Self-regulation isn’t enough
Because of the lack of legal protections for online privacy, the only restrictions that govern companies’ behavioral tracking are ones that the companies create themselves. So far, self-regulation has not resulted in enough privacy protection for consumers.
Way back in 1997, the FTC recommended that websites adopt some sort of anonymous payment system: the “federal government should wait and see whether private industry solutions adequately respond to consumer concerns about privacy … that arise with the growth of electronic payment systems, and then step in to regulate only if those efforts — be they market-created responses, voluntary self-regulation or technological fixes, or some combination of these — are inadequate.” (1) More than ten years later, there are still no common, easy to use online payment systems that preserve anonymity and privacy.
In 1999, the FTC and U.S. Department of Commerce announced the creation of the National Advertising Initiative (NAI) in response to a federal investigation into DoubleClick’s plan to buy large quantities of personal data from commercial data broker Abacus Direct. About a year later, the NAI announced a set of principles for self-regulation, calling for notice of websites’ privacy practices, some ability to opt out, and “reasonable” security of data. (1) There was no real means of enforcement, however, and companies that were members of the NAI were allowed to transfer data among themselves without restriction, as long as the data was only used for advertising. Furthermore, the principles applied only to members of the NAI, and eventually membership dwindled to only two companies – DoubleClick and Atlas DMT. (1)
Another attempt at self-regulation was the Individual Reference Services Group (IRSG) principles, developed by a group of data brokers – companies that sell people’s personal information to advertisers, insurers, landlords, private eyes, and the government. (1) Members of the IRSG were allowed to sell almost any personal information to “qualified subscribers,” and consumers could only opt-out of having their data sold to the “general public,” a category that did not include any of the member companies’ typical customers. (1)
The closest the FTC has come to passing privacy legislation was in 2000, when they recommended, 3 to 2, that commercial websites and ad companies be required to comply with five basic privacy principles: notice, choice, access, security, and accountability. However, a new FTC chairman was appointed in 2001 and the FTC decided to give self-regulation another chance. (1)
Since then, websites have only increased their abilities and willingness to track people’s behavior. Cookie technology has become more powerful, and cookies are increasingly set by third party advertising sites in addition to the sites that a user actually visits. Web beacons are also used extensively so that ad networks can track people’s visits to third-party sites. Digital rights management (DRM) also poses a threat to privacy, as users are increasingly required to provide identification in order to access content. Every copy of Windows Media Player is equipped with a unique ID that makes it possible to track what content people view. (1) Additionally, more and more news sites have begun requiring the disclosure of personal details in order to view their content. In surveys conducted by the Electronic Privacy Information Center (EPIC) in the 1990s, news sites customarily did not require registration of any sort. However, EPIC reported in 2005 that 7 of the top 25 news sites require the disclosure of personal information such as name, address, and email address, and 5 require the disclosure of non-personally identifiable information such as birth date, gender, and zip code. (1) These invasions of privacy cause users to resort to creating fake identities, and this causes companies to demand information even more invasively and use commercial databases to verify that the information is true.
Another problem with self-regulation is that companies have not made efforts to inform the public about how their personal data are being collected and used. Accordingly to a 2003 Annenberg survey, 57% of Internet users believe that if a company has a privacy policy, it will not share information with other entities. (1) Additionally, a Pew survey found that 56% of Internet users could not identify a cookie. (1)
Source:
1. Hoofnagle, Chris. “Privacy Self-Regulation: A Decade of Disappointment.” EPIC. 4 Mar. 2005. 4 Jan. 2008 <http://epic.org/reports/decadedisappoint.html>.