Identification: A mirage in the digital age.
Marketers place cookies and keylogging software on consumers’ computers to largely surreptitiously track those consumers’ purchase and browsing activities. Why do marketers do that? Because the digital age makes it pitifully easy to technologically accomplish, and marketers can turn that captured user data into more sales and a saleable commodity. In essence, they do it because they can and because there is money to be made doing it.
If a customer entered a brick-and-mortar store and the clerk told the customer, “I will let you look around our store and even buy an item or two, but only if you agree to disclose to us every website you visit for the next several years along with your physical locations in real-time, your friends’ identities and photographs, and all on-line purchases you make during that same period.” Any reasonable customer would turn around and walk right out of that store. However, in the Internet era, virtually all on-line marketers gather exactly those data and much more from all visitors and customers to their on-line stores. We have allowed ourselves – and our privacy – to be victimized by marketers empowered by the latest computer gadgetry. As President Barack Obama’s White House released in 2012 when it proposed a Consumer Privacy Bill of Rights, “it is incumbent on us to do what we have done throughout history: apply our timeless privacy values to the new technologies and circumstances of our times.”
Nonetheless, when the Obama administration released a revised Consumer Privacy Bill of Rights Act in February 2015, data privacy advocates universally objected to its blurry definition of consumer data, insufficient protections, and lax enforcement regime. In essence, that Act straddled the line between some protection of private consumer data on the one hand and enabling consumer data collection and sale on the other hand, the idea being that sharing consumer data can have a positive effect on the U.S. economy. Such a laissez-faire, even cavalier, approach to consumer data protection illustrates the government’s conflicted approach to consumer data privacy. To the extent that enhanced consumer data privacy will impede sales by any American company, the government is loathe to protect the consumer data.
Moreover, once a consumer has more-orless willingly turned over to online marketers the keys to their privacy kingdom, along with the credit card and bank account numbers, Social Security numbers, and mothers’ maiden names, the online marketers are just the first entities to possess these private data, certainly not the last. has already happened.” In that study of Ameri-Many online marketers sell their caches of pri-can consumers:
vate consumer data to other marketers. Indeed, one can hopefully differentiate between first-party data gatherers, who have a direct relationship with the tracked user, and third-party data gatherers, who purchase consumer data from first-party gatherers and mine the Internet for dozens more data points about those same users. Users’ private data, including health records, pregnancy status, HIV status, credit scores, assets, debts, purchase and browsing history are all readily available from third-party consumer data vendors. Perhaps more disturbing is that all these heretofore private data on consumers are susceptible to domestic and foreign hackers and other unintended dissemination and sharing of private facts about American consumers.
The rationale for such large-scale collection and dissemination of private consumer data is largely ex-post rationalization. The theory goes that allowing marketers to track all this private consumer data has the allegedly salutary benefit of allowing those marketers to better target its advertisements to users who are likely to be genuinely interested in the advertised products. That is why once a user engages in online cost comparisons for baby strollers, that user is subsequently inundated with popup ads from one vendor or another advertising strollers and other baby-related items. However, is that modest shopping convenience really worth the cost of all that privacy erosion? Are American consumers and their elected representatives willing to wade into the Internet and take back their consumer privacy rights?
It may be too late for that, for now, at least, because American consumers believe – and act as if they believe – that they are powerless to stem the tide of personal consumer data collection by online marketers. As one 2015 study notes, “Americans believe it is futile to manage what companies can learn about them . . . [the majority] do not want to lose control over their information but also believe this loss of control
-
49% incorrectly believed a supermarket must obtain the consumer’s permission before selling information about the consumer’s purchases to other companies;
-
69% inaccurately thought a pharmacy must have your permission before selling to others information about the over-the-counter products you have purchased;
-
65% falsely believed that if a company has a “privacy policy,” that means the company will not share consumer data with others without consumer permission;
-
91% believed it is not fair for business to collect consumer data without their knowledge;
-
71% felt it was not fair for businesses that provide free in-store Wi-Fi to collect surfing and use data from consumers using the service;
-
64% wrongly believed that clearing cookies on a cellphone prevented marketers from tracking the user;
-
84% want to be empowered to control what data business collect from them online; but
-
65% report that they have come to accept that they have little control over what marketers can learn about on-line consumers; and
-
only 18% of all Internet users have activated a “do not track” feature to prevent online marketers from tracking and logging their consumer information and activity.
If one examines these results, it appears that those consumers who are more aware of the depth and breadth realities of online data collection by marketers are the most resigned to the inevitability of that data collection. The most informed have given up.
As the Wall Street Journal reported in 2010, “One of the fastest-growing businesses on the Internet... is the business of spying on Internet users.” Moreover, why not? It is, after all, big business indeed. Recent studies suggest that buying and selling otherwise private consumer data mined from the Internet will soon top $60 billion in annual revenue in the United States alone.
