To Be or Not to Be — Is it Truly Anonymized Data? | Ethics Issue Alerts | Industry Insights | All MKC Content | ANA
Ethics Alert Series

To Be or Not to Be — Is it Truly Anonymized Data?

Share        

Background:

In recent years, consumer privacy has garnered a lot of attention and scrutiny from legislators and regulators. There have been many discussions and viewpoints expressed with regards to providing consumer choice (opt-in vs. opt-out), how best to provide transparency in your companies' policies/practices, and to ideally respect and honor consumers marketing preferences.

The latest alarm has been sounded by the Federal Trade Commission (FTC) regarding business practices involving anonymized data. The FTC has recently announced that it will go after companies that make false claims about "anonymizing data." The FTC cites significant research suggesting that anonymized data can often be re-identified and easily linked back to a particular individual. According to the FTC, it is not enough to say that your company uses anonymized data — you cannot make this claim if you are collecting enough data points that would allow you to re-identify the data and the person it's associated with.

In one study, researchers were able to uniquely identify 95% of a data set of 1.5 million individuals using four location points with timestamps. Why has this issue surfaced now? It is not a new issue but there is heightened concern over identifying the location of users which could be used improperly for sensitive health-related issues, such as reproductive rights resulting in potential significant harm to the user.

Kristen Cohen, acting associate director of the FTC's Division of Privacy and Identity Protection, has stated that "companies making claims about anonymization should be on guard that these claims can be a deceptive trade practice and violate the FTC Act when untrue... additionally if you over-collect, indefinitely retain or misuse consumer data then you can expect to hear from the agency." (MSN.com) The FTC will consider this to be a deceptive trade practice and will seek to enforce this under Section 5 of the Federal Trade Commission Act, the Safeguards Rules, Health Breach Notification Rule and/or the Children's Online Privacy Protection Rule.

This is an ideal time to pull together your internal team to review your privacy policy and your company information collection and use practices. Be sure to properly articulate what data you are collecting, how and why you are using and sharing it and that you are properly categorizing and identifying this information. You should also have systems in place for consumers to access data, and to provide and revoke consent for the use of data. Review the resources below to help guide you in this analysis:

Resources:

Examples of Anonymized Data Being Linked Back to Users:

Netflix contest: challenged contestants to create an algorithm that was 10% better than its current algorithm in predicting viewers' movie ratings. The data was anonymized but when compared to data from IMDb.com, researchers could identify the users based on their rankings. Netflix stopped this contest based on privacy concerns. (Forbes India)

Social media connections: researchers were able to correctly identify approximately 30% of users with profiles on Twitter and Flickr based on their direct connections. (Forbes India)

Examples of Companies Misusing Data:

(MediaPost and The National Law Review):

TikTok for alleged violations of wide-ranging data protection laws including the federal Video Privacy Protection Act for disclosing personally identifiable information about the videos people watch, and Illinois law regarding biometrics for allegedly collecting peoples' faceprints without their consent, resulting in a required change in the company's data and privacy practices moving forward.

Ad exchange OpenX for alleged COPPA violations and collecting location data from users who opted out, resulted in a $2 million settlement.

Kurbo/Weight Watchers for alleged COPPA violations and indefinitely retaining sensitive consumer data, resulting in $1.5 million in civil penalties, and an order to destroy any models or algorithms developed using children's personal information.

CafePress for its alleged failure to implement reasonable security measures, data retention practices, and respect consumers' deletion requests; resulted in a fine and instructions for the company to minimize its data collection practices.

Flo Health for alleged issues over data collection and use such as over-collection, indefinite retention, misuse, and improper sharing of consumer data, including allegations that the company shared app users' health information with third-party marketing and analytics services despite representations that the company would keep such information private.

Guidance and Principles:

"Legitimate advertisers should always strive to treat consumers fairly and with respect and to use ethical advertising practices," says Jordan Abbott, Chairman of the ANA Ethics Review Committee.

ANA offers marketing principles and guidelines to assist marketers in applying a common sense set of standards regarding providing transparency and choice in your privacy policy and how to treat sensitive information such as health-related information. Please review the following ANA guidelines:

III. TRANSPARENCY, ARTICLE 2. PRIVACY POLICY

Entities should make their data practices available to consumers in a prominent place...should be easy to find, read, and understand...how they can exercise choice regarding use of personally identifiable data and include the scope of data practices, collection, use and sharing, etc.

IV. CHOICE, ARTICLE 3. COMBINATION OF CONSUMER DATA AND DIGITAL IDENTIFIERS

An entity that combines consumer data with digital identifiers for marketing on non-affiliated digital properties should provide consumers with choice with respect to such practice by that entity.

IV. LIMITATIONS ON THE USE OF DATA FOR CONSUMER DATA-DRIVEN MARKETING

Data used for marketing should not be used for the following purposes:

Health Care Treatment Eligibility — determining adverse terms and conditions for or ineligibility of an individual to receive health care treatment.

VII. COMPLIANCE WITH LAWS, REGULATIONS AND CODES (IN GENERAL AND HEALTH)

Where applicable, entities should comply with the Health Insurance Portability and Accountability Act (HIPAA).

ARTICLE 5. LOCATION-BASED MOBILE MARKETING

Marketers sending location-based mobile marketing messages to recipients should inform individuals how location information will be used, disclosed, and protected so that the individual may make an informed decision about whether or not to use the service or consent to the receipt of such communications. Location-based information must not be shared with third-party marketers unless the individual has given prior express consent for the disclosure.

ANA Center for Ethical Marketing mediates consumer inquiries. If a company or a consumer believes a marketing promotion or practice is questionable and may warrant a formal review by the ANA Ethics Review Committee which receives and investigates consumer complaints, consumers and companies may file a complaint.

You may view our current and past reports for listings of companies that the Committee has found to be out-of-compliance. Our first step in the process is to reach out to companies with the complainant's concerns and request an investigation and response. The Committee's leading role is to bring awareness and education regarding industry standard practices. It is our experience that most companies resolve the matter fairly quickly. The Committee will only publicize its findings if the company has either responded that it will not come into compliance with industry standards or does not respond at all to repeated attempts to resolve the issue.

If you are interested in knowledge-sharing and connecting with other ANA members about this issue and marketing and ethics, there are different opportunities to get involved:

  • ANA Ethics Review Committee: This committee reviews and recommends actions on marketing and ethics complaints and educates companies and consumers.
  • ANA Ethics Policy Committee: This committee reviews pending activities at the federal and state levels; learns about best practices and key topics and provides input into guidance on related ethical standards and compliance issues.

If you have questions or want to get more involved in marketing and ethics, please contact ethics@ana.net. We look forward to collaborating with you in our shared efforts to ensure good business practices, consumer protection in the marketplace, and consumer trust by providing accountability.

Source

"ETHICS ALERT: To Be or Not to Be — Is it Truly Anonymized Data?" Lisa Brown Shosteck, ANA Center for Ethical Marketing, 8/31/22.

Share