It’s a pleasure to be here in Orlando. When I have kids, and a lot more money, I know exactly where I’ll take them.
As Representative Buerher mentioned, I am an Adjunct Fellow at The Progress & Freedom Foundation. Commissioner Swindle mentioned a survey that PFF recently issued regarding data collection and privacy policies on commercial Web sites. Almost universally, commercial Web sites now have privacy policies, and that reflects remarkable progress in that area.
One of the important findings from that study was that collection of personal information by e-commerce sites is down. There was a lot of enthusiasm in the early days of e-commerce about the value of consumer information. Advertising revenues have dropped and that enthusiasm for consumer information has waned quite a bit. Information about consumers does have value in the marketplace, but a happy medium will be found where companies probably aren’t going to want to collect everything about everyone the way we may originally have thought.
I am also the Editor of Privacilla.org, which is a Web-based think-tank devoted to privacy. And, in addition, I have a lobbying and consulting firm called PolicyCounsel.Com. None of my clients has specific privacy issues, but privacy touches nearly every public policy issue in one way or another. None of the material on Privacilla and none of what I say to you represents the views of any client, but be aware of my potential for bias, as you would be with any privacy advocate.
At Privacilla, we try to sort out the issues that, in public debate, go under the name of “privacy.” We have put forward a definition of privacy so that you, as legislators, can better address the issue directly and determine what interests you are trying to pursue.
The word “privacy” has come to be used to describe just about every concern with the modern world. That’s fine for regular people, but when we as policy-makers address these concerns, we need to be a little more precise.
Identity fraud, for example, is widely perceived as a "privacy" problem. But it is better understood as a group of crimes that thrive on the use of personal identification and financial information. Because of this widespread misperception, the crimes that constitute identity fraud go poorly enforced while Congress and many states consider things like banning many uses of Social Security Numbers. My suggestion is that the cure for the problem of identity fraud is to start putting some bad people in jail.
“Security” and “privacy” are often used interchangeably. Security is closely related to privacy, but they are very different concepts, and I think the public debate is getting better. It can only improve with Commissioner Swindle taking on the role of the United States’ representative to the Organization for Economic Cooperation and Development on the security issue.
Security has to do with all the steps a business or government takes to protect its operations, data, and possessions. Privacy is just one promise that governments and businesses make to citizens and consumers. Security allows privacy promises to be carried out, but the two are not the same.
Likewise, unwanted commercial e-mail, or "spam," is an offensive intrusion into electronic communications and a serious annoyance that is often called a "privacy" problem. Spam exists in large part because e-mail marketers know little or nothing about the interests of potential customers. It is difficult to reconcile spam — e-mails broadcast to unknown people nearly at random — with the heart of the privacy concept, which is too much personal information being available too widely.
Our topic is “who should lead” in terms of privacy protection: states or the federal government. Some people talk about using state legislation as a way of getting the federal government to enact national rules. I don’t think that reflects well what states were designed to do and what they exist for today. I actually went into the public policy field because of work I did on federalism in law school. I do not think it is federalism when you use state legislation only to goad action out of the feds.
A couple of weeks ago, we at Privacilla introduced a report about the state privacy torts and their role in privacy protection. We found that, through a series of privacy torts, most states provide baseline privacy protections. There’s plenty of variation among states: some have adopted only some of the privacy torts; one or two may not have adopted them at all. But the privacy torts exist and are real. Our report is far from the last word. More needs to be said about the privacy torts and all kinds of other state laws that protect privacy in various ways.
The law of contract, for example, means that we can enter into enforceable agreements about whether information will be shared or not. The law of trespass means that you can go into your house, shut the doors and blinds, and what you do remains private from any other private sector actor. There are many other laws that protect privacy by validating the privacy protecting decisions that consumers make.
Let me compare the state laws that protect privacy to the approach taken of late at the federal level. And, of course, to do that I have to address the Federal Trade Commission’s consent agreement with Microsoft announced yesterday.
Now, I’ve just talked about the privacy torts, and there’s been some very frank talk between Privacilla and the Electronic Privacy Information Center about the report we issued. I think that conversation should continue. Now I’m going to pick on the Federal Trade Commission. I previewed my thoughts to Commissioner Swindle before our talk today and he kind of just looked at me, so I don’t know if I might be in trouble with the panelists sitting on both sides of me when I go to sit back down.
The consent agreement validates the “mattress tag” theory of privacy. The wrongs Microsoft has allegedly done are 21st Century paperwork violations.
It’s becoming better and better known that consumers don’t read privacy policies very much. They use other cues to decide who to do business with, like reputation and brand. So when a company gets caught making minor misrepresentations about its information practices, it has much more to do with playing a legalistic game of “Gotcha!” than with delivering real privacy to real consumers.
Now, I’ll grant that the FTC has an obligation to enforce the law as it sees fit, and I don’t suggest that anyone there is not taking their responsibility seriously. But as far as delivering real privacy to real consumers, they are not on the right path.
I especially want to note that one of the charges against Microsoft was that they kept information about users' Web surfing for a limited period of time and made it available to their customer service representatives without making a note of that in their privacy policies. This exposes a very important point in the current privacy debate: that lots of this customer information is being collected precisely for the purpose of helping customers.
Though many companies may act like it is, I want you to know today, ladies and gentlemen, that customer service is not a crime! Information is being collected to provide customer service, customized products, and accurately targeted marketing. This is a good thing for many people.
Notice-and-choice is the dominant version of privacy at the federal level. We’ve seen it in Gramm-Leach-Bliley with financial services, and we’ve seen it in the HIPAA law for health care, but I don’t think this approach has much to do with delivering real privacy to real consumers.
Privacy gets to consumers thanks to the laws that I talked about earlier: the state torts, state contract law, trespass, and a number of other laws. States are already leading the way on privacy by validating the privacy-protecting decisions that consumers make for themselves. In fact, the only thing that will deliver privacy on the terms consumers want it is educated and aware consumers themselves. The approach to privacy that is already embedded in your states’ laws is the approach that leads the way.
All content subject to the Privacilla Public License.