privacy in the age of the internet of things

Privacy in The Age of The Internet of Things

IMC 459 – IMC Law , Po l i cy & E th ics March 2015

IMC 459 Final Raissa Smarasista

2

Table of Contents The Online Panopticon ................................................................................................. 3

Internet of Things......................................................................................................... 3 How Internet of Things Benefits Individuals ................................................................................... 4 How Internet of Things Benefits Marketers .................................................................................... 4

Issues with the Internet of Things ................................................................................ 7 Dehumanization .............................................................................................................................. 7 Information Overload ...................................................................................................................... 7 Data Privacy: “If you are not paying for it, you are the product.” .................................................. 8 Protecting Yourself .......................................................................................................................... 9 Risks for Companies ...................................................................................................................... 10 Security Risks ................................................................................................................................. 10

CURRENT REGULATIONS ............................................................................................ 11 The Internet: Public or Private Space? .......................................................................................... 11 Overview on Current Regulations ................................................................................................. 12 FTC Act .......................................................................................................................................... 13 FTC Self-‐Regulatory Principles ....................................................................................................... 14 Consumer Privacy Bill of Rights Act ............................................................................................... 15

ISSUES WITH CURRENT REGULATIONS ....................................................................... 16 Laws predate rapid technology innovation ................................................................................... 16 Self-‐regulation is ineffective .......................................................................................................... 16 “Patchwork Quilt” Approach Bears Inconsistency ........................................................................ 17 Effective Implementation and Enforcement Needs Oversight ..................................................... 17 Consent: Is it Realistic? .................................................................................................................. 18 U.S. vs E.U. .................................................................................................................................... 18

Moving Forward ......................................................................................................... 19

Works Cited ............................................................................................................... 21


3

The Online Panopticon English philosopher and social theorist Jeremy Bentham came up with an architectural prison design in the late 18th century called the Panopticon, where a person in a central tower oversees many individuals in their cells (UCL, “The Panopticon). While this model might seem outdated, it is actually how the Internet operates today. The behavior of individuals online is continuously being monitored and tracked by companies. With the development of the Internet of Things, companies in this ‘central tower’ are given even more power to monitor each aspect of an individual’s life, expanding from just their search and viewing behavior on websites to their interpersonal relationships, daily schedule, and most intimate details of their life. By aggregating information about a person from various touch points, a company can almost accurately identify a person as well as predict their behavior. A daunting thought for many, big data collection and use for marketing purposes is seen as invading consumers’ data privacy. This leads to more and more regulations set in place in order to govern how companies can acquire and take advantage of this personal information about customers. However, the current laws and regulations are ineffective in protecting the rights of consumers—there is a lack of consistent regulatory framework to define what can or cannot be done by these companies that are trying to understand their customers better. More federal privacy laws is definitely needed in order to catch up with the groundbreaking innovations of the age of the Internet of Things which pose both benefits and potential harm to consumers and companies as well.

Internet of Things Internet of Things refers to a developing scenario where everyday objects as well as people will be interconnected in a network that does not require human-‐to-‐human or human-‐to-‐computer interaction. It is “the convergence of wireless technologies, micro-‐electromechanical systems and the Internet.” (Wigmore, 2014: “Internet of Things”) An article in Forbes describes the future to be a world where everything that has the capability connect, will connect (Morgan, 2014: “A Simple Explanation of The Internet of Things). Every notion of life will be linked to the Internet—work, home, relationships, communication, health—these are just some examples of the aspects of a human’s life that will be integrated within the Internet of Things. Some might think that the world of Internet of Things is still far away, or only exist in blockbuster fantasy-‐movie worlds. However, we are actually already starting to see a lot of it take place in our society today. For example, the company Nest, created a Learning Thermostat that can be controlled by a phone. It goes further—the idea is that the thermostat can “learn” your schedule and program itself according to it, so that it has the ability to turn off heating once you leave from work, and turn it back on 15 minutes before


