The Gramm-Leach-Bliley Financial Modernization Act of 1999 requires that financial institutions provide privacy notices to consumers at least once a year (or sooner if the privacy policy changes). Since this provision went into effect in July 2001 people tend to receive these notices in the summer. Yet when was the last time you read the privacy policy of your bank?  For most people, the answer is probably “never.” Consumers generally don’t like reading fine print and often find it confusing. (Although to address the complexity issue, the Federal Trade Commission (FTC) created a Model Privacy Form for banks to use to communicate privacy information more effectively to their customers.) Yet regardless of the apparent apathy of most customers towards the privacy policies of their financial institution, banks dutifully send out these notices every year as required by law.

The Gramm-Leach-Bliley privacy notices illustrate how misguided privacy regulations tend to be in the United States. Rather than provide any actual benefit to consumer privacy, they just serve to raise costs. And the costs of all of these privacy notices add up. According to a 2009 report from the FDIC, approximately … Read the rest

On May 26, the new EU-mandated “Cookie Law” will go into effect in the UK.  This law requires that websites give users the ability to opt-out of all tracking. The UK and Ireland took this a step further and require users to opt-in.  Website owners in the UK that fail to comply with the law will face fines up to £500,000.

What does this mean for Internet users? In practical terms, it means users will now start seeing pop-ups or splash screens that require them to give consent to receiving cookies before they can access a website that uses cookies (which is the vast majority of websites on the Internet).  Not only will this annoy users and slow them down from visiting sites, but after seeing this on every single website they visit, users will likely grow accustomed to these notices and click “Accept” without giving it a second thought.  After clicking a few thousand of these, the law will likely have conditioned most users to accept any privacy notice they receive. So much for the strategy of teaching users to be more privacy aware…

Over time, I also wouldn’t be … Read the rest

This week the FTC released its much anticipated report on consumer privacy, “Protecting Consumer Privacy in an Era of Rapid Change”. The report is an update to the preliminary staff report released in December 2010 which laid out the FTC’s proposed framework for privacy. In the new report, the FTC lays out a set of principles for consumer privacy and calls on Congress to implement privacy legislation using the framework laid out in this report.  While the report does provide a comprehensive discussion of many of the major privacy challenges, too often the report sides with privacy advocates at the expense of competition and innovation.

One important change in the new report is that the FTC has proposed that its privacy framework apply to all commercial entities that collect or use consumer data, except those who collect data on fewer than 5,000 consumers.  The FTC exempts small businesses from the privacy framework because of the potential burden that would be imposed on them. However, larger businesses would face similar burdens and these costs would ultimately be passed on to consumers.

Read the rest

Various news outlets recently published articles discussing an emerging trend in hiring practices where employers are asking potential employees for their social network or email account credentials so that they can review the potential hire’s private online profile. Not surprisingly, many people have objected to this practice, noting the intrusiveness of the request and the inherit coerciveness of asking for this information during a job interview. In response, Sen. Blumenthal (D-CT) announced yesterday that he was planning to introduce legislation to prohibit employers from asking potential employees for their social network login credentials.

Privacy activists often argue that government should concern itself with the mechanics of how the private sector manages data rather than prevent harmful uses of data, as the Blumenthal legislation attempts to do. However, this is like asking legislators to write laws that restrict how people move their arms and legs, rather than writing laws that prohibit assault and battery. The reality is that privacy regulations, no matter how well-intentioned, cannot guarantee privacy or prevent accidental disclosures or theft of personal data. As I have argued before, legislators should focus on restricting uses of data that harm individuals (e.g., credit discrimination), rather than restricting particular technologies or practices (e.g., behavioral targeting). Instead of fruitlessly trying to lock down data, legislators should focus on creating protections to minimize or eliminate harm to consumers if private data becomes public.

Read the rest

Last year the media was abuzz as people counted down the days to May 21. Harold Camping, a Christian radio broadcaster, had gained notoriety for his prediction that not only the Rapture was coming, but that he had nailed down the exact date. Commentators on TV, in newspapers, on the radio and on the Internet were all watching with a mixture of skepticism and anticipation to see whether this would indeed be the advent of the End of Days or whether Camping would be proven an undeniable fraud.

We have seen a similar build-up of anticipation over the past month as privacy advocates have engaged in collective handwringing over the announcement from Google that it was going to update and simplify its privacy policy on March 1, 2012. I’ve already discussed in a previous post why this change helps users and is in line with suggestions made by the FTC to make privacy notices clearer and more standardized. But groups like the Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy (CDD) have actively been campaigning against the changes and have portrayed the new policy as a threat to users and the Internet as we know it. Millions of users, they claimed, will have their privacy violated or harmed in some way with the new policy. European regulators have even asked Google to postpone implementing the changes because of their concerns. Come today, as the new Google privacy policy goes into effect, we will find out if these privacy prognosticators were unheeded prophets or merely charlatans.

Read the rest

Last week the Wall Street Journal published an article accusing four online advertisers—Google, Vibrant Media, Media Innovation Group and PointRoll—of using special code on web pages to circumvent the privacy settings in the Apple Safari web browser for the purpose of “tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked.” The Safari web browser is used by approximately 7 percent of desktop Internet users and 24 percent of mobile users. Google responded in a statement by saying, “The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.” Google also disabled the code in question.

Read the rest

Changes over Google’s proposed privacy changes need some clarification. Google has not made any radical changes to its privacy policies. Google still does not sell personal information to third parties. Google is not collecting more or less information than before. Google still does not have people in its company reading through people’s email or search history. And Google still offers users the ability to control their data through various tools including the Google Dashboard, an opt-out feature for personalized ads, and the Data Liberation Front which allows users to export data from Google services. More importantly, users can simply opt to not use Google products. As great as Google is, there are plenty of alternatives if users choose to leave

Read the Rest

I read an article in the Washington Post today by Michael Rosenwald which took up a theme I blogged about earlier: at least half the problem with online advertisers is that when they track you they do such a crummy job of actually sending relevant ads and offers your way.

Imagine if you knew as much about me as “they” do: what sites I visit, what I do when I go there, what I buy online.  Don’t you think you could come up with some decent ideas about what to pitch to me?

Rosenwald tried to completely open up his preferences by going directly to ad network sites and checking and unchecking preferences: flowers, but not cars, gadgets but not cars.  Please, Lord, anything but cars!

His results?

There were, however, signs of relevancy. In my day-to-day surfing, I noticed a striking increase in the number of gadget and computer ads. I noticed flower ads. I noticed about a 20 percent decline in car ads. Did I also still see ads for beauty products? Yes. Did I also see ads for Goldman Sachs? Yes. Did those ads annoy me?

… Read the rest

Notably, Facebook has created many privacy options around this feature. These include the following:

• Users are notified when they are tagged.
• Users can untag themselves from any photo.
• Users can only tag their friends.
• Users can disable the “Tag Suggestions” feature so that their name will not be suggested automatically.

Some individuals may dislike the change, but … Read the rest