Big Data, Big Trouble? Privacy and Legal Concerns with Big Data

by Pillsbury Global Sourcing Practice

Google has figured out that I shop for a lot of children's clothing online, as my two children grow like weeds. Every time I launch a search, my banner ads link to brands that I have bought previously or similar brands that other consumers may have purchased. That is Big Data at work, as it is being used to identify other brands that I might be interested in purchasing based on shoppers with similar consumer profiles to mine. But let's say that the next banner ad I receive isn't for children's clothing, but is instead for an all-inclusive Caribbean vacation. Well, I have never searched for Caribbean vacations, why would this be turning up? Again, this is Big Data at work, because patterns in human behavior have informed Google that people with small children are likely good targets for a quick getaway vacation. This is an example of the value of Big Data in predicting individual consumer behavior based on the behavior of many.

"Big Data" is the somewhat uncreative but accurate term for the process of collecting, culling, and categorizing of data from diverse sources on a massive scale. Through the application of algorithms, companies are analyzing Big Data in order to see patterns in human behavior, and (most commonly) using it to develop targeted, individualized marketing. The primary goal of Big Data is to learn from a large body of information things that we could not comprehend when we used only smaller amounts. Recent trends point to an increase in the use of Big Data, but there are several cautionary points from a legal and privacy perspective to consider.

What are the uses of Big Data, and who uses it? The potential benefits are wide ranging, but can be categorized as follows:

How is this different than the statistical analysis that companies have been engaged in long before the advent of the Internet? Plenty of organizations have been handling and sifting through massive amounts of data for years. Why is the use of Big Data on the rise with no sign of slowing?

However, with the rise of Big Data, privacy and legal concerns have risen as well. Julie Brill, Commissioner of the Federal Trade Commission has voiced a number of concerns about privacy of consumers in the context of Big Data:
  • "De-Identifed" Information Can Be "Re-Identified": Data collectors claim that the aggregated information has been "de-identified," however, it is possible to re-associate "anonymous" data with specific individuals, especially since so much information is linked with smartphones.
  • Possible Deduction of Personally Identifiable Information: The non-personal data could be used to make predictions of a sensitive nature, like sexual orientation, financial status, and the like. FTC believes that collecting and using sensitive information requires more robust notice to the individual than non-personal information, which may not have been obtained as part of the initial consent.
  • Risk of Data Breach Is Increased: The higher concentration of data, the more appealing a target it makes for hackers, and the greater impact as a result of the breach. The notification requirements to individuals in the event of a breach vary from state to state, but it can very quickly add up to a substantial cost to an enterprise. As a result of this potential cost exposure, companies may need to invest in increased security and insurance to protect their data assets.
  • "Creepy" Factor: Consumers are often unnerved when they feel that companies know more about them than they are willing to volunteer. There is a sliding scale between tangible benefits that consumers appreciate (e.g., loyalty programs, rewards cards) and feeling that a company has stepped beyond personal boundaries (the anecdote of Target sending baby related coupons to a teenage girl before she had even told her immediate family members about her new bundle of joy still stands as the benchmark horror story of invasive marketing).
  • Big Brother or Big Data: Municipalities are using Big Data for predictive policing, and tracking potential terrorist activities. Concerns have been raised that such uses could become a slippery slope to using Big Data in a manner that infringes on individual rights, or could be used to deny consumers important benefits (such as housing or employment) in lieu of credit reports.
The general legal concerns about Big Data are just as complex as the privacy concerns. Naturally, determining which issues are of greatest concern to you or your clients is dependent on your role in the relationship - are you the data miner, analyzer, or licensee? As the laws and best practices still evolving, here are a few key issues to analyze and address when you or your clients are considering the use of Big Data:
  • What are your intellectual property rights in the data? Data analytics requires copying the data, so you will need to ensure that your ownership or license rights are sufficiently broad to cover the intended use with clear ownership rights in the data and any derivative work that is created from the data.
  • Who bears responsibility for inaccurate data? If a party relies on a pattern developed as a result of analyzing inaccurate Big Data, which party bears responsibility for the results? Since Big Data's very nature relies on a massive volume, there is almost always going to be some degree of inaccurate information included.
  • Have you obtained the appropriate level of consent from the individual? Make sure that any consent that you have obtained from the individual to use data covers your intended purpose, including licensing that information to another party. As a best practice, advocate for full disclosure to the individual about your use of their data.
The legal risks engendered by using Big Data are also complicated by the myriad of state and Federal laws that are staking out regulatory territory with regard to privacy issues. While Congress mulls over a standard Federal law to address data breach notifications, there are a number of privacy related Federal laws that address the use of certain types of data and end users, such as HIPAA and the Children's Online Privacy Protection Act. As noted above, the FTC has been vocal about its concerns with Big Data use, and has provided its own guidelines on data collection, including calling upon data brokers to provide consumers with more transparency on the use of their data. In addition, States are also weighing in with their own privacy laws (e.g., the California Online Privacy Protection Act). Finally, there are multi-country issues, as data privacy laws vary tremendously from country to country, with the EU imposing more onerous restrictions than the U.S. and higher burdens on companies in the event of a data breach.

Big Data can tell us many things, one of which is that perhaps we are not the mad cap, free spirits we might think ourselves to be. Our behavior in the aggregate is predictable. The benefits of deriving behavior patterns in Big Data are many, and there is the potential for even more as data analytics becomes more commercially available and commonplace. When considering the use of Big Data at your enterprise, advocate to 1) define clear ownership in the data with data collectors and individuals, 2) establish transparency to the individual with regard to the purpose and use of data, 3) tap into resources to monitor for State and Federal regulatory changes, and 4) avoid "creeping out" your customers.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pillsbury Global Sourcing Practice | Attorney Advertising

Written by:

Pillsbury Global Sourcing Practice

Pillsbury Global Sourcing Practice on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.