Last month, January 28th to be exact, responses were due to the Department of Commerce Green paper originally posted in December, 2010 by the National Telecommunications and Information Administration. Our own Personal Data Ecosystem Consortium response is here.
Analysis of Responses
The responses to the Department of Commerce Green Paper fall into several groups. Predictably, business and consumer groups strongly tend to line up on opposite sides of many of the Advocacy groups who are proponents of user privacy when reviewing each of the issues raised in the DOC Paper. Many of these issues are described or implied by respondents as an “either / or,” but we know it is possible to shift the whole personal data model in a thoughtful way, and end up where users control their data and the marketplace for data can coexist in a healthy way that respects users’ data. However, here are some of the dichotomies that found in the responses:
- Individual control vs overall system guidelines
- Patchwork regulation vs harmonization / preemption
- Direct enforcement only vs encouraging indirect enforcement by other entities
- Safe Harbor vs private right of action
- Clearer notices vs. the typical privacy notices we have today on many sites that are unclear
- Machine readable notices vs. none
- Do Not Track vs no Do Not Track vs “DNT” is ill-defined
- Baseline framework for privacy and data control vs. a more involved framework
- Need more research vs need regulation now
- Contextual vs rigid regulation
- General principles and flexibility vs specific technology mandates
- Sector-specific regulation vs. general overarching regulation
- Sector self-regulation vs government mandate vs self-regulation backed by mandate
- Internet of Things
Below, we list the traditional pro-consumer and pro-business viewpoints first, then go into more detail on those proposing new ideas or technology as a “third way” out of this longstanding conflict. We’ve essentially summarized what we found across the responses.
Consumer advocacy groups
Several are technology-focused (Electronic Privacy Information Center; Electronic Foundation; Center for Democracy and Technology; Center for Digital Democracy + US PIRG; Comradity) or privacy-specific (World Privacy Forum; Privacy Rights Clearinghouse) while many are traditional, broad-focus consumer advocate or civil rights organizations (ACLU; Center for American Progress; Coalition of Child, Health and Consumer Advocates; Consumer Federation of America; Consumer Watchdog; Consumers Union; National Consumers League)
Most consumer groups support the concept of Do Not Track (some were involved in drafting it with the FTC) but a few give the details of DNT much attention in their responses.
Businesses impacted by DNT
This is by far the most numerous category of respondents. Only a few of these are individual businesses (Experian; Keller and Heckman; Quicken Loans; Reed Elsevier; The Right Audience; UnitedHealth Group); the great majority are trade associations or industry think tanks:
(America’s Health Insurance Plans; American Association of Advertising Agencies + American Advertising Federation + Association of National Advertisers + Direct Marketing Association + Interactive Advertising Bureau; American Business Media; American Catalog Mailers Association; Business Software Alliance; Computer and Communications Industry Association; CTIA – The Wireless Association; Catalog Choice; Centre for Information Policy Leadership; Coalition of Trade Associations; Consumer Data Industry Association; Direct Marketing Association; Entertainment Software Association; Financial Services Forum; Future of Privacy Forum; Global Privacy Alliance; Information Technology and Innovation Foundation; International Pharmaceutical Privacy Consortium; Internet Advertising Bureau; Internet Commerce Coalition; Management Association for Private Photogrammetric Surveyors; Marketing Research Association; Mortgage Bankers Association; National Business Coalition on E-Commerce and Privacy; National Cable & Telecommunications Association; Net Choice; Network Advertising Initiative (but makes technical argument); Online Publishers Association; Online Trust Alliance; Retail Industry Leaders Association; Securities Industry and Financial Markets Association; Software and Information Industry Association (doc missing?); State Privacy & Security Coalition; Tech Policy Institute; TechAmerica; US Chamber of Commerce; US Council for International Business)
Many of these businesses are heavily involved in “Business As Usual” of tracking individual’s personal data and feel concerns about regulation sharply, fearing that additional regulation will heavily impact or even destroy their business (mostly those which are constructed solely to stalk users’ data). Most call for controlled-impact, flexible regulation and self-regulation, though some argue against new regulation completely or defiantly assert everything they are doing is good for customers.
A few do not mention Do Not Track at all because their concerns are independent of it, such as Business Software Alliance (piracy).
Large, diversified businesses
This includes some of the largest web and software companies (eBay; Facebook; Google; IBM; Intuit; Microsoft; Yahoo!), phone companies (AT&T; Verizon), and a few others (Walmart; General Electric; Visa).
