Katherine Watier

Georgetown University

Public Policy Toward Network Industries

December 14, 2002

Privacy Protection: Protect Beyond Simple Digital Behavior

For the past 30 years, various governmental entities, both US and foreign, have suggested a variety of privacy rules based on an intellectual foundation of “Fair Information Practice Principles,” which includes 5 core principles of privacy protection: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress. All of the policy formulated in the US has been based on these principles, and most of the policy debate in America began in earnest once it became clear that, for the continued growth and development of ecommerce, customers needed reassurance that the information that they gave out online (especially information such as a credit card number) would be protected and not shared with others without consent. The current policy discussion has highlighted the stark contrast between levels of privacy protection in the online and offline worlds and has raised issues about developing information privacy policies that protect consumers’ digital and real-life information sharing behavior.

Sensitive vs. Non-Sensitive Information & Opt-In vs. Opt-Out

There are two types of information that consumers are interested in having protected in an online context: information which is sensitive (for example, financial and health information), and that which is non-sensitive (address, age, sex). Companies that collect this information currently present one of two types of consent to a user before collecting, sharing or dispersing personal information. The first is opt-in, where the user must give express permission for the information to be used, and without the user’s permission, no data is collected. The second is opt-out, where users ask to be removed from the data collection process, and if they do not take action to be removed, their data is collected.

Choice, Notice, Access and Security

The structure of the data collection process has been shaped by a legislative discussion that is based on four fair information practice principles: Choice, Notice, Access, and Security. Notice outlines the responsibility that data collectors have in disclosing their information practices before collecting consumers’ personal information. Choice represents the customer’s right to be given options with respect to whether and how the information collected from them can be used for purposes beyond the initial reason for which the data was collected. Access stands for the customer’s right to view and verify the accuracy of the data that is collected from them. Security is the data collector’s responsibility for safeguarding the information that they collected from consumers and ensuring that the data is only used in the way in which the consumer has authorized it to be used. The Senate bill, S. 2201, “The Online Personal Privacy Act,” requires online operators to obtain opt-in consent before they collect, disclose or use sensitive information and opt-out consent for non-sensitive information.

Information Sharing Vs. Protection

Privacy protection is clearly a battle between the corporate desire to collect as much data as possible that could support marketing efforts and an individual’s desire to limit the distribution, sale and use of that information. This is not a simple dichotomy, however, for our society provides market benefits to consumers who participate in data collection efforts and limits the availability of services and discounts for those who do not share their information. The perfect example of this is the supermarket discount card, where consumers who participate in the card program receive what is marketed as “discounted” products…when in reality, cardholders are really purchasing those products at the regular price, and non-cardholders are charged an inflated price for the same good. In addition, for those consumers who participate, there is currently limited choice, notice, access or security for the information that they share – yet serious legislative discussions about information privacy have only recently begun to address how to regulate both the online AND offline use and distribution of personal information.

In defense of corporate interests, however, companies that DO have detailed personal information about their customers are able to target their marketing messages to consumers who are more likely to buy those products. With more information about the consumer, the marketing process becomes more efficient – saving the consumer time in researching products and reducing corporate marketing costs. The best example of this type of marketing model is Amazon.com’s personalized services, where users are greeted by name, offered products based on their purchasing and web browsing history, and allowed to conduct “one click” shopping after entering their credit card information once. It is clear that within Amazon’s model, the issue is not the benefit to consumers if the consumer information is used for making the Amazon shopping experience more efficient, but rather the amount of security deployed to ensure that Amazon consumer information is only used for Amazon purchases and that consumers are notified if the data is used for other purposes. There is also a large market for the selling of consumer information to other entities, and for businesses (especially online businesses) that rely heavily on advertising revenues, the profit derived from selling consumer information can be significant.

Encompassing both benefits to consumers and corporate interests lies the philosophical argument that the sharing of information has its own unique network effects. For example, products like the phone book are useful to all, but only because the vast majority of Americans have decided to release their information to be included within that product. Without mass public support for the sharing of that type of information, products like the phone book and the services that they provide would not exist.

The Policy Players & Policy History

Balancing the interests of individuals, corporations and the greater public good is the Federal Trade Commission (FTC), the regulatory body that has been spearheading the online privacy debate. With its focus on prohibiting unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce, it has jurisdiction over monitoring and supporting online commerce and therefore over the privacy issues that may impact ecommerce’s development. The policy discussion focused on protecting consumers’ personal data started in 1973, when the Department of Health, Education and Welfare issued a report on Records, Computers and the Rights of Citizens. In 1980, the Organization of Economic Cooperation and Development set in place its Fair Information Practices, which covered issues of: data collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability. In 1995, the Privacy Working Group of the National Information Infrastructure Task Force issued its Principles for Providing and Using Personal Information and set out a large number of principles which provide the intellectual basis for later legislation. Also in 1995, the European Union set forth its Privacy Directive, which became a source of negotiation and ultimately provided the intellectual background for the July 2000 agreement on a Safe Harbor for US companies doing business in Europe. Meanwhile, the FTC held workshops on online privacy in 1995, 1996 and 1997, and starting in 1998, began to conduct an annual survey of Internet sites’ privacy policies in an attempt to monitor the industry’s self-regulation of personal information.

