch to apply the Privacy Act of 1974 to non-U.S. citizens where practicable, which was among the recommendations of the President’s Review Group on Intelligence and Communications Technologies.

4. Ensure Data Collected on Students in School is Used for Educational Purposes

The report calls for restrictions on the use and sharing of information about students, particularly when gathered in the course of school activities. Similar legislation was recently passed by the California Senate.

5. Expand Technical Expertise to Stop Discrimination

The report calls on federal agencies to develop new technical expertise for identifying applications of Big Data that have a discriminatory impact on protected classes of persons.

6. Amend the Electronic Communications Privacy Act

The report calls on Congress to amend the Electronic Communications Privacy Act (“ECPA”) to apply a uniform standard for government access to records of electronic communications stored by providers.

Highlights for Industry:
  • Regarding online advertising, the report notes that many advertisers have provided privacy tools for consumers, but suggests that few users are aware of or understand the transparency and control features available to them. However, the report notes that “it is . . . possible that most of the public is not very bothered by personalized ads when they enjoy a robust selection of free content, products, and services.”
  • The report is somewhat critical of EU regulation of online tracking, explaining that “many European company websites now obtain a one-time explicit consent for the use of cookies—a solution that is widely acknowledged as clunky and which has been criticized in some circles as not providing the user the meaningful choice about privacy first envisioned by the [E-Privacy] directive.”
  • The report also notes the difficulty of developing a standard for responding to web browser Do Not Track signals. While noting that there may be growing interest in technical means for consumers to control collection of information about them, the report suggests that present inconsistency in how sites respond to DNT signals is muddling consumers’ expectations.
  • Companies that collect information about consumers’ offline activities drew special attention. The report suggests that, unlike online advertising companies, these companies provide consumers with little transparency or recourse to understand or contest information collected or inferred about them. The report also notes that the absence of a self-regulatory industry portal providing transparency and control for consumers “can be particularly harmful to victims of identity theft who have ongoing errors or omissions impacting their [predictive] scores and, as a result, their ability to engage in commerce.”
  • Companies using predictive scoring for marketing purposes (rather than eligibility, which in some cases would be subject to the Fair Credit Reporting Act) should be prepared for increased regulatory scrutiny of their practices, both with regard to the accuracy of predictive scores and whether the scores are proxies for membership in a protected class.
  • Providers should be pleased with the report’s language regarding ECPA modernization, although the report notably did not explicitly propose a uniform warrant requirement, leaving open the possibility for an exemption for federal agencies without the power to obtain a warrant.
  • A nationwide data breach notification standard would simplify compliance for companies that experience breaches, but state attorneys general can be expected to oppose any federal standard that they consider less comprehensive than that currently on the books in their states.

The report has received a lukewarm response from industry and privacy advocates, with some companies and groups expressing frustration with the report’s perceived emphasis on commercial practices at the expense of meaningful reform of government practices. The president of the Computer & Communications Industry Association said, “Frankly, channeling public outrage over NSA overreach into the debate around commercial privacy regulation is irresponsible.” Kevin Bankston of the Open Technology Institute asked, “Was this process ultimately a distraction that has needlessly taken focus away from the debate over how to rein in the National Security Agency’s massive surveillance programs?”