4

you arrive back home so that when you do, your house is already warmed up. Nest had marketed this product to save costs and make life easier for users. However, when Google purchased Nest for $3.2 billion in 2014, it is foolish to think that they are just buying ‘the next cool hardware invention.” The value of nest is not in the thermostat hardware, but the interconnected network of that device to other devices—and if Google can be a part of that connectivity infrastructure, imagine the immense amount of data Google can derive from a mere thermostat in someone’s living room. According to Cisco, 99% of things today are still not connected to the Internet, but that soon will change (Cisco, “The Internet of Everything and the Connected Athlete”). An ABI Research report found that there will be 40.9 billion wireless connected devices by 2020 (DeClerk, 2014: “Being Smart About The Internet of Things: From Facts To Benefits”). Surely, this will change the way individuals live and interact with each other, and the ways marketers can understand and engage with their consumers.

How Internet of Things Benefits Individuals Internet of Things for individuals can be life changing. Using the previous example of the Nest Thermometer, people can start reducing their bill cost simply by letting technology learn their life pattern and adjusting to it. A lot of activities that require resources, whether it’s time, money, or effort, can be made easier with these technologies since often they do not require human-‐to-‐human or human-‐to-‐computer interaction. Communication will be made even easier, shrinking spatial distance between family and friends and interaction via-‐the-‐Internet will feel more ‘real’. Errands can be done more efficiently and effectively. With so many everyday devices connected to each other, omnipresence is no longer an impossible thing to achieve. Internet of Things can also help individuals at a macro-‐level, for example city governments can use new technologies to monitor traffic real-‐time, and connected devices can even go further to decrease crime rates and increasing the efficiency of a city’s infrastructure. With so many technology companies riding the wave of the Internet of Things, we can imagine that the benefits will be impressive. However, it is worthy to note that sometimes the benefits for humans are not necessarily “material”, and it may be just an added ‘cool factor’. For example, many people have yet to understand the benefit of wearable devices such as Google Glass—it seems like it is not doing any particular function, but it received a lot of hype simply because it was a novel idea that had the coolness factor.

How Internet of Things Benefits Marketers The implication of the development of the Internet of Things is the extreme escalation of big data. Big data is defined as exceeding the traditional database software and hardware tools used to capture, store and analyze data (Franks, 2012:3) With the rise of the Internet of


5

Things, every industry will experience new data sources coming in. In his book Taming the Big Data Tidal Wave, Bill Franks noted that the definition of ‘big data’ will continuously change over time as technology innovations keep on developing (Franks, 2012:4). Currently, the amount of data about consumers produced daily is simply overwhelming. 90% of the data in the world today is generated in the last two years—explained by the fast growth of social media, online behavior tracking systems and Internet of Things. As we move forward into the future, big data will not only grow in size, but in variety and velocity exponentially. Currently, there are 30 billion pieces of information shared on Facebook each month and 90% of industries in the US have more data per company on average than the entire US Library of Congress (Franks, 2012:4). This is evidence of how impactful big data is in the world of commerce today, and the further development and implementation of Internet of Things will result in new sources of data that contributes to the exponential explosion of big data available for companies to use to their advantage. Big companies are collecting this type of data from their customer database and purchasing this data in order to understand their consumers better. However, many companies do not even know how to structure the data, considering the massive influx amount coming in every single day. Not knowing how to structure the data, much less analyzing it, poses a potential threat for companies. There is a bigger reliance to data analyzing companies, and even then the time lag between collection of data and uncovering those valuable insights is still problematic to say the least. This whole notion of “data in motion” versus data at rest is a challenge that businesses must overcome, as data is now collected and processed in real time. The challenge is to understand how to make use of this data in motion, and how to use it continuously in their day-‐to-‐day practices. Another risk is that the costs that come with big data can accelerate too fast before the company knows what to do with the data. There are four ‘V’s in Big Data that can potentially cause issues for companies: Volume, Variety, Velocity and Veracity. It is important that marketers understand how to capture and effectively utilize big data in the age of the Internet of Things to fully reap the benefits. There are two ways Internet of Things can benefit the way a company can collect and use data more effectively. Firstly, the value of Internet of Things is in integration. Companies used to collect data in silos of different channels, ranging from social media, machines or devices, their website, financial data, and customer transactions. However, often they face a challenge in how to make use of those separated databases. With Internet of Things, the data can be integrated much more easily, and in a more sophisticated manner as well. The key benefit in this new development is that companies can understand their customers and their engagement with the brand in a more holistic way. The second benefit of this data is that the interconnectivity of the Internet of Things devices allow real-‐time data in motion. Companies have the opportunity to know what is on the


