Who owns your personal information — you or the business you share it with?
It’s a fundamental question that gets to the heart of whether existing privacy protections are too strict or not strict enough.
It also addresses matters of accountability when data go astray, as was the case this week when a major credit card processing company said as many as 1.5 million card numbers may have been stolen by hackers. I wrote on Tuesday about the lack of adequate disclosure rules when people’s privacy is violated.
Today let’s look at whether your name, address, birth date and other sensitive data can be reasonably considered yours in an age when we’ve all been reduced to computer bits, and when personal info has become a commodity to be bought and sold by marketers and merchants.
“Businesses will often treat such information as assets,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center, an advocacy group. “For many businesses, it’s their primary asset.”
Yes, he’s talking about you, Facebook. And you, Twitter. And to only a slightly lesser extent he’s talking about Google, Amazon, Apple and other tech giants that know more about users’ online habits than users may know themselves.
“Companies won’t say it directly in their privacy policies, but they want people to concede that when you give the company your information, the company owns it and can do what it wants with it,” Rotenberg said.
Facebook’s grudging adoption of stricter privacy rules is illustrative of the situation.
The company makes most of its money from ads that target its more than 845 million users based on the personal information they divulge on the site. Facebook earned a profit of $668 million last year and could be valued at $100 billion or more when it goes public next month.
In November, the company settled with the Federal Trade Commission over allegations that it misled users about the handling of their personal info. The site shared with others tidbits that users had deemed private, the agency said.
Facebook also allowed advertisers to obtain personally identifiable information when a user clicked on an ad on his or her Facebook page, the FTC said. And it said Facebook shared user info with outside developers.
Mark Zuckerberg, Facebook’s head honcho, acknowledged in a blog post that the company had made “a bunch of mistakes.” But he said Facebook was addressing the problems and that it takes users’ privacy very seriously.
Most businesses say the same, even though their privacy policies often contain provisions for sharing customers’ data with third parties (read: marketers who pay for access to you), and even though customers are routinely forced to “opt out” from such sharing rather than more respectfully being asked to “opt in.”
“The reason they prefer ‘opt out’ is because they know no one would ever opt in,” said Ioana Rusu, regulatory counsel for Consumers Union. “Who would go into their privacy settings and say, yes, please track me?”
To provide more privacy online, the FTC is proposing that browser developers and websites give people the ability to block efforts to track their online activities. It also wants businesses to include more privacy protections in their apps, and to be more open in how people’s data are used.
“If companies adopt our final recommendations for best practices — and many of them already have — they will be able to innovate and deliver creative new services that consumers can enjoy without sacrificing their privacy,” Jon Leibowitz, chairman of the FTC, said in a statement.
For example, Google has built an “Incognito” mode into its Chrome browser, and Mozilla has developed a “Do Not Track” function for its Firefox browser for Android devices.
But here’s the thing: It’s up to individual companies to decide whether to voluntarily adopt such measures, and how rigorously to enforce them. In other words, the Internet industry would regulate itself.
The FTC also wants Congress to enact laws giving consumers the right to know what sort of information private-sector data brokers are amassing about them. Such companies create files on millions of people based on information from public databases and other sources, and then sell those files to marketers and other business interests.
Consumers should indeed be able to find out what’s being bought and sold in connection with their names, so lawmakers should act on the FTC’s proposal. But I’d take this whole thing a big step further.
I propose a law explicitly declaring that a person’s personal information belongs to that person, not to the companies it’s shared with. Aside from whatever uses are required for routine order fulfillment, no use of anyone’s information would be authorized without that person’s upfront consent.
Businesses of course would be gob-smacked by the very thought of losing control over customers’ data, and would no doubt fight aggressively to maintain the status quo. The depth of Facebook’s pockets would become clear very quickly.
But they had their chance, and they’ve repeatedly let us down. Now they have to win back our trust.
“When consumers give companies information, they’re not giving them a license to do whatever they want with it,” said Rusu at Consumers Union.
At least that’s how it’s supposed to be. All evidence to the contrary notwithstanding.
David Lazarus’ column runs Tuesdays and Fridays. He also can be seen daily on KTLA-TV Channel 5. Send your tips or feedback to firstname.lastname@example.org.