Research is one of the cornerstones of good public relations practice. It is enshrined in our PR education, and, as anyone who has read an undergraduate PR textbook knows, research is the first step in the PR campaign process known as RPIE. Currently research in public relations is being affected by the popular phenomenon of big data, a research practice that uses large amounts of information, such as communication or purchase histories, to gain insight into human behavior and beliefs. Big data is unique in that the aggregate amount of data is so large that organizations need special analytics to store and analyze the data. The power of big data has been discussed in terms of its “V’s,” which according to Jain (2016) is: “volume,” “velocity,” “variety,” “variability,” and “value.” Each of these V’s speak to the larger point that big data’s power is predicated on obtaining a variety of large composite of information that is analyzed at a fast rate to provide insights that ultimately help organizations.
Big data can have big benefits. It allows for in-depth analysis of patterns within behavior, and it provides a level of insight that is valued by academia and industry alike. Big data is widely used in a variety of businesses, and its insights into behavior can result in increased profits. Because of the benefits of big data, there has been investment in big data research and infrastructure. However, big data research is coming up against legal issues of privacy, government regulation, international access, and increased criticisms of digital information gathering. Because of this, the role (and potential power) of big data may change, which will inevitably affect research in public relations.
Because PR practice is informed by research it is important for practitioners to know the legal issues surrounding research practice. This is perhaps even more important for issues in big data, because legal regulation suggests regulation not only includes how big data is gathered, but how it is used.
U.S. Federal Regulation of Big Data
Federal regulation of big data is done through a variety of statutes. To fully appreciate privacy in the United States it is important to note there is no one unified federal privacy law. Rather, privacy regulations come in the form of separate statutes and agency regulations. Some of the most well-known privacy laws are Health Insurance Portability and Accountability Act of 1996, commonly referred to as HIPPA. This statute protects patient information and controls the type of patient data that can be released. HIPPA pre-dates the big data movement (although it has been updated as late as 2013 in the Omnibus bill), and because of that the data in big data is restricted to conform to HIPPA regulations. Similarly, the Family Educational Rights and Privacy Act of 1974 (FERPA) regulates the privacy records of students in schools. This act also places limitations on data that can be obtained and used by third parties.
While federal statutes like HIPPA and FERPA regulate certain types of data, federal law surrounding big data goes further than mere collection. In 2016 the Federal Trade Commission (FTC) issued a report on big data that said big data use had the potential to harm low-income and “underserved communities” because it could be used to exclude those communities from “credit and employment opportunities” (p. i). The FTC noted that organizations using big data need to be aware of the regulatory limits that are in place, such as the Fair Credit Reporting Act (FCRA), the Federal Trade Commission Act (FTCA), and equal opportunity laws.
The FTC’s analysis focused on one particular aspect of big data usage, credit offerings. This is appropriate because big data is frequently used to determine purchase decisions, and consumer behavior is often used as part of the data set. Using big data to create promotional material to target specific audiences may be a violation of the law. The FTC noted that big data might be used to exclude certain populations from credit opportunities because companies that use big data may use social media usage, zip codes, or purchase histories to determine if credit should be extended to a certain consumer. Similarly, the FTC noted that laws such as the Equal Credit Opportunity Act, which is enforced by the FTC, disallows targeted promotions for credit opportunities to a select group of individuals based on a “protected characteristic” (FTC, 2016, p. iii). For instance, if big data suggested a particular geographic area was a good target area for credit offers then that could disproportionately impact a group based on protected class such as race, religion, national origin, sex, marital status, age, or the receipt of public assistance. Setting aside the focus on credit offers, this FTC analysis shows something deeper about how regulation may affect big data. Instead of focusing on the data collection itself, the FTC report suggests in the future there could be federal investigations and potential lawsuits over discriminatory use of legally gathered research (FTC, 2016).
To help organizations navigate the legal issues of discriminatory use of big data, the FTC gave some suggestions. Among these recommendations the FTC focused on use of big data in organizational decisions. The four recommendations focused on data set representativeness, biases within big data analysis, predictive power of big data, and biases that result from inherently discriminatory collection of data (e.g. using big data on distance from a job to determine employment contracts).
