What's Missing from This Picture? Privacy Protection in the New Millennium
By Beth Givens, Director
To the National Association of Attorneys General Annual Conference (www.naag.org)
Thank you for the opportunity to speak to you today about consumer privacy. I am honored to be invited to speak.
Just a few words about the Privacy Rights Clearinghouse before I begin my presentation:
The PRC is a nonprofit consumer information and advocacy program based in San Diego, California. We were established in 1992 with grant funding from the California Public Utilities Commission.
We have operated a consumer hotline since then. I am convinced that the role of gathering data from the marketplace, which is essentially what we do when consumers contact us, is a vitally important part of consumer protection. I'm happy to talk about consumer education and consumer feedback during the question & answer period if you are interested.
In the few minutes that I have this morning, I will present three vignettes that I have called "What's Missing in This Picture." These are:
- Legislative Action in the Face of Strong Public Opinion Polls
- Critical Analysis of Industry Assertions
- Meaningful and Understandable Privacy Policies
What's Missing #1: Legislative Action in the Face of Strong Public Opinion Polls
These are quite extraordinary times. Poll after poll, even those conducted by industry, are showing unprecedented concern by the general public over the loss of their privacy. Here are just a few of the findings: www.privacyrights.org/ar/invasion.htm.
- One of the most compelling surveys was the Wall Street Journal poll conducted in the fall of 1999. Americans were asked what they feared most in the new millennium. Privacy came out on top (29%), substantially higher than terrorism, global warming, and overpopulation (no higher than 23%).
- In a 1999 Lou Harris-IBM Consumer Privacy Survey, comparing Americans to respondents in European countries, 94% of Americans think personal information is vulnerable to misuse. And 78% claim they have refused to provide requested data to a business because they believe it is too personal.
- The Lou Harris-Alan Westin privacy polls have been conducted each year since the early 1970s. Thanks to Robert Ellis Smith's excellent book Ben Franklin's Web Site (p.336), here's how those numbers have progressed. Today, nearly 90% of those polled are concerned about threats to their personal privacy. www.privacyjournal.net

| Year | Concerned about threats to personal privacy |
|------|---------------------------------------------|
| 1970 | 34% |
| 1977 | 47% |
| 1978 | 64% |
| 1983 | 77% |
| 1990 | 79% |
| 1995 | 82% |
| 1997 | 92% |
| 1998 | 88% |

- A 1998 AARP survey found that 81% of respondents opposed the internal sharing of customer data between corporate affiliates. www.research.aarp.org/consume/dd39_privacy.html
- The same poll found that 78% believe current federal and state laws are not strong enough to protect personal privacy from businesses that collect information about consumers.
But what is happening with federal and state laws, even in the face of unprecedented public support for strong consumer privacy protection? What's missing from this picture? You guessed it, pro-privacy legislation at the federal and state levels.
We all know why such legislation has failed - and I'll focus here on financial privacy legislation giving customers a right to affirmatively consent to both third party and affiliate sharing of customer data. Industry opposition to such legislation has been formidable, both in Congress and in the states where opt-in legislation was introduced.
The picture painted by the many financial services lobbyists was that their industry would be severely harmed by opt-in requirements. In fact, the whole booming economy might be jeopardized if consumers are given the right to consent up front to how their customer data is going to be used by affiliates and third parties.
What's Missing #2: Critical Analysis of Industry Assertions
That brings me to my second Missing Picture vignette. Industry representatives issued White Papers by Fred Cate, a panelist today, and John Dugan, who is speaking tomorrow. These individuals and industry lobbyists appeared before numerous legislative committee hearings to make the case that the opt-in approach would harm them, harm the economy, and even harm consumers.
Here are some of the points they raised. What's missing in this picture? (1) Critical analysis of the supposed harmful effects of opt-in. And (2) effective challenges from legislators, other policymakers, and consumer advocates to their assertions ... yes, including myself.
Here is an assertion often used by industry representatives:
"Opt-in costs more than opt-out." [Cate]
In my thinking, opt-in costs the same as opt-out. The business would provide a written notice to the customer on an annual basis and when individuals first sign up for services or add new services to their existing accounts. Such notices are provided whether the notice is opt in or opt out. One up-front notice with regular updates is all that is needed.
The financial industries have made the point that they must ask for permission each and every time they want to share customer data -- and that this is very costly. My response is that they do not need to do that.
Let's not forget something very important. "It's the new economy, stupid," to borrow a slogan from the 1992 Clinton campaign. We are living in an era in which consumers have an abundance of information at their fingertips. Financial services have many ways to introduce new services to their customers - the annual privacy notices, bill inserts, advertisements in the traditional mass media, the many specialized cable and satellite TV channels, and last but not least, web sites.
I question the need for fine-tuned personalization of solicitations without first obtaining the consent of customers to have their personal data used for such targeting. If financial institutions can make a good case for data sharing and personalization, their customers will flock to these services.
We only have to look to Internet start-up companies to see that many are not assuming that they have untrammeled use of consumer data. I'm impressed with how many of them are not even asking the opt-in versus the opt-out question. They are starting out with opt-in. Some have no interest in knowing the identities of those they pitch their ads and services to. They are using the anonymity model, and have developed ad delivery mechanisms that do not require knowing individuals' actual names. They simply know their consumer profiles.
Industry representatives often say that our economy is dependent on the free flow of information. I agree with this statement. But what they are really saying is that the free flow is of personal information. And I am not entirely in agreement with that assertion.
Again, because of the new web-based economy, there is a tremendous amount of information that is flowing into the hands of inquiring consumers. Given the numerous communications channels in use today, consumers have a multitude of ways to obtain information in order to make decisions about which products and services to use.
I think we need to challenge the industry assertion that the free flow of information that is so all important to the economy is indeed personally identifiable information. I think we can learn a great deal from the Internet start-ups that are not basing their business models on the flow of personal information.
I want to stress here that I am focusing on marketing uses of shared data. I am not talking about data sharing that is necessary for fraud prevention and account maintenance.
Here is another assertion of industry lobbyists:
"An opt-in system sets the default rule to 'no information flow,' thereby denying to the economy the very lifeblood on which it depends." [Cate]
It is not true that an opt-in system results in no information flow. Of course, information does flow for those consumers who consent to their personally identifiable information being shared with affiliates and third parties. Businesses can make very compelling cases for their "personalization" services. If they can promise privacy protection along with streamlined, personalized services, consumers will flock to their companies.
"Opt in provides no greater privacy protection than opt out." [Cate]
Fred Cate in his paper "The Fallacy of Opt-In" states that both the opt in and opt out approaches give consumers the final say about whether their information is used. The problem is that not everyone will receive and understand the opt out message. Under opt in, a customer's data is not shared unless the individual provides affirmative consent. That means informed consent. Without such consent, their data is not shared. But for many individuals under an opt-out system, their personal data will be shared without their having given their informed consent. Therefore, it makes little sense to assert that the privacy protection of opt out equals that of opt in.
By the way, I believe opt-out can approach the effectiveness of opt-in if a strong, ongoing consumer education campaign is implemented to make sure that consumers are aware of their opt-out options. I'm happy to discuss that further during the questions session.
"Consumers do not expect [to be given opt-out opportunities] ... when information stays strictly within the affiliated business units of a single corporate organization." [Dugan]
I think the AARP poll that I mentioned earlier provides a good rebuttal to this point. Four out of five of those polled opposed the internal sharing of customer data between affiliates.
What's Missing #3: Meaningful and Understandable Privacy Policies
Now, let me shift gears to talk about Internet privacy.
The vast majority of sites have Notice. And if the two principles of Notice and Choice are examined, only 42% of sites offer them. Where many of the sites fall down is in the principle of Access. They do not provide individuals the means to obtain a copy of the data held by the web-based company.
You are no doubt familiar with the voluntary regulation programs like TRUSTe and BBB-Online. Web sites that receive their seals of approval adhere to a set of principles established by those organizations. The FTC survey found that only 8% of the sites display a seal. Among the top 100 sites, only 42% are members of the voluntary regulation programs.
The next time you hear that industry self-regulation is successful because 90% of the most traveled websites have privacy policies, remember what is missing from this picture - that only 20% provide all four of the FTC's recommended principles, and that less than one in ten display the seal of one of the voluntary regulation programs. Based on the survey results, the FTC recommended in a 3-2 vote that legislation be passed to protect online privacy. www.ftc.gov/opa/2000/05/privacy2k.htm
But wait ... there's more (to borrow a common refrain from TV infomercials). Let's take a closer look at those four Fair Information Principles touted by the FTC. What's missing from this picture is that they're only half there. In 1980 when the OECD, the Organization for Economic Cooperation and Development, published their Fair Information Principles, they listed eight of them. In my mind, the strongest, most effective of the principles have been omitted from the FTC's list. These are collection limitation, purpose specification (secondary use), and accountability. (For more information about the Fair Information Principles, see www.privacyrights.org/ar/fairinfo.htm)
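
| FTC's 4 Principles | OECD's 8 Principles (1980) |
|--------------------|----------------------------|
| Notice | Openness |
| Choice | Use limitation |
| Access | Individual participation |
| Security | Security |
| | Collection limitation |
| | Data quality |
| | Purpose specification |
| | Accountability |
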
But wait ... there's more than just watered-down Fair Information Principles that is missing from this picture. Just how easy are these privacy policies to understand? It turns out they are, for the most part, downright unreadable and confusing. A reading consultant named Mark Hochhauser from Minnesota applied a standard reading test to ten top web sites. This was reported in the May 1st USA Today. www.usatoday.com
Doubleclick tested out at a graduate school reading level. Netscape was close behind at the 4th year of college. Excite tested at the 3rd year of college. And Yahoo, Hotmail, AOL, and Alta Vista tested out at the 2nd year of college. So much for the rest of us. Besides, even for those who do read at those levels, how many people take the time to read the privacy policies? I think the answer is "very few." I'm waiting for privacy policies to be as easy to comprehend as the nutrition labels on food packages.
In closing, I want to commend you on the work being done by NAAG and many Attorneys General throughout the country to protect consumer privacy. Thankfully, you are not missing from the picture that I have been painting for you this morning.
Thank you for your attention.