Regular readers of this blog know that I am not afraid of an activist government as a technology policy-maker of last resort. I recently endorsed, for example, the Obama administration’s call for a national identity standard to protect us against identity theft – a program that would start with a government-business consensus but be regulated and ultimately enforced by the government.
It’s a given that government policy-making lags a crisis or a perceived need, and this is how it should be. Rather than criticize government for being reactive, we should applaud (up to a point) the pace at which a consensus is reached only after a need for government intervention becomes clear – and hopefully as a last resort. The history of tech regulation, which goes back to the Electronic Communications Privacy Act of 1986, is clear on one thing: the government acts only when all else fails.
I think we’ve reached that point when it comes to digital privacy and the sharing of information that is gathered about us on-line. In the news this month was the story of a new bipartisan bill introduced into the Senate. It’s called “The Commercial Privacy Bill of Rights Act of 2011.” The bill is jointly sponsored by John Kerry (D-MA) and John McCain (R-AZ) and so is now commonly called the Kerry-McCain Privacy Bill.
The bill aims to ensure that the data gathering intentions of every web site are clearly disclosed to the user, who has the right to opt-out at all times; for really sensitive information, an opt-in is required. The web site must disclose the purposes to which the data will be put, and cannot use it otherwise. Any parties to whom the data is sold must also adhere to the original intention. This latter provision is strong stuff, akin to the policy in effect in the EU which prohibits the use of data in ANY way that was not disclosed to the user at the point when the data was collected.
So far, so good, right? Well, not exactly…
The bill has been widely criticized as well-intentioned but weak, and may actually tilt the playing field against the consumer in some cases. For instance, it prohibits individual users from suing firms that violate the law (only the FTC and state attorneys general can bring suit). It prevents states from passing laws that are any tougher. And most significantly, it does NOT mandate the ‘do not track’ list that was proposed by the Federal Trade Commission last year. This policy has been called for by all sorts of privacy groups and watchdogs, like the Center for Digital Democracy, the Privacy Rights Clearinghouse and so on. All of these groups said that Kerry-McCain does not go far enough.
On the flip-side, many businesses and tech leaders were quick to endorse the bill. Intel, Cisco, eBay and HP issued a joint statement supporting it, saying that it “strikes the appropriate balance by providing businesses with the opportunity to enter into a robust self-regulatory program.” I’ve seen these self-regulatory programs before, and I worry that industry support for this bill is a way of co-opting anything stronger.
Kerry-McCain is a good start but it is only a start. I’m worried that the bill will be passed and Congress will wash its hands of further attempts to really solve the problem. This has happened before, for example with the CAN-SPAM Act of 2003. Of a dozen viable bills on the subject, Congress passed the most watered-down one possible. Case closed, problem never solved, at least not legally.
A ‘do not call’ list is a given in the age of telemarketing; we take it for granted and many of us depend on it to keep dinnertime relatively interruption-free. A ‘do not track’ policy on the web is a natural extension and we should all have that option. Make no mistake however: implementing it is complex and is something that must be built into every browser and adhered to by every web site. The Feds will have to go after the violators. But I want regulation with teeth in it, that accomplishes what needs to be done. The Kerry-McCain bill should be amended to include strong protections, before it becomes another well-meaning Washington stop-gap that will do nothing to hold back the tide.
3 comments:
There is a distinction that is missing from this issue. Does this law apply to all data collection or only that data that can be directly identified as coming from you? Most of the data collection that occurs on the web is of the anonymous type. It is a minority that can be tracked back to an individual.
If the opt in requirement applies to all data collection, then you will be getting a pop up to opt in or out on virtually every web site you visit. Not only will this be annoying, but people will soon click on either yes or no as a matter of course with no real thought behind the decision.
If it applies only to identifiable data collection, then the requirement will most likely work well.
Any other thoughts out there?
Dear Howard,
From Dave Gillespie
From a personal perspective, my belief is that there is SIGNIFICANT simple abuse in print (tons of catalogues) and digitally (really unwanted+ spam to me). Major abuse occurs, to me, in the form of sharing of contact data in all media, including the telephone. My belief is that there should be stringent laws and significant penalties for violators.
I am not familiar with much of the legislation, but the PA State "do not call list" is not overly effective. CatalogueChoice.com has not greatly reduced the tons of wasted print material coming to my home. AND I have found it almost impossible to "opt out" of email solicitations.
It is obvious that the direct mail marketing companies and associations have no real desire to make it easy for me to NOT RECEIVE the "critical material" they want to put in front of me.
Why should an e-tailer with whom I trust my business (or anyone with whom I do business) feel free (actually entitled) to send me anything other than the items I ordered or my monthly statement? Why should any company or organization feel free to share my mailing address, e-mail address, or phone number with anyone unless I have specifically authorized this based on an OPT IN paragraph in very large type, prominently featured in their material?
Our Country was founded on principles like "of the People, by the People and for the People." Government seems to have strayed from this at the Federal and State levels. The last time I looked, there were numerous special interest groups/lobbies for direct marketing and solicitation of consumers. My lobby is supposed to be Senators and Representatives that represent my/your/our best interests. I hardly feel that continual, unwanted and unauthorized (did not opt in) solicitation in any media is to my benefit.
"Strikes the appropriate balance by providing business with the opportunity to enter into a robust self-regulatory program." Shouldn't business be responsible without government intervention? I'm getting a bit long in tooth and I have not seen it in many instances.
BTW, my MBA is in Marketing, so I have a solid understanding of the goals, principles, practices and tools. The gathering and sharing of personal data has gotten way out of hand.
Business is self-serving: a business, large or small, must look to self-preservation in its policies, actions, etc. Often, things that are not so good for people, communities, society at large, are contrary to the self-preservation of business; business seeks to gloss over the bad in its mission to keep doing business to its benefit. Government, ideally, should then step in to counter or at least ameliorate any potential damage business might do. That takes guts - elected officials have to take a stand against the very entities that often fund their campaigns, provide jobs in their constituencies, etc.
Sadly, given the current political climate and focus on re-election, government seems to have ceded this function, giving way to business doing as it pleases.
Am I being cynical?