Of course, data collection of big data can also have potential federal legal issues. Even before big data became a trend in research the FTC has focused on user privacy issues in online commerce. The FTCA mandates that there is truth in advertising including statements about how data is used. The FTC stated that disclosures should be made to online users regarding how their data will be used and if it would be shared with third parties. In fact, privacy issues are something the FTC regularly monitors in a variety of contexts (FTC, 2017).
U.S. State Regulation of Big Data
It is tempting when following legal regulations of research to only focus on federal law. It is only natural given that federal law is the rule in all of the United States. However, one aspect of law that is frequently overlooked is state laws that regulate privacy. Frequently in the law states are the first legislatures that address issues that are later regulated by the federal government. These state laws can be influential, and some states’ laws can even become de facto national laws given the level of business conducted within their borders.
Big data is affected by state privacy laws, especially privacy laws to directly address online disclosures and record keeping. One example of a robust state privacy law is California’s Online Protection Privacy Act (CalOPPA), which went into effect 2004 and was amended in 2014. It requires websites to provide explicit privacy rights statements and allows users to know how their information will be used in the future. Other states, such as Alabama, Delaware, Oregon, and South Dakota have also begun to address privacy and data issues for employees of organizations as well (Litchfield, 2018). Of course, state laws have limitations, and sometimes these state laws can be superseded by federal regulation. In terms of big data it is important to note that big data collection and use is not just under the purview of federal statutes or federal agency regulations. States can go further in privacy regulation than the federal government, and large states, such as California and New York, are legal influencers because of their size and level of commercial activity.
International Issues in Big Data
Perhaps the most significant issue in big data is the changing privacy laws in Europe. In May 25, 2018 the European Union’s General Data Protection Regulation (GDPR) went into effect replacing the 1995 Data Protective Directive (DPD). This new law affects the E.U. and countries in the European Economic Area (EEA), and creates a new regulation for privacy in the digital age (Because of Brexit the United Kingdom has a separate Data Protection Act 2018 that mirrors the rules in the GDPR). The law has far reaching effects because it not only affects organizations within the E.U., but also applies to organizations offering goods or services to people residing in the E.U. Companies outside of the E.U. that have E.U. clientele are affected by the GDPR even though the organization is not headquartered or does not have offices in E.U. member states. However, the law has limitations. The data regulated by the GDPR is only that pertaining to individuals; it does not apply to data about organizations. In addition, the GDPR would not apply to an organization that did not directly target people in the European Union (European Union, 2018).
The privacy regulations of the GDPR are, according to Zarksky (2017), trying to “balance between the ability to engage in big data analysis to its fullest extent and the protection of privacy interests and rights” (p. 1002). The GDPR retains much of the old DPD provisions, but provides for increased fines for data storage, requires transparent privacy notices for users, mandates organizations provide notices within 72 hours of data breaches, and permits users to request deletion of their specific content. Additionally, users under the GDPR must receive certain information about how their data will be used, and users will retain the right to have their information removed and can request their data not be processed. (For more about GDPR Compliance see DiStaso and McAvoy’s IPR article here).
In terms of big data the GDPR has the potential to limit the type of data gathered by organizations. It also creates certain issues for data collection because individuals have the right to have their information removed from databases even after giving permission to have it included. However, the effect of the GDPR is debatable. Zarsky (2017) argues that the enforcement of GDPR compliance transnationally may prove difficult, and that organizations may take advantage of loopholes in the GDPR to still obtain data as before. Perhaps more importantly, the GDPR, as with any law, was written to anticipate future digital issues. Only time will tell if the law was prophetic enough to anticipate future privacy issues.
Future Issues in Big Data and the Law
Big data is an important form of research and it will be part of research for a long time. However, the legal issues affecting big data means that the practice of obtaining and using big data will evolve in the next few years.
Legal issues in big data are not just about how you gather the data, but how you use it.
This is perhaps one of the most counterintuitive legal issues in big data. Typically data collection involves the realm of privacy and proper disclosure. However, the first attempt by the FTC at discussing big data focused on improper use, not improper collection. Because of the public relations commitment to ethics PR practitioners are perhaps the best-equipped professionals to deal with the ethical dimensions of big data and its application. PR practitioners engaging with big data should be mindful of how the data is being used, and whether the data provides for inherently biased decisions. Data is used to inform, but what the ethical dilemmas in data analysis show is that it is up to individuals, not the data, to make decisions.
