Legal Issues: Data privacy, Security, and Intellectual Property
The Right to Privacy?
In the United States, we have no expressly stated right to privacy. Scour the United States Constitution’s Bill of Rights and you will see privacy is not expressly mentioned. Some case law has established right to privacy, most notably Roe v. Wade (1973), but so far a provision for true data privacy has not been mentioned. The reason for this lack of attention is based in the historical foundations of the United States itself.
Calvin Coolidge said “the business of America is business.” To prosper, business needs data. So although freedom of religion and separation of church and state were an important founding principles in the United States, also important was the freedom of commerce. The Revolution, after all, started in part over perceived unfair taxation of tea imported into the country. The 18th century was also the age of laissez-faire capitalism as articulated by Adam Smith. The idea of free trade and free markets was allowed to flourish in the newly founded United States. As we discussed in Chapter 1, data must flow along the value chain to help create value for the customer and profits for the firm. Customer information is included in that data.
For many years, data flowed freely in this country to facilitate commerce. A key element of this free flow of commerce was based on the trust that the consumer had that the data would be used in a responsible manner. However, let’s face it: things moved more slowly in the 18th century. As noted in Chapter 1, there have been trends in the last 20 years that have fueled e-commerce and digital marketing growth. The growth of the Internet and the ability to manage large-scale databases in a real-time fashion has meant that marketers have the ability to know more about us that we really might want them to know and to track our behavior online using a variety of mechanisms.
Earlier, in the context of online advertising, we talked about tracking cookies that are placed on our computer by various websites and search engines. These cookies can help by remembering our preferences when we return to a website or by delivering a targeted advertisement. On the other hand, if we don’t want the enhanced web experience, we can delete cookies or use ad blocking software on our browser. It’s rather like direct mail in concept. If we did not have data management companies cleansing data and helping firms target us, we would receive far more direct mail solicitations than we receive today and they would be of less interest to us. Similarly, if we decide not to enable cookies, we have a generic browsing experience full of ads for refinancing our mortgage and reducing troublesome “belly fat!”
Consumer Attitudes toward Privacy
Nonetheless, data privacy is an emotionally charged issue. First, consumers often confuse data privacy and data security, which will be discussed later. Emotions run high not only about data security breaches, but consumers also have negative attitudes toward marketing and fear of the government having too much information about individuals and using it in an intrusive way. When speaking about data privacy we refer to personally identifiable information (PII). Dr. Alan Westin, who before his death was a professor of Law at Columbia University, did a lot of research on public attitudes toward privacy and found that most of us were willing to trade privacy for something of value. Consumers in general want more control over their PII but aren’t sure they want to go through all the steps necessary to control information. Would you really want to tell every website with which you interact how to handle your information?
A good exercise is to look at the privacy policy of a large company like Amazon.com. Amazon’s privacy policy may be found here.84 You will see that the policy does not say that the company will not resell your information. It does say what the company will do with the information in a forthright manner and is one of the best examples of a privacy policy. Many companies that have gotten into trouble over PII have not followed their privacy policies so if the policy is in place, it should be followed.
Nonetheless, in various studies the majority of individuals feel uncomfortable with activities such as behavioral targeting of advertising, with generational differences seen. Younger consumers are more likely to feel comfortable with how data is used today to target advertising to them across various devices. The Wall Street Journal’s What They Know series has a number of articles that outline how companies use tracking tools when we use their software. The articles gained a lot of press coverage and have been influential in shaping congressional thoughts about data privacy. The WSJ documented how different mobile applications access our information in a link referenced below.85
The EU Approach
In contrast, the European Union views data privacy differently. The 1995 86 EU directive allows the data “subject” right of access to data and the right to find out about the processing of data. The European Union, while understanding that data is important to the flow of commerce, considers data about the customer belongs to the customer not the company or entity processing the data. The European Union is in the process of creating a right to be forgotten,87 which will allow entities to essentially “opt-out” of being found by search engines like Google. Stronger data privacy protection laws are also likely on the horizon.
With such differing standards, how do companies do business with the European Union? U.S. companies who comply with what are known as the Safe Harbor practices are allowed to do business with companies and consumers in EU countries. These provisions are listed as the following: notice, choice, onward transfer, access, security, data integrity, and enforcement.88
These rights under the EU directive are still just guidelines in the United States. The FTC has suggested Fair Information Practices principles which include remarkably similar categories of notice/awareness, choice/consent, access/participation, and enforcement/redress. Unfortunately, these practices are still guidelines. The FTC in its guidelines on this issue has suggested that companies design privacy into their products and service, simplify choices, and provide greater transparency for data, but so far these suggestions are just guidelines.
