competition-enhancing enforcement in privacy: a remedy for the anti-privacy market
DESCRIPTION
Competition-Enhancing Enforcement in Privacy: A Remedy for the Anti-Privacy Market. Chris Jay Hoofnagle Director, Information Privacy Programs UC Berkeley Law CWAG, July 20, 2010. Anti-Privacy Market. Companies do not compete on privacy Users do not read policies - PowerPoint PPT PresentationTRANSCRIPT
Competition-Enhancing Enforcement in Privacy:A Remedy for the Anti-Privacy MarketChris Jay HoofnagleDirector, Information Privacy ProgramsUC Berkeley LawCWAG, July 20, 2010
Anti-Privacy Market
Companies do not compete on privacy
Users do not read policies
They assume that privacy policies are seals
Even if read, consumers wouldn’t understand them
Privacy is a secondary product characteristic
Challenge
Plaintiff suits often fail for lack of financial harmMany are “gotcha” cases anywayIndustry group promises are unenforceable
AGs can play a central role in aligning business practices with reasonable consumer expectations
Focus enforcement actions on creating clarity around key privacy terms
Third parties and information sharingOpt outConfidentialityAnonymizationThe list brokers & data provenance
And allow firms to compete under policed definitions…
What is a “third party?”
No one wants to admit to sale of information to “third parties.”
Some companies use “affiliate,” “affinity,” “partner,” or “company with products we think will interest you” to obfuscate third party sharing.
Ann Taylor Privacy Policy
Will my information be shared? To respect your privacy, Ann Taylor will not sell or rent the personal information you provide to us online to any third party.
[…]
In addition, Ann Taylor may share information that our clients provide with specially chosen marketing partners.
[…]
Residents of the State of California may request a list of all third parties to which Ann Taylor has disclosed personal information during the preceding year for the third parties' direct marketing purposes.
http://www.anntaylor.com/custserv/custserv.jsp?pageName=Privacy
What does a “right to opt out” require?
Consensus: companies should provide notices and ability to opt out.
Reality: the incentive structure rewards companies for interfering with opt out.
Real world opt outs
Sometimes require a fax to provide personal information that the company doesn’t even have—Intellius.com
Sometimes require disclosure of all addresses—Victoria’s Secret
Sometimes requires data subject to be a victim of DV—Lexis
Sometimes requires bizarre request for paper opt-out request form—Acxiom.com
Many claim they won’t accept opt outs from “third parties”
Catalog Choice.org
Nonprofit environmental group helps consumers opt out of catalogs and list brokers
Makes verifiable opt out requests
Memorializes & tracks them1.2 million households have
submitted over 17 million opt-out requests to over 2,000 companies
Some companies filter & bounce emails that contain “opt out”
Some companies mail to opt out request email accounts
“Anonymization”
GoogleSearch strings:
Stored w/ account info
IP Addresses:Last octet deleted at 9 months
e.g. 99.27.133.XXXIP address intervention makes
user “anonymous” among 250 other users
Cookies:Hashing at 18 months
MicrosoftSearch strings:
Not stored w/ account info
IP Addresses:Full deletion at 6 months
Cookies:Removed, along with other cross-session identifiers, at 18 months
The list brokers
Impulsives, matures = new sucker lists
Datran Media Case
Datran bought lists from Gratis Internet (freeipods.com)
Datran knew that Gratis promised never to sell the lists
Gratis refused to change its privacy policy
Datran bought the data anyway…
Paid $1.1M in settlement agreement
Key issue: data provenance!
List Broker Privacy: Contracts Ban Transparency
(iv) use Experian Data in any marketing communication that refers to selection criteria or presumed knowledge about the recipient.
ExperianDisclosure of Source of Licensed Data; Ad Copy. Solicitation and ad
copy used by Client or Client’s customers in connection with the Licensed Data: (i) shall not disclose the source of the recipient’s name and address; (ii) shall not contain any indication that Client or Client’s customers possess any information about the recipient other than name and address; and (iii) must be in good taste and of the highest integrity.
EquifaxYour marketing communications used in connection with any list
ordered by or for you or your customer shall not make reference to any selection criteria or presumed knowledge concerning the intended recipient of such solicitation or the source of recipients name, address, and/or telephone number;
Alesco