U.S Government agencies, especially the Federal Trade Commission, may become more involved with big data regulation.
The 2016 report by the FTC signals that there are more than just issues of inclusion and discrimination in big data. Given the current environment concerning privacy in light of Cambridge Analytica, Facebook, and the E.U.’s GDPR, it is a possibility that there will be tighter regulations of privacy online. In fact, within the GDPR is the E.U.-U.S. privacy shield, which monitors how data from the E.U. can be commercially used within the United States. It is important for PR practitioners to stay up to date on the legal developments of big data regulation. As mentioned above it is not just the federal government that is involved with privacy concerns. State laws are tackling some of the most important issues of online privacy, and it is important to be aware of legal trends at this level. Given the trends in privacy laws it is important for researchers (PR and others) to prepare for the potential that certain types of data may not be available in the future. As technology changes, new privacy issues emerge, and the legal rules governing privacy may become more clearly articulated by agencies and statutes.
European concepts of privacy may ultimately dictate how big data is handled in the United States.
As mentioned earlier the way the GDPR is written in way that has an effect outside of the E.U’s borders. Organizations with international users that live in the E.U. will be included in the GDPR requirements. Because the GDPR went into effect in May 2018 it remains to be seen how it will affect big data. Perhaps it will not be as severe of an impact as anticipated, but again only time will tell. However, like the U.S. federal statutes protecting patients and students, the GDPR will affect what type of information can be gathered, how it can be obtained, and what rights users have over their information.
What Does this Mean for Public Relations Practice?
Research will always remain a cornerstone of good public relations, and PR and other communication professionals will use a variety of data (big or not) in the future. Big data, like all data, has its benefits and limitations. However, it is important for a field, such as PR, that values the role of research in campaigns to recognize the legal/data/research issues on the horizon. PR practitioners should note that as the law changes so may the content of big data, and its role within an organization’s decision-making process. As the trends in privacy law show that communicating in a globalized digital world means that laws outside of a state or nations’ borders do have an affect. The law of big data does not exist as a concrete sets of rules, but as a myriad of regulations that are changing with the development of technology.
Cayce Myers, Ph.D., LL.M., J.D., APR is the Chief Legal Research Editor for IPR. He is an assistant professor in the Department of Communication at Virginia Tech where he teachings and researches public relations. Email him at email@example.com or follow him on Twitter @CayceMyers.
California Online Privacy Protection Act of 2003. Cal. Bus. & Prof. Code §§22575-22579 (2004).
Data Protection Act 2018. 2018 c 12 (2018). Retrieved from http://www.legislation.gov.uk/ukpga/2018/12/pdfs/ukpga_20180012_en.pdf.
European Union. (2018). 2018 reform of EU data protection rules. Retrieved from https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
Federal Trade Commission. (2016). Big data: A tool for inclusion or exclusion understanding the issues. Retrieved from https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-exclusion-understanding-issues/160106big-data-rpt.pdf.
Federal Trade Commission. (2017). Privacy & Data Security Update: 2017. Retrieved from https://www.ftc.gov/system/files/documents/reports/privacy-data-security-update-2017-overview-commissions-enforcement-policy-initiatives-consumer/privacy_and_data_security_update_2017.pdf.
Family Educational Rights and Privacy Act of 1974, 20 U.S.C. §1232(g) (1974).
Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996).
Jain, A. (2016, September). The five vs of big data. IBM Blog. Retrieved from https://www.ibm.com/blogs/watson-health/the-5-vs-of-big-data/.
Litchfield, J. (2018, May 14). Big Data Breaches Shine Spotlight on Laws Impacting Employee Data Protection [Web log post]. Retrieved from https://www.laboremploymentperspectives.com/2018/05/14/big-data-breaches-shine-spotlight-on-laws-impacting-employee-data-protection/.
The Data Protection Directive, Directive 95/46/EC (1995).
Zarsky, T. (2017). Incompatible: The GDPR in the age of big data. Seton Hall Law Review, 47, 995-1020.