6

consumer’s mind seconds after they are thinking about it. One might argue that this is already been accomplished currently with social media. However, the integration of social media as well as receiving data from other connected devices might give companies information about a person even before they themselves have thought about it. Predictive models and analytics can become even more enhanced, and yield better opportunities for marketing products to consumers in a much more reactive and personal way. Combined with more developments in geo-‐fencing and location-‐data technology, smart marketers can create and suggest needs “on-‐the-‐go” for consumers according to where they are and what activity they are doing. For example, an identifiable chip in a pair of Nike shoes can send out signals to a Nike flagship store, indicating that that customer is wearing the shoes and is nearby. Utilizing their customer database cross-‐identified with the information the company has on the customer through online behavior and the pings from the shoe, Nike then can send a message to the customer just when he walks by the store telling him about a recent promotion for socks or shoe products that go with his pair of shoes. The Internet of Things will be full of these developments that allow marketers to identify customers in real time and then create needs for them by analyzing past behavior using a variety of data sources. Artificial Intelligence systems such as Viv will also be accepted in society in the age of the Internet of Things, where customers will no longer ‘search’ for what they need to purchase, but simply let technology do that for them. Using a combination of data and geo-‐location information sources, Viv can generate suggestions on where to purchase a certain item. This presents opportunities to work with A.I. systems to increase their brand awareness and suggest items to customers before the need is realized. The Internet of Things will herald in a new wave of the “referral economy” which will significantly change the way businesses communicate and view their customers. Apart from understanding consumers, the Internet of Things will present so many new opportunities for marketers to be able to reach consumers in all aspects of their life. Advertisers used to communicate with customers when they turn on their TV and see the brand’s commercial. Then, with the developments of online advertising, marketers can display ads according to the consumer’s interests by acting on the data collected by tracking cookie technology. However, in the Internet of Things, marketing can exist ubiquitously—anywhere, anytime. When everyday objects become interconnected to the Internet network, whatever complex online behavioral advertising program done on the web today can be done in all of those objects that humans interact with. The Internet of Things will just propagate this trend of meeting consumers wherever they are, in whatever they are doing, and this is a key benefit to marketers as they can interact with consumers in real time. Another way businesses are going to change with the Internet of Things and the explosion of big data that comes with it is the rise of a personalized marketing. Marketing used to be


7

done in a mass communication style where the same message is used to talk to a company’s entire customer base. With data, companies are able to talk to consumers on a one-‐to-‐one level, and the communication content will be highly personalized based on the data that the company has on that one consumer. Alessandro Acquisiti talked about a world in the near future where companies will integrate the faces of a person’s two best friends on Facebook and use that face in an advertisement directed at that specific person. (TED, 2013: “What Will a Future Without Secrets Look Like?) Each person will see a different ad, and will then respond to it more because it feels more personal and relatable. This benefits marketers because they can tailor their message and increase the success rate of connecting with consumers by making their omni-‐channel marketing more “reactive” and personalized.

Issues with the Internet of Things However, like all things in life, the potential for benefits comes with a lot of potential risks as well. Many have criticized the idea of Internet of Things as being unnecessary, or even making issues of dehumanization, data privacy and security risks even worse.

Dehumanization One of the dangers of the Internet of Things apart from the haunting issue of data privacy is the dehumanization of modern day interaction. Machines will replace what used to be done by the human hand. We see that communicating over the Internet has already replaced the way people interact with their family, friends and co-‐workers. With the Internet of Things in motion, there will be an even greater loss of human interaction and a redefining of rituals in society. Wearable technology could be a way of monitoring family members or employees—while this can be seen as a benefit to some people, society will operate in an entirely different way. There will be a loss in the traditional concept of human day-‐to-‐day interaction, and when push comes to shove, human relationships must and will be redefined. Whether it is for the better or worse, this remains to be a dark thought for many.

