On data privacy, Congress and agencies are both baffled

Privacy is a hot-button issue. There is a raging war today for the personal data of the average consumer, and a Maginot line has been clearly drawn by the antagonists.

On one side are marketers, advertisers, and Internet and data companies, who want unfettered access to as much personal information as possible. On the other side are consumer advocates, privacy purists and think tanks that want to limit or disallow commercial access to personal data, altogether. In the middle are consumers, who mostly want to keep getting as much free online stuff as possible, but who are clueless about the consequences. At stake are billions of dollars in revenue and profits from the retailing of rich consumer data, which are dearly valued by businesses selling everything from cars to computers.

ADVERTISEMENT

"Big data" has made its way into the popular lexicon. We have seen the global fallout when massive databases are hacked or compromised, and have questioned the government's authority to compel technology companies to share or surrender their closely held consumer data. Yet, even as new revelations unfold on the fragility and security of data, most Americans are lost in the cloud(s) when it comes to their information.

Companies in every sector are trying to reassure consumers that privacy is paramount. The advertising industry has launched an ambitious self-regulatory regime to govern online behavioral advertising practices, and consumers are now empowered to search the web anonymously. Not long ago, Microsoft made consumer privacy protection the default position for its search engine — a move eschewed by its competitors. At the same time, Google continues to collect more data on more people than any single entity anywhere in the world.

In fact, privacy has moved from the playbook of shrill consumer activists to the top of the policy agenda. In Washington, the issue spawns countless conferences, debates and organizations devoted to finding a solution. Congress and regulatory agencies seem to be baffled by divergent paths forward. Tasked with deciding the rights, the wrongs and the rules of the consumer privacy conundrum is the U.S. government.

FTC enforcement

Up to now, the Federal Trade Commission (FTC) has been the prime protector of data and consumer privacy. For decades, the FTC has shaped the privacy landscape through its balance of consumer and commercial rights, law enforcement and policy advocacy. It has embraced effective self-regulation in numerous industries, and has encouraged the adoption of strong privacy programs with independent monitors. When warranted, it has brought enforcement actions against the likes of Google and Facebook, requiring companies to obtain consumers' express consent before materially changing their data practices. It has prosecuted online advertising networks that failed to honor opt-outs, and made sure that a consumer's choice not to be tracked by advertisers is respected. It has challenged applications that set default privacy settings in a way that cause consumers to unwittingly share their personal data, and sued companies for failing to maintain reasonable data security. When it comes to enlightened policy and consumer education, the FTC has convened scores of surveys, workshops, conferences and reports on the panoply of privacy and data security issues. The FTC has set global standards and proven itself fair, nonpartisan and business agnostic. It has testified before Congress and provided thought leadership and practical guidance to other governmental agencies, including the Federal Communications Commission (FCC) and the European Union. Consumers and businesses have come to rely on the insightful instruction on the FTC website, and the volumes of plain-language reports it publishes. It is home to the federal government's largest roster of legal, economic and privacy experts. As far as privacy goes, no other agency even comes close.

Whither the FCC?

Given the FTC's stellar record on data privacy, many in Washington have questioned why the FCC now seeks to establish another privacy enforcement regime governing internet service providers (ISPs). While privacy and data security are among the most compelling policy challenges in today's world, there are doubts as to what additional capacity the FCC brings to the fore. Beyond the prospect of creating confusion, redundancy or conflicting regulations, some suggest not very much at all. And then there is the view that the FCC's claimed jurisdiction in consumer privacy is based on a dubious statutory foundation, namely that provided by Title II net neutrality authority. Plus, there is ample research to suggest that the ability of ISPs to collect and control consumer data is secondary to that of non-ISPs such as Google, Facebook and Amazon. If so, the FCC's efforts are amiss.

And what about Google?

It is not possible to discuss data and privacy without a review of Google and its unparalleled dominance in consumer data. The breadth and depth of information amassed by Google, alone, surpasses everything collected by all retail, financial, media, healthcare, telco, communications, utility, entertainment and nonprofit firms combined. Oh, and that goes for the U.S. government, too. Over 38 states, plus the District of Columbia, along with Australia, Germany, Spain, the U.K. and several other nations have investigated Google's search and data collection practices.

A few years ago, the FTC launched an exhaustive investigation into Google's practices. Despite a high-level staff recommendation to pursue an antitrust law suit, the commissioners of the FTC decided against such action. Today, the wisdom and rationale for that decision are being questioned, and Google is once again under scrutiny. 

Among the many questions are these:

  • Are we comfortable with the aggregation, analysis and auctioneering of data about our habits, households, health and holdings?
  • Do we mind that our personal associations, interests, travel, readings, mail, phone calls, searches and purchases are stored and maintained by one dominant company?
  • Is it OK that every single email correspondence and search query is scanned and stored by a company that owns, aggregates or hosts more Internet content than any other single entity in the world, including the federal government?
  • Are we troubled by the ability of a big company to integrate disparate data to compile the most comprehensive profiles imaginable, and to what use?

And now ...

In a world where "the Internet of things" is an emerging reality, the challenge for policymakers is to develop a set of rules that balance the consumer's right to privacy against the marketer's well-established, constitutionally protected, right to commercial speech. What complicates this task is that consumer data are typically collected through techniques and technology unseen and unknown to the average internet user. A growing array of sophisticated analytic tools allow Google, Yahoo and Facebook to watch us wherever we go by tracking our searches, scanning our email, cross-referencing our contacts and using the data to deliver ads based on our online behavior. When we blithely consent to the collection of our personally identifiable information as a condition of free and continued use, a social contract is formed and the veneer of privacy fades.

But this cozy compact is beginning to fray. Today's digitally conscious consumers expect and demand more control over their own data. They want to determine when, where and how they interact electronically with banks, stores and advertisers. Even though collected data can inform innovation and improve services and transparency, choice and consent are the consumer mandates of the day. And all politics and turfism aside, that should be the guiding principle for a prudent U.S. policy on privacy.

To be clear, I believe most companies are learning to be careful and responsible when it comes to the respect and protection of consumer privacy. But there are those exceptions that do not play by the rules. And when the rules on privacy are ambiguous, neither corporations nor consumers will benefit.

Hoffman is chairman of Business in the Public Interest and adjunct professor at Georgetown University. He is a former congressional and FCC lawyer and member of the National Advertising Review Board.