The Competitive Enterprise Institute and the National Consumer Coalition hereby files comments on and a request to participate in the Federal Trade Commission’s upcoming public hearing on "Consumer Privacy Issues Posed by the Online Marketplace."
CEI is a non-profit, non-partisan free-market research and advocacy group. We have long been involved with commercial free speech issues, and we work on privacy and Internet issues as well. The NCC is a coalition of consumer organizations interested in expanding consumer choice in the marketplace.
There are some central issues which must be resolved before discussing the FTC’s specific questions.
What is "privacy"?
With all of the discussion of privacy of commercial data on the Internet, it is strange that noone has actually defined the term. The tendency is to rely instead on an "I-know-it-when-I-see-it" approach. Supreme Court Justice Lewis Brandeis said that privacy is the "The right to be left alone - the most comprehensive of rights, and the right most valued by a free people." Others say privacy is a result of living in a large society where people do not know each other’s reputations and are not able to impose social constraints on others’ behavior. "Privacy grows as the number of strangers grows," wrote Steven Nock. "Privacy is one consequence, or cost, of growing numbers of strangers."
The confusion surrounding the term privacy leads one to conclude that "privacy" is like a Rorschach ink blot – different people read different things into it. "Whenever an invasion of privacy is claimed, there are usually competing values at stake." In this sense, privacy is not a right, it is a preference.
Much of what people want in the name of "privacy" is that which they could actually achieve through traditionally understood conceptions of property rights and freedom of contract. But when "privacy" itself is set forth as an amorphous, floating concept, it in fact threatens property rights and freedom of contract. It is this substitution of an ill-defined "privacy right" for well-defined rights that threatens the Internet.
What is the distinction between commercial data collection and government data collection?
The restraints placed on government actions on the Internet are rightly and necessarily stricter than those placed on companies and individuals. Restraining government action underlies our entire political system, for the government has unique powers of coercion. Since government may fine, imprison, and (in capital cases), execute citizens, there must be very strict conditions under which government may collect information about citizens.
Unfortunately, government has been less than exemplary in this realm, and has repeatedly pushed the boundaries of acceptable behavior. For example, one bill currently before Congress (H.R. 118) requires the Attorney General to "acquire data about all stops for routine traffic violations by law enforcement officers." The data include "identifying characteristics of the individual stopped, including the race and or ethnicity of as well as the approximate age of that individual." The irony of calling in the government to protect privacy on the Internet when it so cavalierly ignores it in other realms is rich.
On the other hand, companies cannot impose an agenda on private individuals the way the government can. When they try to, there are civil and criminal laws there to stop them. Despite rhetoric about the "power" of large corporations, all marketers can really do is try to persuade people to buy their products. They do this through advertising.
Why is data collection so important for the Internet?
People have repeatedly demonstrated that they are not willing to pay for content on the Internet. Advertising Age magazine recently reported that only 25% of people polled were willing to pay to subscribe to online publications. Many subscribers to content freely share their passwords with others. "If Web sites can’t figure out how to halt the free-for-all, a promising revenue source for on-line businesses may be threatened."
Therefore, in order to develop, web sites will increasingly depend upon advertising for support. Indeed, "for most [Internet search] engines, advertising has accounted for more than 90% of total revenues. Advertising will continue to be the primary source of income for Yahoo! (and other search engines) as they set up local content ventures." America Online has found it necessary to put advertising in chat rooms to raise extra revenue (which was lost when AOL introduced its flat rate monthly user fee).
At the same time, advertisers are still very hesitant about advertising on the Internet. "Where are the marketers?" asked one Advertising Age editorial. The editor of Out magazine’s web page, now defunct, was quoted as saying, "advertisers aren’t clamoring to get on the Web – we have to beat them up to get on the Web" (emphasis in original). Anything which makes it harder for advertising to work will have direct effects on the quality and content of the Internet, a very serious harm to Internet users. In addition, it will likely raise the cost to consumers of using the Internet.
Is the issue "privacy," or is it really marketing?