Information Overload Another risk that individuals face as in the Internet of Things is information overload. With so many devices connected over the Internet, humans can access information quicker and better. However, this also has the implication that there will be too many new channels to receive information from. The range of information that will be available will be expanded, along with the speed of delivering that information to people. Today, we already see a case where people are disillusioned by the overwhelming amount of information they get in a day. Recent studies show that individuals are exposed to around 3,000 advertisements per day (Lamoureux, “Advertising: How many marketing messages do we see in a day?)—not to mention other types of information that are disseminated to them. The Internet of Things


8

will make the issue of information overload much worse. This is a problem for both individuals and marketers as well, who will have a harder time finding a way to make their marketing communications stick to the consumer’s mind.

Data Privacy: “If you are not paying for it, you are the product.” The Oscar-‐winning documentary titled ‘Citizen Four’ explores the recent scandal of the NSA documents leaked by Edward Snowden regarding the data gathering activities done by the government on people’s communication. One particular quote in the movie by Tor developer Jacob Applebaum comes to mind when thinking about data privacy, even in the commercial context. “What we used to call liberty and freedom we now call privacy…and now people are saying privacy is dead.” (Poitras, 2014: CitizenFour). The risk of data privacy is something that is growing, as there is more and more data collection and online behavior tracking in accordance with the development of Internet use and technological innovation. With thousands of cookies in place in a user’s browser, and the recent developments of fingerprinting and other tracking methods in mobile and wearable devices, one cannot blame an individual for feeling like companies are invading their privacy. The fact that companies know so much about them, including the people they interact with on a daily basis, is a disturbing thought. Many have said online behavior tracking is similar to “spying” on consumers. Imagine entering a store at the mall and asking a salesperson about the price of a shirt you find interesting. After figuring out that it is too expensive, you choose to leave the store and continue browsing the mall. However, you soon realize that that salesperson is following you around, peeking at your phone, and analyzing your every move around the mall. Of course, you would find this to be incredibly invasive of your privacy, and in the real world this would not happen. However, a lot of customers do not realize that they are actually letting companies do the same thing online, by placing cookies or other tracking methods to track their online behaviors and follow them around the web. Surely, when put this way, data privacy becomes an issue that is very important for the safety and rights of consumers. First, there is the issue of data or information ownership. Who owns the data on the Internet? It is natural for customers to think that information about their geographic location, preferences, age, shopping behavior, or even credit card information is their property. However, we often forget to look at the other side. Companies who build this aggregate collection of data and information on their own software also think that the information is theirs to store and use. This is why there is a big gap between what lengths companies are comfortable using the data it has collected on customers, and what is deemed as acceptable to the users. However, in the end, personal information, no matter how it is collected, should belong to the person it is identifying. It is a daunting thought to


9

think about a company owning that information about you and using it without you having any say in it. The fact of the matter is, the data collected is actually a representation of one’s identity. It cannot be mistaken as an identity that is “up for grabs” by anyone. With the rise of the Internet of Things, data privacy will become an even more pressing issue. The growth of mobile devices, wearable devices, as well as the development of everyday objects being connected to the Internet means that there are more opportunities for companies to “peek” at people at all times of the day. For example, Under Armour, an athletic goods brand, uses the Map My Fitness mobile app to track a person’s daily behavior and how active they are, to then be able to market certain products to them. Some consumers would find this useful, or even have a “cool factor”—however, many do not realize that their privacy is in danger. There has been a lot of discussion regarding the risk that consumers are placed in in relation to the rise of digital data and the invasion of privacy. However, a lot of companies that lobby against the development of policies and regulations regarding data tracking argues that consumers are not in any material or real harm. First, the majority of consumers are not even aware of how companies are collecting data—how can they be harmed by something that they do not know? Moreover, marketers view behavior tracking and reactive marketing as being helpful for customers, instead of harming them. According to Emma Valentine from IBM Silverpop, personalization is an expectation today. Customers actually want companies to know more about them to be able to give information and services that is relevant to them. The suggested items on Amazon based on past viewing behavior is something that customers use a lot and found to be helpful.

