A. Establishing the value of personal information to consumers
1. Personal information collected via the Web has tremendous value.
"Through database marketing, firms can now generate surprisingly detailed personal profiles. When such data are overlaid onto specific transactional data generated by cyberspace transactions — what we read, what we view, what we buy, to whom we speak — a rich and telling portrait of the individual is possible [psychographic profiling].... Such portraits pose a synergistic threat to privacy — synergistic in that the privacy threat of the profile is greater than the sum of the privacy threats associated with each individual bit of information considered in isolation."[1]
The collection, aggregation, and analysis of private data realizes its inherent value to data brokers and other public and private organizations.
The consumer dossiers compiled by data broker Acxiom include "your age, race, sex, weight, height, marital status, education level, politics, buying habits, household health worries, vacation dreams."[2]
a. Acknowledging the value of personal information, do ownership rights transfer when the data is collected?
b. Do the consumer "sellers" intend to pass title to their private-data property?
c. Have they waived their right to prevent unfettered publication of the data? Have they lost dominion and control over the data?
d. Short of not transacting with the data collector, do consumers have an option to retain dominion and control over the data? Do they have a right, Constitutional or otherwise, to such an option?
e. Do consumers have a right to enter into a contract with data collectors that provides them with valuable, bargained-for consideration in exchange for use of their private data?
2. As personal information becomes more valuable, the potential damage to individuals for misuse of their private data increases.
Courts haven't yet recognized the need to protect this personal asset. To date the courts have ruled that personal information has no value to consumers when it is collected.
"[T]he defendants [pharmacies] neither sold information entitled to legal protection nor made any misrepresentations on which the plaintiffs justifiably relied regarding the way that consumer information would be handled. In addition, the information the defendants sold to third parties does not carry a compensable value to the plaintiffs or constitute an invasion of privacy."[3]
The Steinberg decision cites several other cases that reached the same conclusion:
"La Court v. Specific Media, Inc., No. 10-1256, 2011 U.S. Dist. LEXIS 50543, 2011 WL 1661532, at *4 (C.D. Cal. Apr. 28, 2011) (noting that the defendant's practice of collecting the plaintiffs' web browsing histories could not give rise to a finding that they suffered injury, and rejecting the argument that the practice 'deprived [them] of this information's economic value'); In re JetBlue Airways Corp. Privacy Litig., 379 F. Supp. 2d 299, 327 (E.D.N.Y. 2005) (finding that the personal information of individual airline passengers has no 'compensable value in the economy'); In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497, 525 & n.35 (S.D.N.Y. 2001) ('[A]lthough demographic information is valued highly... the value of its collection has never been considered an economic loss to the subject.... [W]e are unaware of any court that has held the value of this collected [demographic] information constitutes damage to consumers or unjust enrichment to collectors.')"[4]
Likewise, the federal court has ruled that the Electronic Communications Privacy Act[5] doesn't apply to the information Web-service users volunteer — implicitly or explicity — to the sites.
"[Title II of the Electronic Communications Privacy Act, 18 U.S.C. § 2701 et. seq.] in no way outlaws collecting personally identifiable information or placing cookies, qua such. All that the Web sites must authorize is that DoubleClick access plaintiffs' communications to them.... Therefore, we find that the DoubleClick-affiliated Web sites consented to DoubleClick's access of plaintiffs' [consumers'] communications to them."[6]
"Although the users' requests for data come through clicks, not keystrokes, they nonetheless are voluntary and purposeful. Therefore, because plaintiffs' GET, POST and GIF submissions to DoubleClick-affiliated Web sites are all 'intended for' those Web sites, the Web sites' authorization is sufficient to except DoubleClick's access under § 2701(c)(2)."[7]
DoubleClick's collection and reuse of consumers' private information was also found to be exempt from the Wiretap Act.[8]
3. "If an individual's personal information has a value at the moment it is shared, how do you determine that value?"[9]
Stanford University Professor Jerry Kang identifies three sources of value for personal information: 1) avoiding embarrassment, 2) constructing intimacy, and 3) averting misuse.[10]
What is collected: 1) identity, 2) computer configuration, and 3) browsing history.
Identity information is collected via authentication (user ID and password), reverse-index domain name or e-mail address, national lookup databases, cookies and other tracking technologies, as well as by cellular, GPS, and other location-reporting services. It is also provided by government agencies via their public databases.
4. Not only do data brokers know a lot about us, they know a lot about hundreds of millions of people, so the ocean of information available to their sophisticated data analyzers is vast.
This improves the accuracy of the organizations' predictions about our future behavior. It also enhances the value of the data in both raw and processed forms. Bigger data pools and more sophisticated data-analysis tools combine to increase the potential value of the information.