The FTC was initially willing to let the industry develop standards on its own, but after three years of monitoring the effects of that self-regulation, the Commission submitted its third report to Congress, which showed that 40% of the most popular websites still did not provide consumers adequate notice and/or choice in relation to sharing personal information.[1] The 2000 Survey showed that 88% of all commercial Web sites displayed at least one privacy disclosure to consumers (granted, this is up from only 14% in 1998).[2] The Commission began to realize that self-regulation was not working as successfully as hoped, and enforcement of the guidelines was still an issue. Without an external body regulating the behavior of these websites, there was no enforcement mechanism in place for sites that posted that they would behave in one way yet did something else with the data they were entrusted with. FTC Commissioner Sheila F. Anthony suggested during the 2000 hearings that sites that upheld their privacy statements should be awarded a seal stating to consumers that their privacy statements have been tested and proven to be honest and not misleading. While this is a decent solution, it would still require that an external entity monitor compliance.

While S. 2201 is a substantial first step in the right direction for privacy protection, there are various issues with the scope and vagueness of the language within the bill. By and large, there is universal corporate concern about the scope of the legislation. As written, S. 2201 would hold Amazon.com to higher privacy standards than the local bookstore. In addition, the insurance and financial industries were concerned with the double and conflicting increased regulation that the bill would impose upon their practices. Most financial institutions were also supportive of a national regulation governing online privacy, as it would override the current smorgasbord of state laws that govern commerce and privacy within different states, but were concerned about how it would hinder the development of ecommerce by imposing conflicting privacy policies for online and offline commerce.

The Consumers Union provided the strongest comments in support of privacy protection legislation and of the consumer’s right to be able to opt out of the data collection process. No part of life is left untouched by data collection activities. As Frank Torres, legislative counsel for Consumers Union, testified during the hearing, “Financial and medical records, what you buy, where you shop, your genetic code, are all exposed in a privacy free-for-all. Complete strangers can, for a price, have access to your most intimate secrets.”[3] This is why privacy legislation should encompass online and offline enforcement as well as regulation.

Corporate and consumer interests are based on a valid argument. Is it really fair for consumers to be subject to two different privacy standards depending upon whether they conduct business online vs. offline? Perhaps it is time for information collected from consumers’ actions offline to be regulated and protected along with instituting online privacy protection legislation. With today’s practice of merging online and offline consumer data, there is even more of an incentive to institute legislation to protect an individual’s personal information. In regard to online commerce, 92% of consumers are worried about the misuse of their information. And those consumers who are not as focused on the use of their information offline should be. “An uninformed decision to deal with a vendor that disseminates personal information could have ramifications for years to come and that decision can not be retracted”.[4] It is clear that there is a need for a massive public education campaign to inform consumers about the impact of their information sharing activities. Consumers need to be provided with an honest assessment of how and when data is collected about them, the range of activities that their information might be used for, and how corporate actions involving their data might impact their future.

The vice president of Global Policy for Amazon.com, Paul Misener, illustrated this point clearly when he asked the Senate Committee to think about how the bill would not require some companies (those offline) to provide any protection for the “Tens of millions of American consumers with relatively low incomes and limited education backgrounds…It makes little sense to treat consumer information collected online differently from the same (or often far more sensitive) consumer information collected through other media, such as offline credit card transactions, mail-in warranty registration cards, point-of-sale purchase tracking, and magazine subscriptions.”[5]

Thomas Leary argued that the Commission should re-focus a part of its efforts toward educating customers about the benefits and potential risks associated with the collection and dissemination of their personal information. He argued that informed customers will ultimately be the more effective agents for the protection of online and offline privacy.[6] Both Misener and Leary bring up important points – the regulation of corporate action is not enough to ensure complete protection of consumer information. Consumers also need to be educated about who has their data, what the privacy policy is for those corporations that possess their personal data, and how, by sharing their information with that vendor, their information can be used for other purposes. This focus on consumer education and corporate culpability should occur wherever commerce and information collection activities take place - both online and in the “bricks and mortar” world.

Bibliography

Leary, Thomas B. "Online Privacy Act Testimony." Washington, DC: Senate Committee on Commerce, Science and Transportation, 2000.

"Statement of Paul Misener, Vice President of Global Policy, Amazon.Com." In Senate Committee on Commerce, Science and Transportation. Washington, DC: US Senate, 2002.

Swindle, Orson. "Online Privacy Protection Testimony." Washington, DC: Senate Committee on Commerce, Science and Transportation, 2000.

Thompson, Mozelle W. "Online Privacy Protection Testimony." Washington, DC: United States Senate Committee on Commerce, Science and Transportation, 2000.

Torres, Frank & Butler, David. “CU Urges Congress to Help Consumers Protect Privacy.” Consumers Union: Press Release. April 3, 2001.

[1]Mozelle W. Thompson, "Online Privacy Protection Testimony," (Washington, DC: United States Senate Committee on Commerce, Science and Transportation, 2000).

[2]Orson Swindle, "Online Privacy Protection Testimony," (Washington, DC: Senate Committee on Commerce, Science and Transportation, 2000).

[3]Frank Torres/David Butler, “CU Urges Congress to Help Consumers Protect Privacy”. Press Release. April 3, 2001. Consumers Union.

[4]Thomas B. Leary, "Online Privacy Act Testimony," (Washington, DC: Senate Committee on Commerce, Science and Transportation, 2000).

[5]"Statement of Paul Misener, Vice President of Global Policy, Amazon.Com," in Senate Committee on Commerce, Science and Transportation, Senate (Washington, DC: US Senate, 2002).

[6]Leary, "Online Privacy Act Testimony."