Even in the United States today, there are regulations regarding the privacy of PII as it relates to children under the age of 13 (Children’s Online Privacy Protection Act, COPPA), the Gramm-Leach-Bliley Act for the disclosure of financial services data usage and the Health Insurance Portability & Accountability Act (HIPPA) which gives patients greater control and access to health records. The United States has decided that in these three areas at least, some government regulation and control is necessary. Whether there will be more control in the future in the United States depends on the legislative process and the concerns of consumers in this area. The Internet Advertising Bureau (IAB) and other trade groups have also introduced principles for self-regulation of online advertising and tracking.89 Consumers can look for an Advertising icon which indicates compliance to get a sense if they wish to do business with a particular site.
Security and Intellectual Property Issues
The issue of data security is related to data privacy because consumers often confuse the two concepts. It seems hardly a month goes by without hearing about some type of data breach at a major company or a virus that has compromised our PII. In addition, the practices of phishing (e-mails attempting to collect PII), pfarming (websites that look real but are not), and spoofing (imitating another person or site) are also threats to the integrity of our personal information. With more transactions being carried out online and over mobile networks that might not be secure, the danger to our information increases. Identity theft continues to rise and the bottom line is that fraud will continue to increase and we need to take steps to protect our information. Even the simple practice of changing passwords on accounts frequently can help protect our personal information.
This topic of legal issues in digital marketing, like the other chapter in this book, could each warrant their own book and chapter. I have tried to highlight the key issues in this area and would like to conclude with a word about intellectual property. The ability to share files digitally has impacted the world of intellectual property in a major way. The entire music industry, for example, has had to reinvent itself, albeit slowly, due to the appearance of file sharing services such as Napster. Although Napster had to take down its Peer to Peer (P2P) sharing system, only to re-emerge as a paid music downloading service, the lawsuits surrounding the service paved the way for an entirely new way of looking at the music industry.
Consumers today cannot only share content with each other but also receive music on the cloud, through music services, through streaming audio and video and the like. Rights management firms try to ensure that the creators of content receive credit for their work. The Digital Millennium Copyright Act (1998) was intended to protect authors and their publishers alike by ensuring ISPs remove infringing content and that royalty fees are properly paid. However, with the ability to share information so easily on digital media, intellectual property rights, like data security and privacy, will continue to be a challenge. Some people advocate the Creative Commons approach, whereby authors can grant to the public some limited rights to their work.90 I wonder if we won’t go back to the systems popular before the modern era, where artists had sponsors to support them and did not rely on royalties for revenue.
What to Do Next after Chapter 8:
1. Think about the particular campaigns or actions you recommended for your company or another firm for Chapters 4 through 7. What privacy concerns are related to these campaigns?
2. Based on your analysis in question 1, develop recommendations for the company to protect its customer data and still facilitate business.
3. Analyze the current legislation discussed in the chapter. Does any of this apply to the situation you selected? How does the legislation apply and how will you handle the legal issues in the business?
Chapter 8 Discussion Questions:
Discussion 8.1: Intellectual property as a concept is dead because of the Internet and digital communication. Do you agree or disagree and why?
Discussion 8.2: Discuss concerns that consumers may have about the privacy of their PII. What do you think a business can and should do to alleviate these concerns?
Discussion 8.3: Pick a company and read its privacy policy. What steps do you recommend the company use to further safeguard the personal information of its customers.
Discussion 8.4: Read Amazon.com’s privacy policy as shown in the link above. What do you like about the policy Is there anything that concerns you in the policy?
Chapter 8 Glossary:
COPPA: Children’s Online Privacy Protection Act
HIPPA: Health Insurance Portability & Accountability Act
IAB: Internet Advertising Bureau
PII: Personally Identifiable Information
EU Safe Harbor Provisions: Guidelines to which companies must adhere regarding data to do business with firms in the European Union.
84 Amazon. 2014. “Amazon.com Privacy Notice.” Web site. http://www.amazon.com/gp/help/customer/display.html?nodeId=468496 (10/13/2014).
85 WSJ. 2014. “What They Know—Mobile.” Blog. http://blogs.wsj.com/wtk-mobile/ (10/13/2014).
86 European Parliament and Council. 2014. “Protection of Personal Data.” European Parliament and Council Directive. http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=URISERV:l14012&from=en&isLegissum=true (10/13/2014).
87 European Commission. “ Factsheet on the ‘Right to be Forgotten’ Ruling (C-131/12).” pdf. http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf (10/13/2014).
88 Export.gov. 2014. “U.S.-EU Safe Harbor Overview, Overview.” Web Site. http://www.export.gov/safeharbor/eu/eg_main_018476.asp (10/13/2014).
89 IAB. 2014. “Self-Regulatory Program for Online Behavioral Advertising.” Website. http://www.iab.net/self-reg (10/13/2014).
90 Creative Commons. 2014. “About.” Web Site. http://creativecommons.org/about (10/13/2014).