The customers for this data are advertisers, vendors, and organizations of all types. The data's value is derived in large part from its source: us. Yet we cede this important commodity, unknowingly and involuntarily, with almost every transaction we make. Unknowingly because even the collectors don't comprehend the varied uses they will find for the data. Involuntarily because consumers agree to the services' terms of use without understanding what exactly they are agreeing to, and couldn't understand because the services do not disclose with any precision how the personal information will be used. How can you voluntarily acquiesce to an agreement that is inchoate and open-ended?
Data collectors that offer "free" services, such as Google and Facebook, argue that we exchange our personal information for the right to use their services. Likewise, businesses such as supermarkets and drug stores that collect information about consumers' buying history via reward cards or other methods claim participating consumers are compensated through lower prices and other benefits.
They offer a counter-argument: by blocking the free flow of information, commerce is inhibited because personal information becomes more difficult to collect.
However, including consumers in the collection process could make data brokerage more efficient by improving accuracy (self checks), allowing more precision, and potentially broadening voluntary collection of consumers' personal information in exchange for valuable consideration. Private data would then be protected under contract principles in addition to privacy statutes.
a. How can vendors prove their assertion that their customers realize the value of the personal data they provide through lower prices and improved products and services?
b. If the claim is true, does it justify not allowing consumers to opt-out?
c. If consumers opt in to providing their personal information, can they negotiate contracts with the vendors to memorialize the exchange and apply contract protections?
[1] Jerry Kang, Information Privacy in Cyberspace Transactions, Stanford Law Review, Vol. 50, p. 1239-1240, 1998.
[2] Mapping, and Sharing, the Consumer Genome, Natasha Singer, New York Times, June 12, 2012.
[3] Steinberg v. CVS Caremark Corp., 899 F. Supp. 2d 331 (E.D. Pa. 2012), 337.
[4] Id. at 340.
[5] 18 U.S.C. § 2701
[6] In re Doubleclick Privacy Litig., 154 F. Supp. 2d 497, 510-511 (S.D.N.Y. 2001)
[7] Id. at 511.
[8] 18 U.S.C. § 2511(2)(d).
[9] Kang, supra, at 1212.
[10] Kang, supra, at 1212.
B. Establishing consumers' right to control dissemination of personal information
"Through database marketing, firms can now generate surprisingly detailed personal profiles. When such data are overlaid onto specific transactional data generated by cyberspace transactions — what we read, what we view, what we buy, to whom we speak — a rich and telling portrait of the individual is possible [psychographic profiling].... Such portraits pose a synergistic threat to privacy — synergistic in that the privacy threat of the profile is greater than the sum of the privacy threats associated with each individual bit of information considered in isolation."[1]
The collection, aggregation, and analysis of private data realizes its inherent value to data brokers and other public and private organizations.
The consumer dossiers compiled by data broker Acxiom include "your age, race, sex, weight, height, marital status, education level, politics, buying habits, household health worries, vacation dreams."[2]
a. Acknowledging the value of personal information, do ownership rights transfer when the data is collected?
b. Do the consumer "sellers" intend to pass title to their private-data property?
c. Have they waived their right to prevent unfettered publication of the data? Have they lost dominion and control over the data?
d. Short of not transacting with the data collector, do consumers have an option to retain dominion and control over the data? Do they have a right, Constitutional or otherwise, to such an option?
e. Do consumers have a right to enter into a contract with data collectors that provides them with valuable, bargained-for consideration in exchange for use of their private data?
2. As personal information becomes more valuable, the potential damage to individuals for misuse of their private data increases.
Courts haven't yet recognized the need to protect this personal asset. To date the courts have ruled that personal information has no value to consumers when it is collected.
"[T]he defendants [pharmacies] neither sold information entitled to legal protection nor made any misrepresentations on which the plaintiffs justifiably relied regarding the way that consumer information would be handled. In addition, the information the defendants sold to third parties does not carry a compensable value to the plaintiffs or constitute an invasion of privacy."[3]
The Steinberg decision cites several other cases that reached the same conclusion:
"La Court v. Specific Media, Inc., No. 10-1256, 2011 U.S. Dist. LEXIS 50543, 2011 WL 1661532, at *4 (C.D. Cal. Apr. 28, 2011) (noting that the defendant's practice of collecting the plaintiffs' web browsing histories could not give rise to a finding that they suffered injury, and rejecting the argument that the practice 'deprived [them] of this information's economic value'); In re JetBlue Airways Corp. Privacy Litig., 379 F. Supp. 2d 299, 327 (E.D.N.Y. 2005) (finding that the personal information of individual airline passengers has no 'compensable value in the economy'); In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497, 525 & n.35 (S.D.N.Y. 2001) ('[A]lthough demographic information is valued highly... the value of its collection has never been considered an economic loss to the subject.... [W]e are unaware of any court that has held the value of this collected [demographic] information constitutes damage to consumers or unjust enrichment to collectors.')"[4]
Likewise, the federal court has ruled that the Electronic Communications Privacy Act[5] doesn't apply to the information Web-service users volunteer — implicitly or explicity — to the sites.