Protecting Yourself The issues surrounding data privacy might motivate customers to want to protect their personal information. However, the real risk is even they want to protect themselves, how can they do this considering how much Internet is used in their daily life? If we think about the Internet of Things where eventually all objects that are interacting with humans on a daily basis will be connected to the Internet, thus being vulnerable for behavioral tracking, how can individuals protect themselves without giving up the Internet—something that will be increasingly vital in a person’s life? Today, we can argue that actions such as deleting cookies off of your browser, or even deactivating social media accounts might help protect an individual’s personal information from being poached by marketers. However, in the Internet of Things, it will be extremely hard or even impossible to not be totally immersed in the world of Internet interconnectivity. Then, finding the balance between protecting oneself and managing the use of the Internet will be even harder.


10

Risks for Companies There is a great risk for a company if it completely ignores the concerns of its consumers regarding data privacy issues. First, there is the ethical consideration of taking advantage of vulnerable customers who do not understand the idea of collecting and using data. Secondly, if customers do not understand the process and get suspicious, or if they feel like their privacy is being invaded, the consumer backlash would be detrimental for the business. Facebook is an example of a company that has lost members because people are becoming more reluctant to share their personal information on the social media site, after learning about how much Facebook mines their data. Furthermore, there is the risk of being investigated by the Federal Trade Commission if a company does not comply with the regulations set out for data collection and use. Building further on the ethical considerations of the Internet of Things, these technological innovations make for a slippery slope. It is hard to know where to stop, and where the ethical boundaries are, especially as competition will become more rigid and the only benchmark a company has would be whatever competitors are doing. The rate of innovation and new opportunities for behavior data tracking and potentially invasive marketing practices would be at an unprecedented level with the Internet of Things, so it is very easy for companies to get lost in it and abandon the important ethical considerations. Moreover, one of the issues for marketers that come with digital data is the tendency for insensitively grouping customers into target segments or profiles that might not be accurate, but stereotypical. Consumers can become offended and may result into a negative company image. Second, greater reliance on these automated data collection and profiling can make marketers too dependent on these stereotypical classifications, that they are communicating the wrong messages to the wrong people. There is a risk if the marketer does not look at who they are speaking to in a human context. The consumer becomes just another number, and as technology develops more and more, the definition of marketing will be fundamentally changed to becoming reliant on what the data says. This changes the way marketers do business—although some might say automated data makes marketing more effective and efficient, there are always things that technology cannot understand at a human level, such as culture, sarcastic or slang language, and deeper roots of social trends.

Security Risks Although the Internet of Things can foster interconnectivity that can make life easier for humans, it poses an extremely dangerous risk in security, for both individuals and businesses. The fact that millions and billions of objects and devices are now interconnected over a network, constantly receiving and sending data to one another, means that there is an even larger risk of information breach. In a world where the alarm clock on your phone triggers your coffee machine to start brewing a cup of coffee before you leave for work in


11

the morning, one must question whether there is a possibility of someone accessing your entire network by “hacking” a coffee machine. In theory, this is very much possible—if the coffee machine is linked to a phone and is bouncing data off one another, you can imagine how easy it would be to access contacts, photos, schedule, and even credit card information stored on that phone. Now, taking this to an extreme level—an interconnected world of gadgets, cars, home electronics, health technology, e-‐wallets, and wearables signifies a very high risk of data breach. Personal data like financial and health information is placed at risk, while there is a bigger opportunity for criminal activity as well. For businesses, the challenge that comes with Internet of Things is how to protect your company data, as well as the consumer database owned by the company. Competition will grow even more rigid, which gives more incentive for potential data breaches to occur. Although one might think that with this developing technology, companies will also benefit from technological innovations that better protect their company’s information, we cannot ignore the fact that the age of Internet of Things will be very dangerous for companies when the stakes are that high. The bigger the company’s database is, the more risk of data breach they possess. Since the data on consumers become more and more specific and intimate, companies have a responsibility to protect that data from people who might try to hack into it. Furthermore, the value of this data will increase significantly from the type of data companies have today. In the Internet of Things, the data will be so integrated and so vividly intimate to the consumer, that data security issues is only going to get worse for companies.