We ought not to blame the Internet marketers, first-party data gatherers, third-party data gatherers, and those who purchase consumer data from them. They are just following a free market model: they are simply entering a profitable market. In reality, the regulators and legislators are the ones to be blamed. For example, the Federal Trade Commission (FTC), the federal agency most broadly charged with consumer protection, and which talks a good game (“In today’s world . . . companies are collecting, storing, and sharing more information about consumers than ever before . . . they should not do so at the expense of consumer privacy”), and has some solid policy stances (such as, “The Commission now also calls on Congress to consider enacting baseline privacy legislation and reiterates its call for data security legislation”), has largely served as the chief apologist and enabler of data privacy erosion, focusing on industry self-regulation rather than on top-down legislated limits on consumer data privacy erosion.
Even the FTC’s data privacy enforcement actions have been largely ineffective. When the FTC compelled Google and Facebook to more clearly disclose to consumers the private consumer data they were capturing and selling to others, the result was not more consumer protection but merely more dense and indecipherable privacy disclosures that most users simply click-through without reading them – and certainly without understanding them – and therefore, without truly consenting to the data privacy erosion.
To compound the problem, all of this consumer data privacy erosion is largely irreparable and likely irreversible. Once data resides on the Internet, it is very difficult or impossible to erase.
Firms routinely take snapshots of the Internet that yield the cached webpages that turn up on your browser searches. Immense amounts of these data can be stored in a very small physical space and thus easily transported, shared, and stolen. Hackers have successfully targeted data stored in banks, hospitals, stores, and even government computers. According to one source, the Pentagon and the National Security Agency each repelled approximately ten million attempted cyber-intrusions per day in 2014. Some one million new malware threats were unleashed each day of 2014 alone. In 2014, private data concerning 110 million consumers was stolen from Target, another 83 million from J.P. Morgan Chase, and another 56 million from Home Depot. The consumer data stolen from Target earned the cyber-thieves at least $53.7 million on the black market and cost Target at least $148 million. More recently, large data breaches were reported by Equifax (2017) and Marriot International (2018). And the resultant downstream consequences in cybercrime, identity theft, and even extortion based on stolen consumer data, are skyrocketing.
The digital age has ushered in an age of privacy erosion unparalleled in history. Perhaps the closest analog occurred in the nineteenth century when photography and the growth of newspapers combined to put on the front page what once was hidden in the parlor. Louis Brandeis, destined to become an Associate Supreme Court Justice twenty-six years later, wrote in 1890 about this last era of privacy erosion. En route to recommending broad adoption of a right to privacy, later-Justice Brandeis and his co-author presaged the digital age:
Recent inventions and business methods call attention to the next step that must be taken for the protection of the person, and for securing to the individual . . . the right “to be left alone.” . . . Of the desirability – indeed of the necessity – of some such protection, there can, it is believed, be no doubt. . . . The intensity and complexity of life, attendant upon advancing civilization, have rendered necessary some retreat from the world, and man, under the refining influence of culture, has become more sensitive to publicity, so that solitude and privacy have become increasingly essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress. . . . The common law secures to each individual the right of determining, ordinarily, to what extent his thoughts, sentiments, and emotions shall be communicated to others [and each individual] generally retains the power to fix the limits of publicity that shall be given them. . . . The common law has always recognized a man’s house as his castle, impregnable, often, even to its own officers engaged in the execution of its commands. Shall the courts thus close the front entrance to constituted authority, and open wide the back door to idle or prurient curiosity?
Similarly, in the digital age, when heretofore private consumer data – through the wide open “back door” – is so freely captured, used, resold, reused, and more, for profit alone, and largely without the consent of the consumer who is the subject of the data, our right to privacy has been eroded almost beyond repair. It is past time for the FTC, other agencies, the executive branch, and Congress to step in and control this torrent of purloined consumer data. Opaque privacy waivers that consumers merely click through without understanding are no substitute for real and substantive consumer privacy protections in the digital age.
Further Reading
Federal Trade Commission Report (March 2012). Protecting Consumer Privacy in an Era of Rapid Change.
Federal Trade Commission Staff Report (Jan. 2015). Internet of Things: Privacy & Security in a Connected World.
Tobias, Sharon (Dec. 31, 2014). 2014: The Year in Cyberattacks. Newsweek.
Turow, J., Hennessy, M., & Draper, N. (June 2015). The Tradeoff Fallacy: How Marketers are Misrepresenting American Consumers and Opening Them Up to Exploitation (University of Pennsylvania, Annenberg School for Communication).
Warren, S. D. & Brandeis, L. D. (1890). The Right to Privacy. Harvard Law Review 4(5), 193–220.