1 / 17

Competition-Enhancing Enforcement in Privacy: A Remedy for the Anti-Privacy Market

Competition-Enhancing Enforcement in Privacy: A Remedy for the Anti-Privacy Market. Chris Jay Hoofnagle Director, Information Privacy Programs UC Berkeley Law CWAG, July 20, 2010. Anti-Privacy Market. Companies do not compete on privacy Users do not read policies

pabla
Download Presentation

Competition-Enhancing Enforcement in Privacy: A Remedy for the Anti-Privacy Market

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Competition-Enhancing Enforcement in Privacy:A Remedy for the Anti-Privacy Market • Chris Jay Hoofnagle • Director, Information Privacy Programs • UC Berkeley Law • CWAG, July 20, 2010

  2. Anti-Privacy Market • Companies do not compete on privacy • Users do not read policies • They assume that privacy policies are seals • Even if read, consumers wouldn’t understand them • Privacy is a secondary product characteristic

  3. Challenge • Plaintiff suits often fail for lack of financial harm • Many are “gotcha” cases anyway • Industry group promises are unenforceable • AGs can play a central role in aligning business practices with reasonable consumer expectations • Focus enforcement actions on creating clarity around key privacy terms • Third parties and information sharing • Opt out • Confidentiality • Anonymization • The list brokers & data provenance • And allow firms to compete under policed definitions…

  4. What is a “third party?” • No one wants to admit to sale of information to “third parties.” • Some companies use “affiliate,” “affinity,” “partner,” or “company with products we think will interest you” to obfuscate third party sharing.

  5. Ann Taylor Privacy Policy • Will my information be shared?To respect your privacy, Ann Taylor will not sell or rent the personal information you provide to us online to any third party. […] In addition, Ann Taylor may share information that our clients provide with specially chosen marketing partners. […] Residents of the State of California may request a list of all third parties to which Ann Taylor has disclosed personal information during the preceding year for the third parties' direct marketing purposes. http://www.anntaylor.com/custserv/custserv.jsp?pageName=Privacy

  6. What does a “right to opt out” require? • Consensus: companies should provide notices and ability to opt out. • Reality: the incentive structure rewards companies for interfering with opt out.

  7. Real world opt outs • Sometimes require a fax to provide personal information that the company doesn’t even have—Intellius.com • Sometimes require disclosure of all addresses—Victoria’s Secret • Sometimes requires data subject to be a victim of DV—Lexis • Sometimes requires bizarre request for paper opt-out request form—Acxiom.com • Many claim they won’t accept opt outs from “third parties”

  8. Catalog Choice.org • Nonprofit environmental group helps consumers opt out of catalogs and list brokers • Makes verifiable opt out requests • Memorializes & tracks them • 1.2 million households have submitted over 17 million opt-out requests to over 2,000 companies • Some companies filter & bounce emails that contain “opt out” • Some companies mail to opt out request email accounts

  9. “Anonymization” • Google Microsoft Search strings: Stored w/ account info IP Addresses: Last octet deleted at 9 months e.g. 99.27.133.XXX IP address intervention makes user “anonymous” among 250 other users Cookies: Hashing at 18 months Search strings: Not stored w/ account info IP Addresses: Full deletion at 6 months Cookies: Removed, along with other cross-session identifiers, at 18 months

  10. The list brokers

  11. Impulsives, matures = new sucker lists

  12. Datran Media Case • Datran bought lists from Gratis Internet (freeipods.com) • Datran knew that Gratis promised never to sell the lists • Gratis refused to change its privacy policy • Datran bought the data anyway… • Paid $1.1M in settlement agreement • Key issue: data provenance!

  13. List Broker Privacy: Contracts Ban Transparency • (iv) use Experian Data in any marketing communication that refers to selection criteria or presumed knowledge about the recipient. • Experian • Disclosure of Source of Licensed Data; Ad Copy. Solicitation and ad copy used by Client or Client’s customers in connection with the Licensed Data: (i) shall not disclose the source of the recipient’s name and address; (ii) shall not contain any indication that Client or Client’s customers possess any information about the recipient other than name and address; and (iii) must be in good taste and of the highest integrity. • Equifax • Your marketing communications used in connection with any list ordered by or for you or your customer shall not make reference to any selection criteria or presumed knowledge concerning the intended recipient of such solicitation or the source of recipients name, address, and/or telephone number; • Alesco

More Related