- having "reasonable" procedures to promote data accuracy
- allowing consumers "reasonable" access to their own personal information in databases
- having "reasonable" security for consumer data
- building privacy protections into everyday business practices
- having a button on internet browsers that lets consumers "opt out" of any information collection that would be used for targeted advertising
Let's consider these recommendations and their impact on both marketers and consumers.
The "Reasonable" Provisions
I'll start with the first three recommendations as a group: "reasonable" procedures to promote data accuracy, "reasonable" access to your own information, and "reasonable" security. It's hard to get past the idea that these are "reasonable" ideas, until, of course, we consider that the ambiguity of these recommendations drastically limit not only their implementation, but their enforcement as well. Granted, the level of ambiguity is not unlike prior privacy-related recommendations, whether made by the FTC or by industry coalitions, but the results would seem to be similarly destined for a future of considerable privacy invasion.
Indeed, these "reasonable provisions" raise more questions than they answer. The first, actually, is the one I initially was most fond of, because it focuses on process rather than only on outcome. Why is this good? Because processes lead to outcomes, and outcomes can be highly dependent on the quality of processes. Of course, ambiguous processes likely lead to ambiguous outcomes, and an online environment that is constantly evolving its processes will be very unlikely to be effectively or efficiently legislated considering the significant lag between problem generation and legislative solution (not to mention the significant gap between industry expertise and political lack thereof).
Allowing consumers access to their own personal data is an excellent idea, but allowing them only "reasonable" access may be problematic. Consider the case wherein the nature, format, or method of data collection is claimed by an online firm to contribute significantly to its differential competitive advantage. Thus, the firm claims that the disclosure of the nature, format, or method of its collected data may cause irreparable harm to the firm's ability to function profitably and attend to the market it serves. Would this then exempt the firm, at least in part, from allowing consumer access to information? It's quite possible that consumers will have access to some information, but not all.
As for security, my guess is that "reasonable" security of consumer data is far less rigorous than, let's say, U.S. government security for classified documents. And the recent WikiLeaks debacle has illustrated considerable flaws in that system. Who's to say that the next set of leaks won't be all your personal health, financial, and/or internet browsing information?
Everyday High Privacy
The FTC's recommendation that online firms build privacy protections into everyday business practices is a noble one to be sure. In fact, it's likely that smart firms will heed this advice in an effort to avoid negative press if a sizable privacy breach occurs. But again, ambiguity of process and ambiguity of outcome combine to limit the impact of such a recommendation. And how much of a culture of privacy protection can a firm truly build when one of the firm's main objectives is to invade privacy in order to facilitate more effective targeting?
The "Track Me Not" Button
The concept of a web browser button that would stop invasive tracking procedures is admirable, but how would it really work? As the FTC explains, it would be somewhat like a persistent (permanent) cookie that lets online firms know that you don't want your behavior tracked if such tracking will be used for behavioral advertising. But what about all the other uses of data, such as for product development or process research or benchmarking? Wouldn't these uses be exempt from the no-tracking requirement? It's like wearing a wedding ring to signal that you're off limits, but it only has meaning on the third Thursday of every month.
The True Future of Privacy Protection
Of all the innovation in the world (and there's quite a bit), the most demanding is legislative innovation because it simultaneously has to serve multiple parties with diverse and often opposing interests. Not enough privacy and people feel violated and quality of life suffers. Too much privacy and firms can't operate as effectively, thus prices rise and quality of life suffers. And what about the various market segments that desire varying levels of consumer privacy?
When it comes down to what can and cannot be legislated efficiently, the most straightforward answer is to make disclosure and access the foundations for privacy protection. As the FTC has made clear in the past, disclosure must be clear and conspicuous, particularly for material (substantially important) terms of any agreement between the firm and the consumer. In addition, access to one's own personal information that is held by a firm should be far more than just "reasonable." It should be complete and absolute. Period.
There might be many who would say that this isn't enough, but the truth is that it's far more than consumers currently have, and would do much to maintain both industry growth and consumer well-being.
Here's to sensible legislation.
Anthony