Require Express Consent to Collect Data

The FTC framework also suggests companies be required to obtain “express content” when collecting “sensitive data,” such as health and other data regulators might deem most subject to abuse.[i] Given the use of a wide range of data for profiling of the financially vulnerable online, such explicit consent should extend to almost all data collected by data platforms beyond the most basic, publicly accessible data about individuals.  Detailed and explicit “opt-in” consent should be required for any use of user data with specific express consent required for any change or new use of the data in the future. 

While data platforms may express worries that such consent rules will deter use of their services, the very reluctance of consumers to invest the time to complete the process of giving such consent would actually serve a positive purpose in encouraging big data platforms to create economic incentives for users to do so.  Tight "opt-in" consent requirements create in my view a "friction" point where people stop and may negotiate a better price for their data.   By jumpstarting a real market for user data, it would open up more space for new companies to compete on incentives at that point of friction and potentially encourage all data platforms to either better protect privacy or share some of the profits of the industry directly with users.  Limiting such an opt-in requirement for sharing data to larger, dominant players could avoid the problem that general opt-in requirements might lead to users favoring large players to avoid the transaction costs of dealing with multiple, smaller players for their online needs. [ii]

[i] FTC Protecting Consumer Privacy report. at viii.

[ii]  See James Campbell,Avi Goldfarb and Catherine Tucker, Privacy Regulation and Market Structure, Working Paper, December 9, 2011 at 2, http://ssrn.com/abstract=1729405 (arguing that general privacy rules favor larger companies)