Much of the rhetoric surrounding the privacy issue concerns the purported power of advertising. There is a decades-old strain of thought which declares that advertising is coercive and makes people buy what they do not want. This is untrue, as examples from the Edsel, to New Coke, even to Nissan (which has a great ad campaign but has seen no increase in sales) show. Unfortunately, many people do not fully recognize the very real benefits consumers derive from advertising.
Advertising’s role in a market economy is essential, and essentially benign. Advertising lets consumers know about price and quality information. It alerts consumers to the existence of new and improved products. It even saves consumers time by helping them figure out what they do not want in advance of shopping (e.g. a new car’s styling is unattractive, or it is too expensive). Curtailing advertising limits the availability of consumer information.
FTC Question 2.3: What are the risks, costs and benefits of collection, compilation, sale and use of personal consumer information in this context?
Despite plenty of speculation, there has been no demonstration of significant actual harm resulting from the commercial collection of personal data over the Internet. This is not to say that all data posted on the Internet are good. Quite the contrary. For example, the government has made it difficult, if not impossible, to live in America today without a social security number. Congress has mandated that all states use social security numbers as driver identification numbers. And Departments of Motor Vehicles have been rather cavalier about selling the data collected, including social security numbers. That is why the outcry against Lexis-Nexis, which created a database of publicly available government information, was misplaced.
The allocation of costs and benefits deriving from data collection depends upon whom you ask. Again, privacy is a preference, not a universal right. While some may not like the very idea that data are being collected about their consumption behavior, others may not care at all. Indeed, some consumers may not mind how much information about them is available, if it means they will receive only ads targeted to their particular interests. "Consumers don’t mind advertising and pay attention to it, as long as it gives them something of value."
There is a tension between the notion that all interactions on the Internet ought to be private, and the reality that people go on to the Internet to communicate in public. The reality is that going on to the Internet is like walking on a public street, with each Web page like a private store. Each Web page has the right to set up its own conditions for entry. Such policies could range from a free-for-all data collection spree, to very strict information collection limitations.
It is important to note that since advertising depends upon customer profile information, web pages which take extra steps to protect privacy might be relatively more expensive, and may have to charge a premium. If one individual prefers more privacy than another, this is a reasonable situation. It behooves Web pages to clearly define the terms of entry. As for chat rooms and newsgroups, their entire purpose is for people to communicate with each other. Therefore, people should not be surprised when third parties collect information which they have already placed in the public realm.
There are some very serious problems with the notion that consumers somehow "own" information about themselves which they have already released publicly, or through a contract with a company. Away from the virtual world, people have repeatedly shown willingness to give up their "valuable" personal data in return for such things as rebates or coupons. From product reply questionnaires to supermarket shopper clubs, people give out information all the time, often automatically. Even when it comes to the sale of magazine subscriber lists, many people know about it and often take advantage of deals offered by other magazines and by marketers of certain products.
Some say that consumers ought to be reimbursed for this sale of names. But value is subjective, and in a market economy, a good offered for sale is only worth what someone else is willing to pay for it. Companies pay for the names because it saves them the time and expense that it would take to collect the publicly available information themselves. Arbitrarily assigning a price to names, rather than having it settled by negotiation through the market, assumes that everyone agrees upon the value of a name. As discussed above, this is unclear. Artificially raising the price of a good (i.e. a name) through regulation would surely decrease demand for it. That outcome might please many privacy advocates, but it would hurt consumers in unseen ways, by limiting the availability and circulation of consumer information.
If you release information about yourself, then that information becomes part of the public realm. For example, suppose you place an engagement announcement in a local newspaper. You do not "own" that information. That is, other parties can pick it up and use it for, say, creating mailing lists of newlyweds or brides-to-be. "The power to control information about you is the power to control the speech of others."
Even when it comes to implicit contracts – the selling of magazine lists, for example – there is no reason why it is incumbent upon the magazine seller to obtain an affirmation from every subscriber before selling their names. Rather, sensitive consumers ought to pay attention to the fine print of their contracts. They can decline to contract in the first place, or establish a set of acceptable conditions, such as requesting that their names be removed from mailing lists. Since keeping names off of lists is a preference and not a right, consumers who do not like this practice have no right to impose it on everyone. What goes for the real world should apply to the virtual world.