Marketing information is only a small part of these companies’ business, and appearing as a moderate, responsible corporate citizen is a major concern. Typically the first part of the response praises the Green Paper and other government efforts and endorses some specific proposed regulations; then the second part gently introduces business concerns that regulations will be costly and inflexible and suggests moderating these by emphasizing flexible industry-run, industry-specific self-regulation. Often the company has its own longstanding, named strategy on privacy or on regulation in general, and includes or attaches an existing document on this strategy, some of which may not be relevant to the Green Paper topics.
Businesses and organizations selling or advocating privacy technologies
The Green Paper response is an opportunity to promote their products and concepts that address privacy/marketing problems. Their positions on the various Green Paper issues are oriented towards making a case for their product rather than following traditional business vs. consumer lines, and may appear to be mixed from that perspective. Here is a list of companies and organizations and their major products or ideas:
- BlueKai: Registry for user preferences by interest; intermediary between advertisers and websites enforcing privacy standards and preferences
- CMP.ly: Framework of readable, visual, identifiable statements and iconic images
- ePrio: “Confidential, interactive environment”: personal data store that downloads and runs verified plugins to determine which ad content to display
- Kindsight: Opt-in ad-supported security filter
- LifeLock: Standardize and color-code privacy ratings and notices
- Markle Connecting for Health: Framework for Networked Personal Health Information defining set of consistent, specific policies and practices
- Reputation.com: “MyPrivacy” dashboard to manage opt-outs
- Synaptic Laboratories: Secure cloud computing platform [e.g. could allow running a trusted personal data store in the cloud]
- Telcordia: Policy-based clearinghouse system. Also advocates central privacy clearinghouse/gateway
- TruEffect: Enables advertisers to personalize ads by using marketing data they already have
- TRUSTe: Certification and dispute resolution
- US Association for Computing Machinery: Advocates dataflow-based lexicon, enhanced privacy risk models to provide better decision support framework
- World Wide Web Consortium: Advocates protocol and security standards for user access to data; machine-readable impact assessments; research on purpose specification technology
We would also fit into this category, though we don’t offer a product but rather advocate a Personal Data regime:
- Personal Data Ecosystem: where users control the sharing of their data, through Personal Data Stores and various apps, marketplaces for data (akin to marketing and advertising as it is conducted now in order to find leads for businesses), and personal RPFs and other requests for goods and services from users (more akin to someone requesting a sale from the sales department of an entity).
Major themes in the products and concepts include:
- Standardizing and automating rating systems
- Enabling users to specify privacy and marketing preferences for websites and advertisers to follow
- Personal data stores allowing users to self-manage data; personalization rules are brought with the data to its use, rather than vice versa; applications and marketplace interactions for user’s data; open standards and interoperability for personal data.
Responses tend to showcase ideas from the academic’s own research.
- Doty: UC Berkeley School of Information: Machine-readable policies
- Goldfarb and Tucker: Regulation of ads will drive sites to more commercial and annoying content; privacy regulation will impede competition with large incumbent firms;
- Hirsch and Rubenstein: NYU and Capital U. law schools: Enforceable voluntary codes of conduct are a useful middle ground between self-regulation and government regulation. Carrots and sticks needed to motivate code development.
- Hoke: Cleveland Marshall College of Law: Ban contracts of adhesion
- Hoofnagle: Berkeley Center for Law and Technology: B2C privacy policies have slippery language on sale of personal information to third parties, but B2B contracts prohibit it with certainty.
- Kang: UCLA Law: Creating a new intermediary Privacy Data Guardian that maintains Privacy Data Vaults for clients.
- Nissenbaum, Farrall and Brunton: NYU: Transparency and opt-out alone are ineffective; need opt-in, research on detailed sector-specific regulation, technology solutions
- Sprague: U of Wyoming: There is precedent for a more expansive concept of PII. The FTC recently embraced a more expansive definition of “personal information” in its 2008 Consent Order. Actually reading all privacy policies would take 201 hours/year.
- Information and Privacy Commissioner of Ontario (Canada): Global Privacy Standard; Privacy by Design
- GS1 Global Public Policy: Interoperability with Europe; Internet of Things
- John Nugent: Opt-in
- Joel Ruiz: Private right of action
If you’d like to take a look at our spreadsheet looking at all the submissions, here it is.