From: Deborah Pierce dsp@eff.org Deborah Pierce, Staff Attorney November 30, 1999 Secretary Sent Via Electronic Mail
Dear Sir or Madam, Thank you for giving us the opportunity to submit additional comments in reference to the Public Workshop on Online Profiling that was held recently in Washington DC. The Electronic Frontier Foundation (EFF) believes that several points were not adequately addressed at the workshop and therefore additional clarification is required. First, there needs to be further discussion about what constitutes "effective notice" and whether self-regulation is still the correct method to ensure that effective notice is provided to consumers. Generally, privacy advocates did not feel that the notice contained in privacy policies was effective enough to protect consumer's privacy. Marketing companies on the other hand, believed that the opportunity to "opt-out" was more than reasonable to protect privacy and still promote business needs. Second, the study presented by Dr. Alan Westin needs to be thoroughly examined to clarify some of the ambiguities presented by the data, as well as the apparent bias present in the questionnaire that was used to conduct the study. Lastly, we wish to comment on the question that was asked over and over at the Workshop, "what is the harm consumers suffer by receiving 'targeted marketing' ads?" After all, even US Department of Commerce Secretary William Daley stated in the opening address that we are a nation of "shoppers" and we like to get personalized service. Trying to reach a resolution on this issue is difficult since in general, people think that issues surrounding identity are critical, yet we as a society have not yet had a full discussion about it. Effective Notice and Self-Regulation Two of the main issues identified at the Workshop were that consumers do not always receive effective notice about how personal information is being gathered about them as they travel through cyberspace, and whether self-regulation is the proper vehicle to continue to protect consumer interests online. Many of the companies who presented in the morning discussed the types of information that they collect and the purposes for which they use this data. Some collect only information that is not personally identifiable while others collect personally identifiable information. Privacy interests are implicated even for non-identifiable personal information because as it was pointed out, triangulation is inevitable. Privacy policies for the most part have been ineffective at providing effective notice to consumers about these eventualities. They should nevertheless be regarded as the absolute baseline for privacy protection online and ideally should provide all of the protections outlined in fair information practices guidelines. Corporations that gather and use personal information should implement more comprehensive privacy policies in addition to any additional legislation that is passed by Congress or the states. Right now, privacy policies are often hard to find, and when present often contain only mere disclosures about how personal information will be used. Many times privacy policies are written in legalese, which only adds to consumer confusion. These types of privacy policies do not offer the consumer any meaningful way to protect their privacy online. So much information can potentially be tracked and collected about consumers that privacy policies must include as much information in them about data collection and uses as possible so that consumers can make an informed choice about whether they want to share information with a particular company or not. Privacy policies should also explain how consumers can access information that is collected about them. This iscritical. Without access, consumers will never know where any incorrect information gathered about them came from and how to ensure that any misadventures that they suffered as a result of the use of incorrect information don't happen again. The policies should be written in clear language so that they are easily understandable and they must be prominently displayed on the front page of the web site. The situation is similar with regard to banner ads. The US Government's Chief Counselor for Privacy, Peter Swire, commented that information from a consumer's visit to a primary web site is sent to the owner of the banner ad present on the page. People in general do not know this. Privacy policies rarely if ever cover how information is collected through banner ads. Information should be included in privacy policies or elsewhere so that consumers know how banner ads work so they can decide if they want to click on one or not. Another important question regarding protecting privacy online is who should be responsible for shouldering the burden of helping to keep private information private? It is our position that the responsibility should rest with companies who want to use data collected about individuals. Opt-out provisions do not leave the consumer in control; they inappropriately place the burden of protecting personal data on the consumer, who may or may not be net savvy. Opt-in, while more costly to business would give consumers much greater control simply because the default is that the data can't be used without permission. FTC Chairman Robert Pitofsky stated at the Workshop that he was not opposed to targeted marketing so long as the consumer remained in control. He also stated that one of the goals was to develop consumer confidence. One of the best ways to do that is to educate the consumer about data that is collected and used and then to give that consumer control over the personal information about her that has been collected. Self-regulation has not yet given consumers much control over their information. Privacy policies are not prevalent and personal information is still being collected without notice and consent. Access is often times not granted to the consumer. The harsh reality is that regulation is likely needed over and above getting corporations to draft better privacy policies. There must be a mechanism to constrain corporations from gathering as much information about consumers as they can just because technology provides an easy means to do so. More thorough privacy policies, and regulating data gathering processes may help to bolster consumer confidence and therefore make people more inclined to participate in electronic commerce. Study: "Personalization and Privacy: What Net Users Want
How "Targeted Marketing" Harms Consumers Consumers suffer real harm as a result of the use of targeted marketing. It is not the ads per se that harm the consumer, but the use of all of the individual pieces of personal information that were gathered and combined in order to put together a specific targeted ad. The harms that people suffer as a result of the targeted marketing process are numerous. Some of the harms include electronic redlining; particularly when companies are able to match online and offline data into one file. Identity theft cases are increasing resulting in more cases of destroyed credit ratings, people being turned down or fired from jobs or being falsely arrested for crimes they did not commit. When people realize how much personal information is being gathered and used to construct profiles they may be less inclined to post to newsgroups and less inclined to seek out information, especially if that information is of a sensitive nature. As mentioned before in our previous comments on profiling, the 10th Circuit Court recently found that corporations have a First Amendment right to "consumer proprietary network information" (CPNI) that trumps a consumer's privacy right in that same information. That means every phone number that a consumer calls and the duration of that call whether it is to a particular doctor or psychologist, or friends and relatives, are available for marketing purposes and can be used to create a better profile. It has often been said that people are stripped naked on the Internet and that we should get over the fact that we have no privacy on the Internet. This viewpoint does not take into account the harm that befalls consumers as well as society as a whole. If people are fearful that they are being tracked without their knowledge and that this information is shared with others without their permission, people tend to conform to accepted or "normal" behavior. Taking away an individual's uniqueness is a way that people can be broken down. We have many examples of this in our society. Soldiers are given identical haircuts and uniforms so that they all look the same. Their individuality has been taken from them on the theory that this makes better soldiers. The same is done to inmates at prisons; their identity is taken from them so that they become easier to manage. There have been countless news articles in the press recently that illustrate the consequences of looking or acting different than what is considered "normal." Students have been suspended or expelled from school for no other reason than because they have blue hair, wear black clothes or because they have web sites that school authorities don't approve of. Some students fight back with lawsuits, but we do not know how many others break down and conform their looks or actions to what is accepted in order to avoid being suspended or expelled. The use of profiles to determine who should receive a certain advertisement for a particular service and who should be excluded from the pool promote conformity among consumers. Sameness is not what makes our culture so vibrant. It is our uniqueness that makes it possible for many new ideas to flourish. For these reasons we must put in place mechanisms to protect personal information online. Conclusion As stated in EFF's original comments, the proliferation of new corporate databases filled with personal information used to construct profiles and which is shared and sold without consumer notice or consent is undermining consumer privacy, with potentially severe consequences. Lack of controls on how information is shared or sold contributes to the decrease of privacy for consumers. The continuing loss of privacy due to better abilities to profile without any more privacy protections being put in place harms individuals by inhibiting them from participating in commerce and society. Self-regulation as the only means to protecting consumer privacy on the Internet is not realistically the best method to protect privacy. Ultimately, we will need to employ consumer education programs and legislation as well. Thank you again for allowing us to submit additional comments. Please feel free to call me at 415-436-9333, x106 if I can be of any further assistance. Sincerely, Deborah Pierce CC: HQ.DCMAIL4(MLANDESBERG) |