Data Privacy Rules Should Be Same Online and Off, Subcommittees Told

The collection of data that has the potential to identify a person’s views on abortion or their sexual orientation could worry people “to the point of anger,” said Consumer Protection Chairman Bobby Rush, D-Ill. He asked whether the forthcoming bill would set “perverse incentives” if it treated differently, say, data collected through warranty cards and social networking sites. Ranking Member George Radanovich, R-Calif., said he was mostly worried about offline data getting merged with that online, a practice that will “continue to grow in significance.” But Congress shouldn’t rush into legislating so as not to harm companies with good practices, he said.

Former Communications Chairman Ed Markey, D-Mass., warned that people’s lives were being turned into “products” in the era of “privacy peepers and data-mining weepers.” Wireless data should be considered as well, he said. The view that “Congress can’t keep up with new technology” is outdated, Markey said. The question is whether the privacy “values” of bygone eras should prevail. At the last joint hearing on privacy, the subcommittees largely agreed there were benefits from behavioral targeting, said Communications Ranking Member Cliff Stearns, R-Fla., one of a few lawmakers drafting the House Commerce bill. The question is “how robust” should notice and disclosure be. “If we get too much into the weeds” on which practices are legitimate on which platform, Congress could harm the Internet’s economic power, he said.

Social networks are perhaps the “greatest threat” to online privacy because they track a person’s Internet behavior daily, said Rep. Gene Green, D-Texas. The sector- specific nature of U.S. privacy laws, which govern distinct industries such as financial services and medical providers, make it crucial that Congress oversee those industries currently unregulated, he said. Facebook Director of Public Policy Tim Sparapani told us later that Green has an official Facebook page, and the company wants to show lawmakers its “commitment to enabling people to control what information they share with whom.” Rep. Mike Doyle, D-Pa., said Congress should look for a “sweet spot” between consumer and business interests, since “consumers hunger for personalization” of the sort that data-collection offers.

Legislation should focus on empowering consumers, said Rep. Steve Scalise, R-La.: “Congress should not pick winners and losers” in business. Rep. Doris Matsui, D-Calif., said revelation of the scope of data collected, its intended use and retention period should be required in consumer notices. Reps. Marsha Blackburn, R-Tenn., and Tim Murphy, R-Pa., made a quixotic request that Congress look at the prevalence of targeted ads on Web sites featuring infringing content. Rep. John Barrow, D-Ga., said he saw the forthcoming bill as a “continuation” of his effort to improve file-sharing software security under HR-1319.

Having largely outsourced its data-collection efforts, the government is just as guilty as businesses, said Chris Hoofnagle, director of information privacy programs at the University of California-Berkeley School of Law. He was a lead researcher on a recent study that found two in three consumers object to behavioral targeting (WID Oct 1 p9). Lists of databases known as “data cards” are sold without regulation, putting consumers into insulting categories such as “elderly impulsives,” and confidentiality agreements between buyers and sellers mean they're practically invisible to consumers, he said. Without regulation, invasive collection practices could “chill commerce” online, said Pam Dixon, World Privacy Forum executive director. Sensitive categories such as medical records sometimes emerge as unregulated databases because they were voluntarily given, she said. A Web site offering a list of “bad customers” -- those who disputed payment charges, such as identity-theft victims -- recently sprung up with six million names, Dixon said.

Marketing communications giant WPP can’t cater to consumer preferences without collecting data, said George Pappachen, chief privacy officer of its Kantar consultancy. Modern audiences are fragmented and spread across “overlapping” platforms, and outside the U.S., offline collection is still the norm, he said. The company is working on market models that work with the proposed self- regulatory regime that’s been developed by various industry groups in the past year, Pappachen said. Data broker Acxiom doesn’t have “one big database” that covers the whole U.S. population, but rather smaller databases for specific needs, Global Privacy and Public Policy Executive Jennifer Barrett said. It gets its records largely from public sources and voluntary surveys, and lets consumers opt out of collection from its marketing business, she said. “Online is no longer separate and distinct” as a marketing channel, though privacy is still “contextual” on each platform.

Small businesses could fall victim to new rules tailored for data brokers, said Michelle Bougie, senior Internet marketing manager for LearningResources.com, which sells educational materials and toys. They need to find interested customers, who in turn need to find “niche manufacturers focused on their needs,” which is enabled by renting lists of names or online profiles for use in targeted ads, she said. Congress should avoid legislation that creates “insurmountable advantages for larger companies who accumulate and use consumer data in their own businesses,” Bougie said. Lawmakers should take a “crawl, walk, run” approach, perhaps using the Do Not Call Registry’s opt-out framework.

Rules Could Reduce Consumer ‘Anxiety’ About E-Commerce

Witnesses agreed that any legislation should apply online and offline with some qualifications. “It can’t be a one-size-fits-all” framework, Bougie said. “Just be very cautious.” Wal-Mart Stores Chief Privacy Officer Zoe Strickland said it’s “very hard to draw a line” between online and offline collection. “Convergence would dictate that we have a broader application” of rules, Pappachen said.

Hoofnagle said his research team was “surprised” by consumer attitudes on behavioral targeting. They have “anxiety” over collection that crosses contexts, such as targeting on a work computer that comes from their home activity. He told Communications Chairman Rick Boucher, D- Va., that greater transparency in the collection process could “change that number.” Because consumers assume that many collection practices are illegal, neither an opt-in nor opt-out regime may work, Hoofnagle said. He suggested “mandatory retention ceilings” so data would expire.

Barrett told Radanovich that the self-regulatory guidelines from the industry would largely address consumer concerns. They are “a big step in the right direction and not as well known as it ought to be.” She went through a lengthy back-and-forth with Doyle over what information Acxiom may have on the lawmaker, and the different conditions under which Doyle could review and remove his information. The company has 1,500 potential “data points” for classifying consumers but the average person is only assigned 20 to 40, Barrett said. Bougie said rules should focus on specific categories of sensitive information such as medical records, which “helps level the playing field” for small businesses. Dixon said self-regulation would only work for good companies, not bad actors. Some of the most revealing information, such as that requested in Facebook surveys, could be sold downstream to database providers, she said. “Did they really truly know and comprehend the full consequences of their actions?”