CURRENT REGULATIONS

The Internet: Public or Private Space? Companies are watching the consumer’s every move online. But who is watching these companies? In order to determine whether there needs to be more regulations in place to govern the way Internet of Things will impact the trend of data collection and use in light of data privacy issues, we must first determine whether the Internet is a public or private space. The Internet can be seen as the 21st century agora, a public space where people communicate and discuss their thoughts and ideas with each other. The Internet is a public space that is accessed through private computers and devices connecting with each other. One must however, question just how ‘open’ the Internet really is. Although the First Amendment protects the freedom of speech online as well, the inability of the government to restrict the content online is somewhat replaced by each individual site’s terms of service and use rules. For example, sites like Facebook and Twitter can determine what is acceptable to be posted on their site. There are numerous cases where people who voiced out “politically incorrect” statuses were blocked or banned to post by sites like Facebook. Thus, there is the question whether the Internet is a public place where people can truly say


12

anything they wish to, or if it is still governed by private entities so that it is still private, despite looking like a public place. If the Internet is indeed public, there are a couple of implications that could affect the way data privacy issues can be mitigated on a constitutional level. First, if the Internet is public, then that means all of the information published onto it is for public use, including companies. There is also the debate in light of the Internet of Things taking data from everyday objects, whether a person is “publishing” something just by turning on their toaster or washing machine. It certainly seems like that is the case as we move forward to this age of interconnectivity. However, at the same time, if the Internet is public, there is a greater pressure and ability on the government to regulate the Internet. Government regulations can be beneficial in a way that they can instill more rules regarding the commercial collection and use of data in light of data privacy and security issues. Albeit this being beneficial, we must think about the further implications if the government was given that much power over the Internet. Creating regulations is a slippery slope—if they start regulating how companies are using data, it is very possible that they will start regulating content in this online agora. On that note, we will discuss the current laws and regulations set by the government to better govern this public space so that the harm done to consumers regarding data privacy issues can be mitigated.

Overview on Current Regulations A GAO report in 2013 titled “Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace” looks at the current regulations and laws that touch on the issue of online data privacy, however found that there is no law at the federal level that specifically governs the collection and sale of general personal information. There are, however, several regulations in place that limits specific uses of data, however it seems like the approach taken by the US regulatory framework is a miscellany of sector-‐specific laws that dance around the issue yet does not tackle it directly. The primary laws that may affect the way data is collected and used are as of follows:

• The Fair Credit Reporting Act protects personal information that is collected by consumer reporting agencies, however it is specifically addressing eligibility of credit or employment purposes.

• The Gramm Leach Billey Act (GLBA) similarly protects the confidentiality of personal information that is given specifically to financial institutions.

• The Health Insurance Portability and Accountability Act (HIPAA) protects the confidentiality of health information of an individual. This statute actually applies to marketing purposes of an individual’s health information.


13

• The Children Online Privacy Protection Act (COPPA) protects the privacy rights of children, where parental consent must be obtained before the collection of identifiable information of a child under 13 years of age.

• The Electronic Communications Privacy Act (ECPA) protects consumers from interception of electronic communications done by third parties—for example, this law prevents an Internet service provider from selling a customer’s e-‐mail address to a data reseller for marketing purposes.

• The Computer Fraud and Abuse Act (CFAA) prohibits third party sites from collecting data from a website user when it violates that specific site’s terms of services that have been disclosed.

• The Fair Information Practice Principles (FIPP) developed in 1972 protects the privacy and security of personal information, which later on becomes the foundation of the Privacy Act of 1974 that regulates the use of data by federal agencies. However, the same treatment is not found in federal laws that apply to private sector companies.

As we can see, it handles the issue sector-‐by-‐sector—some based on industry, some based by specific practice, however there is no comprehensive or consistent law at the federal level that protects consumers from the invasive nature of data collection and use.

