Now, we're experiencing the explosion of commerce on the Internet. Web sites are able to capture data from their visitors, and to merge that data with other information. With the exception of the Children's Online Privacy Protection Act and a smattering of state laws regulating spam, or unsolicited electronic mail, there is little regulation of data collection on the Net.
Many such sites have joined a web-branding service like TRUSTe or BBBOnline. These programs require that web sites post policies regarding their data collection and use. They also audit their members to evaluate compliance.
The full complement of fair information principles include a minimum of eight measures developed by the Organization of Economic Cooperation and Development in 1980. Added to the FTC's four principles are usually collection limitation, accuracy, openness, use limitation, and accountability. The European Union has based its Privacy Directive on the more robust set of fair information principles.
So, what are consumers' experiences on the Net concerning their privacy? I will list several themes that I've observed in talking to consumers and in following news stories about online privacy abuses in recent months.
A result of the invisibility of data capture - or as the EU would describe it, the lack of transparency in data collection - is that many consumers lack understanding of what's happening to their data. This situation is similar to the physical world, where, as I mentioned earlier, there are few cues about what is done with personal information.
We have received numerous calls from individuals who say "I want to know what's out there about me." When I press them for more details about their concerns, they describe a blurred world of large data bases containing huge amounts of information about them - not altogether untrue. They often are concerned that such unidentified data bases may contain negative information about them, which would explain why they can't find a job.
I think it's significant that these callers often use the same words "out there" and that they have almost no specific knowledge of the variety of data files that exist about them, how they're being used, and what limits to usage exist on many of these data bases.
A second theme is the potential ubiquitousness of data gathering, and the ability of data from several sources to be merged to create massive electronic dossiers on individuals. We are hearing a great deal these days about the ad-placement network Doubleclick and its ability not only to track users' clickstream as they travel from site to site, but also to be able to link the data gathered online with an offline data source. Doubleclick has merged with Abacus, a company that tracks mail order purchases of about 90 million households. At the time of the merger, the Abacus CEO told MSNBC that "the goal is to have the most complete picture of the consumer you can."
I ask nearly every person who calls our hotline if they have Net access. I want to alert them to our web site and other sites, and to specific fact sheets that can answer their questions. Of those who say they are not Internet users, the majority say, without my prompting them, that they don't want to go online because they fear that massive amounts of data will be collected about them.
This observation is borne out in survey data. A 1998 Harris poll found that of those who were not online, 70% responded that they would be inclined to start using the Net if "the privacy of [their] personal information and communications would be protected." ["New Online Privacy Survey Confirms 1997 P&AB Findings," Privacy and American Business, 5:1, March/April 1998, p.6.]
A third theme is invasion. Web sites can capture and track visitors' clickstream data by placing small text files called "cookies" onto their hard drives. Unless users are savvy enough to set their browsers to notify them about the pending placement of a cookie, it is done without the user's consent, and it's an invisible process. We now hear the word "stalking" being used to describe cookies' tracking capabilities.
A fourth theme is the fear of harm befalling Internet users - fear, for example, that their credit card numbers will be stolen. This is not far-fetched given the recent news story of the Russian hacker obtaining over 300,000 account numbers from CD Universe. Many fear that their identities will be stolen, even though this is predominately a low-tech crime. And many fear that the information that is captured will be used for other unrelated purposes.
Although it's not Internet-based, I like to use the example of supermarket buyer's club data to illustrate the potential for secondary uses of personal data. Smith's Foods, a large supermarket chain in the Southwest, has been subpoenaed by the U.S. Drug Enforcement Agency for data on specific customers being investigated for illicit drug manufacture and sale. Were they looking for high-volume purchases of over the counter medications like Sudafed? No, they were interested in learning if these individuals had purchased large quantities of plastic baggies, presumably for packaging the drugs for sale on the street - a most interesting and, to my mind, troubling secondary use of the data given the number of households that probably purchase lots of plastic bags for a variety of uses.
A fifth theme is confusion over their privacy rights. I have observed that many consumers believe they have far more protection in law than they actually do, whether it's a real world experience they are describing or an online experience. They often say to me, "There's a Privacy Act you know, and I have rights."
The Privacy Act that they are referring to is actually rather limited. It addresses what federal government agencies can do with personal information. It has no bearing on the private sector. Yet, individuals often think it applies across the board, much like the European countries' data protection laws.
What are the consequences of such experiences by consumers?
- One is reluctance to go online, as I mentioned earlier.
- Another is a desire to "mess up the system." Many individuals take great delight in telling me how they falsify information, both online and offline. This is their way of getting even in a marketplace they view as unfair.
- And another is refusal to provide information. In a 1997 Harris survey on Internet privacy, four out of five (79%) respondents who were "asked to provide information when visiting a site declined at some point to provide that information."
[Mary Culnan, "Online Survey Makes Business Case for Privacy," Privacy and American Business 4:3, September 1997, p. 11.]