FTC’s Ramirez: New tech’s complexity leaves privacy basics unchanged

Online privacy issues have grown exponentially more complex in recent years with the growth of mobile and IoT technologies and big data, but consumer control and consumer consent need to stay center-stage, Federal Trade Commission Chairwoman Edith Ramirez said.

Online privacy issues have grown exponentially more complex in recent years with the growth of emerging technology and big data, but consumer control and consent need to stay top of mind, Federal Trade Commission Chairwoman Edith Ramirez said.

“I believe that consumer control remains paramount,” she told a luncheon audience at the Technology Policy Institute in Aspen, Colorado, Monday.

“Many consumer devices and appliances – from your Fitbit to your fridge to your thermostat – are silently talking to one another, collecting data, and transmitting that information to various third parties,” Ramirez said. These new technologies were threatening the traditional consent model of privacy and creating challenges to policymakers and consumers alike.

“In a world of connected devices, consumers often do not know which companies are doing what,” she explained, adding that a mobile device was made by a manufacturer, run by an OS, connected by a carrier and populated with apps.


“Given the multiplicity of actors involved,” she asked, “how can consumers possibly understand where their information is going and what it is going to be used for? And does this complex ecosystem allow companies to pass the buck to avoid accountability for privacy and security failings?”

As a result, she said, “we hear with increasing frequency the claim that technological innovation and big data have rendered certain fundamental tenets of privacy, particularly the idea of consumer consent, outdated and ill-suited for today’s digital world. I disagree.”

One way the FTC was seeking to meet the challenge was by broadening the definition of Personally Identifiable Information, or PII. Because of the proliferation of data sources, even anonymous data could be de-anonymized by cross-checking it with other information sources.

“We now regard data as personally identifiable when it can be reasonably linked to a particular person, computer, or device,” she said. “In many cases, persistent identifiers, such as device identifiers, MAC addresses, static IP addresses, and retail loyalty card numbers meet this test.”

She said device manufacturers and other consumer-facing companies should improve customers’ “ability to manage and express their privacy preferences” through things like “set-up wizards and settings menus … as well as dashboards where consumers can revisit and modify their choices.”


She called on behind-the-scenes companies like ad networks and data brokers to respect consumer preferences and avoid using technologies and practices — like so-called “supercookies” — designed to get around or obviate them.

Technological innovations like data tagging are another way of meeting these new challenges, she said. “Under this approach, consumer preferences could attach to and travel with data. This could be particularly useful as data is passed from consumer-facing entities to data brokers, ad companies, and others.”

Finally, Ramirez urged the growth of what she called “privacy intermediaries … to facilitate communication of privacy preferences between consumers and businesses” through things like feedback loops and rating systems.

“Imagine a privacy app that allows me to create an account, specify what information I would like to share, and have companies compete for my business,” she said.

Written by Shaun Waterman
