Information Privacy

Kathy S. SchwaigKennesaw State University

September 25, 2003

Four Types of Privacy

Informational Privacy Anonymity, confidentiality

Physical Privacy Ambush journalism, peeping Toms

Decisional Privacy Abortion rights, assisted suicide

Proprietary Privacy Publicity rights

Definitions of Privacy

“Modes by which people, personal information, certain personal property and decision making can be made less accessible to others.” Anita L. Allen 2001

“The right to be left alone.” Warren and Brandeis, 1890 “Claim of individuals, groups or institutions to determine for

themselves when, how and to what extent information about them is communicated to others.” Turner and Dasgupta, 2003

“The desire of consumers to control the disclosure and subsequent use of personal information.”

The Tension: Benefits vs. Concerns

Benefits to consumers: access to credit and financial services shopping choices and educational resources.“The perception of privacy infringement is ultimately shaped

by the issues of value and control. The perception of a consumer that knowingly provides personal information in exchange for a free PC is very different from a consumer having personal information unwittingly gathered and sold to third parties.” (Dennis, 2000)

Privacy Good for Business: Chris Larsen, CEO of E-Loan: “It’s good business practice.

Advances in technology are great, powerful and scary. We need a knockout blow against privacy fears that will benefit the consumer and the economy.”

Business Perspective

“The Importance of knowing what people are doing online, what they are purchasing, and what they are likely to do in the future is of the utmost importance to organizations.” (Hinde, 1999)

Privacy concerns hold economic ramifications. Studies reveal that privacy issues are the single greatest concern of Internet users and that privacy concerns represent the single most prominent reason for not shopping online (Hoffman, et al., 1999; Udo, 2001)

Privacy Calculus

“From a business perspective, privacy is really about making the consumer comfortable disclosing his/her personal information needed for relationship marketing. This involves simultaneously communicating to the consumer the benefits of disclosure and providing assurances that disclosure of personal information is a low-risk proposition.” (Culnan, 2000)

Concerns

Loss of control Misuse of information Risk to physical privacy Risk of economic injury/identity theft Unwanted intrusions into daily life Smith (1996): access, collection, secondary

use, errors

Attitudes Toward Privacy (Turner and Dasgupta, 2003)

Privacy Fundamentalist: 17% Pragmatic: 56% Marginally concerned: 24%

Why Privacy is Important

Personhood, individuality, personal and social relationships, autonomy; information is relationship currency

Workable Societal Objective The “ presumption of privacy” is not

absolute….must often be weighed against other considerations such as public health and national security (9/11).

Post 9/11

British Airways Terrorist Information and Prevention System (TIPS) Trusted Traveler USA Patriot Act (Uniting and Strengthening America by

Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001)/data mining

Total Information Awareness (DOD): “Detect and Deter” Cost to Companies

Compliance: Bell South, privacy policies Non-compliance: Western Union

Post 9/11

“Almost every country that changed its laws to reflect the environment following 9/11 increased the ability of law enforcement and national security agencies to perform interception of communications and transformed power of search and seizure and increased the type of data that can be accessed” Waak, 2002

Legislation

Cable TV Privacy Act of 1984 Children's Online Privacy Protection Act of 1998 Consumer Credit Reporting Reform Act Driver's Privacy Protection Act Electronic Communications Privacy Act (ECPA), revised February 1994. Electronic Funds Transfer Act Electronic Signatures in Global Commerce Act, July 2000. Fair Credit Reporting Act, 1970 Amended 1999. Family Education Rights and Privacy Act Financial Services Modernization Act of 1999 (AKA Gramm-Leach-Bliley) Freedom of Information Act 1974 Privacy Act of 1974 Right to Financial Privacy Act (RFPA) 1978 Telecommunications Act Telemarketing and Consumer Fraud Act

Three Ways to Regulate

Government Industry (self)

Legislation: defining the appropriate rules Enforcement: initiation of enforcement when

rules are broken Adjudication: whether or not the company

has violated the rules. Consumer

Self-Regulation

“Governments of the industrial world, you wary giants of flesh and steel…on behalf of the future, I ask you of the past to leave us alone…you do not know our culture, our ethics or the unwritten codes that already provide our society more order than could be obtained by any of your impositions”

John Perry Barlow “Declaration of the Independence of Cyberspace”

Self-Regulation

Self-regulatory Regimes Network Advertising Initiative Privacy Leadership Initiative Online Privacy Alliance Platform for Privacy Preferences IBM Institute and Privacy Management Council Trustee, BBB Online Industries developing principles and practices that reflect

the consensus on the best approaches. “Letting the Fox Guard the Hen House”

FTC’s Agenda

Creating a National Do Not Call List Increasing Enforcement against SPAM Helping victims of identity theft Stopping Pretexting Encouraging accuracy in Credit Reporting Increasing enforcement on COPPA Enforcing the Telemarketing Sales Rule Restricting the Use of Pre-acquired information Enforcing GLBA Enforcing privacy policies Holding Workshops

Need for Online Privacy Leadership

Remarks of FTC Chairman Muris

“More legislation could increase consumer confidence” “Could ensure consistent regulation of collection

practices across 50 states” “We need more information about how legislation will

work , what it will cost, and benefits or “acres of trees” will die!”

“Challenges of new legislation are daunting…. Application of access and security is daunting”

“Should we limit to online practices” “More law enforcement rather than laws?”

Concept of Fair Information Practices

Notice/Awareness: consumers should have notice of an organization's online information practices

Choice/consent: consumers should have a choice about the use and dissemination of information they reveal, usually through an opt-in or opt-out mechanism

Access/Participation: consumers should have access to the information businesses collect about them to help ensure accuracy and completeness

Integrity/Security: consumers should have the personal information collected about them adequately secured from outside parties and from corruption of the data

Enforcement/redress: consumers should have a way to ensure that businesses and organizations comply with these core privacy principles either through external regulation (audits ) or certification programs

Our Study

Reviewed the Privacy Policies of the Fortune 500 to ascertain the extent to which these sites post privacy policies that reflect fair information practices.

Final Thoughts

Sites post privacy policies but they typically do not fully reflect FIP

Most policies have confusing and often ambiguous wording

FTC has promised greater accountability