OKLAHOMA CITY – Attorney General John O’Connor joined a bipartisan group of 33 attorneys general calling on the Federal Trade Commission (FTC) to consider how consumers are being damaged by the unauthorized use of their private data.
“Consumers are victims of commercial surveillance by big tech companies who watch their transactions and movements and sell their behavioral and other personal data. This is called the ‘surveillance economy.’ Data brokers compile consumer profiles and sell them in ‘audience’ bundles,” said General O’Connor. “Selling our personal data harms Oklahomans. I am calling on the FTC to promote transparency and accountability to consumers to protect our online privacy.”
In a comment letter to the FTC, the attorneys general urge the FTC to acknowledge the sensitive nature of consumers’ medical data, biometric data, and location data, along with the dangers that arise from data brokers and the surveillance of consumers. The coalition also asks the FTC to consider data minimization, which limits the amount of data collected by businesses to only what is required for a specific purpose.
According to the letter, many consumers are not even aware that their location information is being collected, and when a consumer wishes to disable location sharing, their options are quite limited. The attorneys general recognize the sensitive nature of this information, which can reveal intimate details of daily life—such as where they live and work, their shopping habits, their daily schedule, or whether they visited the doctor or pharmacy. Laws passed in states like California, Connecticut, and Virginia that restrict the use and collection of location data can provide a framework to inform the FTC through the rulemaking process.
The coalition urges the FTC to consider the risks of commercial surveillance practices that use or facilitate the use of facial recognition, fingerprinting, or other biometric technologies. Many consumers provide this information to companies for security purposes or to learn about their ancestry, but consumers are not always made aware of when their data is collected, how it is used, or if it is resold for purposes to which they never meaningfully consented.
The FTC should also consider the risks of practices that use medical data, regardless of whether the data is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Privacy Rule. Medical data not necessarily covered by HIPAA is referred to as “health adjacent data,” which can be collected by many devices—for instance, smartwatches, heart monitors, sleep monitors, and health or wellness phone applications. The letter also highlights medical information risks through examples such as the storage of health-related internet searches, or appointment scheduling information being passed to others through online tracker tools.
The attorneys general reiterated to the FTC the persistent dangers of data brokers. Data brokers profile consumers by scouring social media profiles, internet browsing history, purchase history, credit card information, and government records like driver’s licenses, census data, birth certificates, marriage licenses, and voter registration information. Data brokers also use this information to create profiles of certain consumers—which can be purchased by almost anyone—based on susceptibility to certain advertising or likelihood to buy certain products. This scale of aggregation of anonymously gathered information can identify consumers and put consumers at risk of scams, unwanted and persistent advertising, identity theft and lack of consumer trust in the websites they visit.
The attorneys general say that it is vital that the FTC consider data minimization requirements and limitations. With respect to data collection and retention, the letter encourages the FTC to examine the approach taken in the California, Colorado, Connecticut, Utah, and Virginia consumer privacy laws which mandate that businesses tie and limit the collection of personal data to what is “reasonably necessary” in relation to specified purposes. Limiting the collection and retention of data by businesses will improve consumer data security as businesses will have less data to protect and less data potentially available to bad actors.
The letter was co-led by Connecticut Attorney General William Tong, Illinois Attorney General Kwame Raoul, Massachusetts Attorney General Maura Healey, New Jersey Attorney General Matthew Platkin, North Carolina Attorney General Josh Stein, and Oregon Attorney General Ellen Rosenblum and joined by the attorneys general of Arizona, Colorado, Delaware, Washington D.C., Hawaii, Idaho, Indiana, Iowa, Maine, Maryland, Minnesota, Michigan, Montana, Nebraska, Nevada, New Hampshire, New York, Oklahoma, Pennsylvania, Rhode Island, South Carolina, Texas, Utah, Vermont, Washington, and Wisconsin.