In Depth

Online Privacy: Nowhere to Run, Nowhere to Hide

As news of the spread of the avian flu grows, businesses must factor in the possibility of a pandemic into their continuity planning.

By CSO Contributor

Page 3

Accepting Privacy Tradeoffs

In some ways, the debate over privacy on the Web shows amnesia about long-standing business practices and consumer behavior, said Accenture's Brodnitz. "People have been trading personal credit information for better rates on loans for years. They will give up information in exchange for higher quality or good service. Capital One broke the back of the 19.1 percent interest rate on credit cards by looking at other kinds of information."

And even before Capital One, financial-services firms had large amounts of data on their customers' incomes, debts, purchase histories and personal preferences. A credit-card issuer knows, for example, the places its customers visit and the sorts of restaurants they favor. Consumers, in essence, invite hefty invasions of their privacy for the convenience of the cards.

Brodnitz also suggested that companies fret too much about the potential downsides of protecting privacy. They worry, for example, that most customers might reject being marketed to based on their personal information. But consumers, he pointed out, like the idea of privacy more than they like to ensure the protection of theirs. "Everybody wants a privacy policy, but nobody wants to read it. What companies need to realize is that people want the ability to opt out even if they never do it."

Privacy protection isn't just an obstacle to making money, Brodnitz added. It also presents opportunities. Companies that already occupy trusted positions, like brokerages and law firms, might present themselves as protectors and brokers of private information. Consumers might authorize them to make judgments about when and to what extent personal information should be released.

But these sorts of businesses may not emerge unless federal lawmakers clarify the muddle of privacy protections in the United States. If anything, the current crazy quilt of laws can make business more costly, said Brooklyn Law School's Seltzer. "We don't have an overarching data privacy law, and companies therefore have to contend with a patchwork of federal and state laws."

Just at the federal level, companies must grapple with a variety of rules that protect privacy to differing extents. "Health-care information is strongly regulated under [the Health Insurance Portability and Accountability Act]," Seltzer noted. "Financial information has some protection, and the [Federal Trade Commission] can go after unfair and deceptive trade practices." For example, ChoicePointa Georgia-based provider of identification and credential verification services"settled with the FTC for $15 million, including $5 million in restitution to customers, for a security breach."

Without a federal privacy umbrella, individual cases mainly boil down to contracts. The ownership of a person's online profilethat is, her identity and Web-surfing behaviorand a company's ability to use it depends on the user agreements that she accepts when registering for sites. "People should be careful in signing up for these things," Seltzer warned. Provisions accepted unwittingly can come back to haunt them.