"[Title II of the Electronic Communications Privacy Act, 18 U.S.C. § 2701 et. seq.] in no way outlaws collecting personally identifiable information or placing cookies, qua such. All that the Web sites must authorize is that DoubleClick access plaintiffs' communications to them.... Therefore, we find that the DoubleClick-affiliated Web sites consented to DoubleClick's access of plaintiffs' [consumers'] communications to them."[6]
"Although the users' requests for data come through clicks, not keystrokes, they nonetheless are voluntary and purposeful. Therefore, because plaintiffs' GET, POST and GIF submissions to DoubleClick-affiliated Web sites are all 'intended for' those Web sites, the Web sites' authorization is sufficient to except DoubleClick's access under § 2701(c)(2)."[7]
DoubleClick's collection and reuse of consumers' private information was also found to be exempt from the Wiretap Act.[8]
3. "If an individual's personal information has a value at the moment it is shared, how do you determine that value?"[9]
Stanford University Professor Jerry Kang identifies three sources of value for personal information: 1) avoiding embarrassment, 2) constructing intimacy, and 3) averting misuse.[10]
What is collected: 1) identity, 2) computer configuration, and 3) browsing history.
Identity information is collected via authentication (user ID and password), reverse-index domain name or e-mail address, national lookup databases, cookies and other tracking technologies, as well as by cellular, GPS, and other location-reporting services. It is also provided by government agencies via their public databases.
4. Not only do data brokers know a lot about us, they know a lot about hundreds of millions of people, so the ocean of information available to their sophisticated data analyzers is vast.
This improves the accuracy of the organizations' predictions about our future behavior. It also enhances the value of the data in both raw and processed forms. Bigger data pools and more sophisticated data-analysis tools combine to increase the potential value of the information.
The customers for this data are advertisers, vendors, and organizations of all types. The data's value is derived in large part from its source: us. Yet we cede this important commodity, unknowingly and involuntarily, with almost every transaction we make. Unknowingly because even the collectors don't comprehend the varied uses they will find for the data. Involuntarily because consumers agree to the services' terms of use without understanding what exactly they are agreeing to, and couldn't understand because the services do not disclose with any precision how the personal information will be used. How can you voluntarily acquiesce to an agreement that is inchoate and open-ended?
Data collectors that offer "free" services, such as Google and Facebook, argue that we exchange our personal information for the right to use their services. Likewise, businesses such as supermarkets and drug stores that collect information about consumers' buying history via reward cards or other methods claim participating consumers are compensated through lower prices and other benefits.
They offer a counter-argument: by blocking the free flow of information, commerce is inhibited because personal information becomes more difficult to collect.
However, including consumers in the collection process could make data brokerage more efficient by improving accuracy (self checks), allowing more precision, and potentially broadening voluntary collection of consumers' personal information in exchange for valuable consideration. Private data would then be protected under contract principles in addition to privacy statutes.
a. How can vendors prove their assertion that their customers realize the value of the personal data they provide through lower prices and improved products and services?
b. If the claim is true, does it justify not allowing consumers to opt-out?
c. If consumers opt in to providing their personal information, can they negotiate contracts with the vendors to memorialize the exchange and apply contract protections?
[1] Jerry Kang, Information Privacy in Cyberspace Transactions, Stanford Law Review, Vol. 50, p. 1239-1240, 1998.
[2] Mapping, and Sharing, the Consumer Genome, Natasha Singer, New York Times, June 12, 2012.
[3] Steinberg v. CVS Caremark Corp., 899 F. Supp. 2d 331 (E.D. Pa. 2012), 337.
[4] Id. at 340.
[5] 18 U.S.C. § 2701
[6] In re Doubleclick Privacy Litig., 154 F. Supp. 2d 497, 510-511 (S.D.N.Y. 2001)
[7] Id. at 511.
[8] 18 U.S.C. § 2511(2)(d).
[9] Kang, supra, at 1212.
[10] Kang, supra, at 1212.
B. Establishing consumers' right to control dissemination of personal information
Copyright 2014-2015 by Dennis O'Reilly/Rag Hall -- All rights reserved.