---

Published: August 2010

Privacy legislation must be grounded in Fair Information Practices

Coalition: Privacy

Consumer Action signed onto testimony presented by U.S. Public Interest Research Group's Consumer Program Director at a legislative hearing examining draft legislation aimed at regulating the collection and disclosure of personal information online.

Below is an excerpt from the testimony:

Thank you for the opportunity to testify before you on the important matter of how information about consumers is collected and used by businesses in the online and offline worlds. This legislative hearing examining one bill and one discussion draft to require notice to and consent of an individual prior to the collection and disclosure of certain personal information relating to that individual, is very timely. Every day, the collection and use of consumer information in a virtually unregulated marketplace is exploding. New technologies allow a web of interconnected businesses – many of which the consumer has never heard of – to assimilate and share consumer data in real-time for a variety of purposes that the consumer may be unaware of and may cause consumer harm.

In this testimony, we hope to provide background on why granting consumers greater control of their personal information is critical public policy, why holding data collectors to compliance with the Fair Information Practices matters, and how the new ecology of data collection works. We will then comment on Chairman Rush’s proposal, the Best Practices Act, and on another draft bill before the full committee as circulated by members Boucher and Stearns, and how those bills approach the problem and recommendations for improvements.

Our organizations share longstanding concerns for consumer privacy and look forward to working with the committee on these matters. The committee has a long history of protecting consumer privacy on a bi-partisan basis, going back to its efforts to strengthen the 1999 Gramm- Leach-Bliley Financial Modernization Act (GLBA). As passed, GLBA provided for greater privacy protection in the financial marketplace and allowed states to enact stronger financial privacy laws, although the Energy and Commerce committee’s laudable additional goal of requiring opt-in consent for data collection and sharing was unfortunately not achieved.

SUMMARY
Consumers today are surrounded by a powerful, sophisticated and ever growing marketing "ecosystem," which collects data from and about them, offline and online, in myriad ways. Collection points include online games, mobile phones, online video, email, display ads, search, in-store transactions, and public records – all these channels are tied together increasingly in real-time updates where users can be bought and sold instantly no matter where they may be. The lesson from the financial meltdown and the new financial law should be that Congress must proactively protect consumers – not as an afterthought. Consumers throughout the country increasingly depend on digital technologies to help them address critical issues related to their finances, health, and families.

Today, the public has to maneuver through a complex array of increasingly personalized interactive services, including mobile and location-based applications, online videos, and social networks, as they seek information and engage in various transactions. Digital marketing poses new challenges to consumers, since it is able to combine ongoing data collection about individuals as they interact with entertainment or other information. The emergence of mobile and location-based marketing services, which permits the tracking and targeting of an individual in a “hyper-local” geographic area, adds a new dimension to consumer protection issues online. Beyond privacy concerns from data collection, a myriad of complex techniques used to market to consumers—including online “viral” peer-to-peer social media promotions, “smart” ads that learn about an online user so its offer can be changed in real-time, and even the use of neuroscience techniques designed to deliver marketing messages directly into one’s subconscious (neuromarketing)—are now regularly in use and can pose real harms.

DISCUSSION AND COMPARISON OF THE APPROACHES OF THE TWO ONLINE PRIVACY BILLS BEFORE THE COMMITTEE

In general, while we respect the great deal of thoughtful work that has gone into crafting the two bills before the committee, our initial comment is that they presume the validity of the current system of data collection and are built around that presumption, rather than starting from the place that we would prefer, which is a broader Fair Information Practices-based (FIPs) framework. To truly protect consumers’ privacy, we need to change the paradigm to a more consumer rights-based approach, as we have done with credit reporting, for instance. Commerce will adapt and thrive based on the parameters that public policy sets for consumer privacy.

Put another way, the bills don't track well with a citizen/consumer's rights in such a FIPs framework. The bills don’t address the massive growth in data collection, by requiring meaningful data minimization and limits to data retention, for example. The bills largely sanction the existing and worsening regime of ongoing collection, analysis and use of off- and online data, through the industry-preferred regime of notice and choice (not the full FIPs framework). While it is very clear that the Rush Best Practices bill makes a more substantial attempt to comply with more elements of the Fair Information Practices, neither bill is primarily based on a FIPs-framework. Instead, they tend to graft some FIPs rights for consumers and responsibilities for data collectors onto a system that is based on excessive information collection.

We continue to believe that the notice and choice model promotes bureaucracy but does not promote privacy. A privacy bill that actually creates some privacy will need to set strong rules that directly protect consumer privacy, or at least be more firmly based on the Fair Information Practices (FIPs) that have been the foundation of U.S. privacy policy for the past four decades. We believe that the bills should be restructured to follow the FIPs, in much the same way. The bills both make substantial contributions and include many concepts that privacy groups and FTC staff have concluded are key to protecting privacy.

CONCLUSION

We commend Chairmen Rush and Boucher, along with Ranking Member Stearns (and other members of the committee), for helping advance a much needed legislative debate about the best way to protect consumer privacy. Consumer and privacy groups recognize the important role that online marketing and advertising play, as a source of revenues for online and other publishing, and as a robust sector of the digital economy. We also recognize that data collection, online and offline, plays an important role—perhaps the most critical one---for the industry’s future.

But contemporary data collection practices, especially online, far surpass what consumers may have become familiar with on a day-to-day basis. Not only are our behaviors online closely tracked and analyzed (such as the content we like or tend to avoid; what we are willing to pay for or what we discard from online shopping carts), but consumers are confronted with an array of interactive ads purposely designed to elicit, sometimes subconsciously, greater amounts of our data. Today, as U.S. PIRG, Center for Digital Democracy and others recently filed at the FTC, so-called real-time ad exchanges auction consumers off to the highest bidder, so that they can be targeted for marketing wherever they might happen to be online. All this is done in a non- transparent, unaccountable manner, without the consumers’ knowledge or consent.

A vast, automated, and powerful data collection complex has emerged, capable of generating and continually revising a profile—a consumer X-Ray—of our habits, interests, worries, financial status, families. These applications can hone in on an individual consumer, and almost instantly create an interactive ad that continues to transform itself as it stealthily “learns” about the interests of a single consumer. Google’s recent acquisition of Teracent, one of the companies focused on so-called “Smart” ads, is just one example of why online marketing’s ability to encourage a consumer to provide data demands a rigorous framework to protect consumer privacy.

We firmly believe that the U.S. should be the global leader in creating a policy framework shaped by FIPs that greatly aids the growth of the digital marketing industry. While advances in so-called computational advertising reflect an important contribution to innovation and can help spur the growth of ad revenues, they must be guided by a framework grounded in the requirements of consumer protection in a democratic society. That’s why we—consumer and privacy groups and other concerned citizens—want to work with Chairman Rush, Chairman Boucher, Ranking Members Stearns and Radanovich—as well as Chairman Waxman and Ranking Member Joe Barton, Mr. Markey and others—to build up these initial proposals, and to work with industry, academic experts, and other stakeholders to develop legislation that is grounded in Fair Information Practices.

Lead Organization

U.S. Public Interest Research Group

Other Organizations

Center for Digital Democracy | Consumer Federation of America | U.S. Public Interest Research Group

Download PDF

No Download Available