Competition-Enhancing Enforcement in Privacy:A Remedy for the Anti-Privacy MarketChris Jay HoofnagleDirector, Information Privacy ProgramsUC Berkeley LawCWAG, July 20, 2010

Anti-Privacy Market

Companies do not compete on privacy

Users do not read policies

They assume that privacy policies are seals

Even if read, consumers wouldn’t understand them

Privacy is a secondary product characteristic

Challenge

Plaintiff suits often fail for lack of financial harmMany are “gotcha” cases anywayIndustry group promises are unenforceable

AGs can play a central role in aligning business practices with reasonable consumer expectations

Focus enforcement actions on creating clarity around key privacy terms

Third parties and information sharingOpt outConfidentialityAnonymizationThe list brokers & data provenance

And allow firms to compete under policed definitions…

What is a “third party?”

No one wants to admit to sale of information to “third parties.”

Some companies use “affiliate,” “affinity,” “partner,” or “company with products we think will interest you” to obfuscate third party sharing.

Ann Taylor Privacy Policy

Will my information be shared? To respect your privacy, Ann Taylor will not sell or rent the personal information you provide to us online to any third party.

[…]

In addition, Ann Taylor may share information that our clients provide with specially chosen marketing partners.

[…]

Residents of the State of California may request a list of all third parties to which Ann Taylor has disclosed personal information during the preceding year for the third parties' direct marketing purposes.

http://www.anntaylor.com/custserv/custserv.jsp?pageName=Privacy

What does a “right to opt out” require?

Consensus: companies should provide notices and ability to opt out.

Reality: the incentive structure rewards companies for interfering with opt out.

Real world opt outs

Sometimes require a fax to provide personal information that the company doesn’t even have—Intellius.com

Sometimes require disclosure of all addresses—Victoria’s Secret

Sometimes requires data subject to be a victim of DV—Lexis

Sometimes requires bizarre request for paper opt-out request form—Acxiom.com

Many claim they won’t accept opt outs from “third parties”

Catalog Choice.org

Nonprofit environmental group helps consumers opt out of catalogs and list brokers

Makes verifiable opt out requests

Memorializes & tracks them1.2 million households have

submitted over 17 million opt-out requests to over 2,000 companies

Some companies filter & bounce emails that contain “opt out”

Some companies mail to opt out request email accounts

“Anonymization”

GoogleSearch strings:

Stored w/ account info

IP Addresses:Last octet deleted at 9 months

e.g. 99.27.133.XXXIP address intervention makes

user “anonymous” among 250 other users

Cookies:Hashing at 18 months

MicrosoftSearch strings:

Not stored w/ account info

IP Addresses:Full deletion at 6 months

Cookies:Removed, along with other cross-session identifiers, at 18 months

The list brokers

Impulsives, matures = new sucker lists

Datran Media Case

Datran bought lists from Gratis Internet (freeipods.com)

Datran knew that Gratis promised never to sell the lists

Gratis refused to change its privacy policy

Datran bought the data anyway…

Paid $1.1M in settlement agreement

Key issue: data provenance!

List Broker Privacy: Contracts Ban Transparency

(iv) use Experian Data in any marketing communication that refers to selection criteria or presumed knowledge about the recipient.

ExperianDisclosure of Source of Licensed Data; Ad Copy. Solicitation and ad

copy used by Client or Client’s customers in connection with the Licensed Data: (i) shall not disclose the source of the recipient’s name and address; (ii) shall not contain any indication that Client or Client’s customers possess any information about the recipient other than name and address; and (iii) must be in good taste and of the highest integrity.

EquifaxYour marketing communications used in connection with any list

ordered by or for you or your customer shall not make reference to any selection criteria or presumed knowledge concerning the intended recipient of such solicitation or the source of recipients name, address, and/or telephone number;

Alesco