In short, the risks of this data collection by companies are overstated. The one exception is when collected information falls into the hands of the government. For example, an ice-cream shop culled names of eighteen-year-olds from the store’s birthday club and sold the list to the selective service. For these customers, going into an ice-cream shop mean induction in the army.
The costs and benefits of data collection are different for every consumer. Regulation would only institutionalize a set of preferences, rather than uphold rights. It might be that companies ought to be more explicit about their information collection policies. However, those companies which do take extra steps in this regard frequently tout it. In short, those consumers most concerned about data collection already have one way of satisfying that preference, without resorting to government intervention.
FTC Question 2.16: How widespread is the practice of sending unsolicited e-mail? Are privacy or other consumer interests implicated by this practice? What are the sources of e-mail addresses used for this purpose?
Unsolicited e-mail is very similar to junk mail. Many people find it annoying, but enough people like it and take advantage of it to allow the practice to continue. E-mail marketers often harvest names through data mining – collecting e-mail addresses from newsgroup posts and chat rooms. It is clear that many consumers do not like this, but it is not clear why this practice is illegal, as opposed to simply irritating.
As previously noted, people who venture out into those chat rooms and newsgroups are going out into public. E-mail put out into these areas is public property, much as an engagement announcement would be. Therefore, someone collecting lists of names and sending out junk e-mails is acting perfectly legitimately. There is no way for a data collector (or even another participant) to know in advance who would like to hear about something or not. The combination of what is wanted and what is unwanted is different for everyone.
Many people object to the costs of paying for unwanted e-mail (e.g. charges per e-mail received, line charges incurred while using the e-mail function). That is perfectly understandable. But if you do not wish to be put on a list, the responsibility is yours to avoid it. Fortunately, there are already options available. Most of the major Internet providers – AOL, Prodigy, CompuServe – already have banned junk mailings. The provision of what some see as a valuable service is perfectly legitimate as well. AOL also permits people who participate in chat rooms to use up to five false names. With the ease of finding anonymizers to surf the Web, "going incognito" has never been so easy to do.
As the Washington Post aptly noted, "Psychologically, the more interesting question is why folks who long since gave up the attempt to stop mass telemarketing or ordinary delivered-to-the-door junk mail find it so much more immediately threatening to receive mail that can be deleted at the touch of a button."
FTC Question 2.18: What costs does unsolicited commercial e-mail impose on consumers or others? Are there available means of avoiding or limiting such costs? If so, what are they?
The wording of the question suggests that the FTC believes that the primary cost of unsolicited e-mail is "privacy." Once again, "privacy" is a preference. Therefore, junk e-mail is a cost only to those who personally object to data collection. It might be useful to look at this situation in a different way.
Restricting data collection reduces the possibility of target marketing. Perhaps some consumers would be happy to receive e-mail relating only to their particular interests. As target marketing becomes more accurate due to data collection, it would actually reduce the amount of unwanted e-mail. Sailing enthusiasts would not receive gardening catalogs, gourmands would not receive home improvement information.
In addition, clamping down on data collection will hurt smaller companies and non-profits, who might find this data collection useful in finding new customers or members. Well-known groups such as the ACLU receive a great deal of publicity and exposure in the general media; how many other small free-speech groups would like to find people interested in their work via the Internet?
One of the biggest objections to data collection is its awesome speed. But this is not a sufficient basis for regulation; it is an extension of objections to data collection in general. Combing a phone book manually or by computer is essentially the same; the latter just takes less time. Use of data collection technology makes information cheaper and more available to a variety of groups, from non-profits to associations dedicated to one or another hobbies or interests.
At a minimum, the FTC should insist on a real and significant showing of harm resulting from commercial data collection, rather than rely upon claims of consumer irritation. The FTC should be extremely cautious in regulating the free flow of consumer information. Any regulations are bound to have unforeseen effects. For example, the European Privacy Directives have made it very difficult to exchange employee information between branches of the same company located in different countries. Instead, the FTC should confine itself to policing fraud and investigating any actual injury. As Esther Dyson put it, "The goal is a market in privacy practices. That will result in constantly improving standards rather than rigid ones set by law, and in decentralized, speedy enforcement" (emphasis in original).
Advice on Consumer Privacy Issues.Read more