FTC Act One perspective is that the government is not regulating the Internet content by placing regulations surrounding issues of data privacy and security, but regulating business commerce—this of course, encapsulates how companies are collecting personal information on consumers online. The foundation of all government regulations on protecting consumers is Section 5 of the FTC act, that declares “unfair or deceptive acts or practices in or affecting commerce” as unlawful. The definition of what is “unfair” is whatever business practice that is likely to cause “substantial injury to consumers, which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition”. (FTC, 2008) Of course, one can see that even with this definition, what can be considered as “unfair practice” is entirely up to the FTC. Applying this to the issue of data privacy, the problem with this regulation is that it is not clear what constitutes as unlawful use or collection of consumer data. With the rapid development and advancement of technology, providing companies new sources of data and new ways to collect data (think mobile, chips in clothing articles, store cameras…), it is really hard for the FTC to be able to clearly define what is acceptable and what is an unfair practice. Further problems found with the FTC act being the underlying regulation for online data collection and use are related to what the FTC act


14

does not explicitly state. For example, it does not specifically state a privacy policy disclosure requirement, nor the need for consent before collecting or using data, nor does it give consumers the right to access or control their data explicitly. The fact that Section 5 is so broad may be troublesome because it fails to give consistent understanding of what qualifies as a fair and lawful use of consumer data. In light of the recent developments of Internet marketing, big data and especially the Internet of Things, the significant increase of opportunities of data collection will cause the data privacy issue to worsen, without specific and explicit regulations in place to govern it.

FTC Self-‐Regulatory Principles Although the FTC does not have statute or federal laws to outline their expectations for companies collecting and using data, In 2009, they proposed a self-‐regulatory program for online behavioral advertising in response to the data privacy issues and their desire to protect consumers. (FTC Report, 2009: “Self-‐Regulatory Principles for Online Behavioral Advertising) Online behavioral advertising refers to the collection and use of data from tracking online viewing behaviors of a computer device in order to deliver advertising based on the inferred preferences. The seven principles exist to help companies balance between the benefits that come with data collection and their ability to protect consumers. The Education principle aims to inform consumers about online behavioral advertising activities. Raising awareness on this issue is a crucial first step in rectifying the situation at hand. Although the issue of data privacy is starting to pick up, the majority of consumers are still nonchalant about the fact that companies are collecting and using their personal information. The problem is not that they do not care about it, but because they do not understand the full extent of how much personal information companies have on them. This is because there is a lack of education on what companies are actually doing with their data, which is supposedly solved by this principle. Consumers need to be educated about the options to opt in and out of different choices as well. The principle of transparency requires companies to provide information to customers notifying them of how online behavioral advertising activities are being carried out. The mechanism should involve some sort of disclosure page that gives clear, meaningful and prominent notice. After educating customers, the principle of consumer control allows customers to be able to opt out of tracking activities if they feel that their privacy is invaded. The control must also be easy to maneuver. The principle of data security requires companies to protect the data collected by a security program, which also involves de-‐identifying personally identifiable data. The problem is, there is a blurring of personally identifiable data and non-‐personally identifiable types, because it is very easy to combine non-‐personally identifiable data to identify an individual.


15

The principle of Material Changes states that companies must obtain a customer’s consent before making a policy change in the way they collect or use data. However, sites like Facebook seem to reset customer’s privacy settings every time they update the software version—in my opinion, this is Facebook trying to circumvent having to obtain the customer consent. Once the customer resets their privacy settings, Facebook already captured all the data in that person’s account. One must question whether this is ethical, as the meaning of consumer control is lost with these circumvention techniques. The sensitive data principle protects the data privacy of children, aligning the compliance requirements with that of COPPA, as well as protecting sensitive information like financial and medical records. Finally, the accountability principle calls upon entities to help monitor the Internet for implementation of these principles and to report for non-‐compliance. Some might argue that these principles are invading too much into how the business is operated, and some might say that it is not doing enough to protect the rights of consumers to their privacy. However, it is a great start—it shows that both consumers and companies are starting to be aware of the underlying issue at hand. Albeit not being perfectly inclusive of all problems that come with data, if it is implemented, there will be a great positive change in society. Therefore, the challenge does not lie in understanding the issues that underpin these regulations. The challenge is in compliance accountability and enforcement; as well as adjusting the regulations according to recent development of the Internet of Things. These are just some of the considerations that should be explored more by the FTC, in order for the privacy regulations to have any sort of meaning.

Consumer Privacy Bill of Rights Act The Obama administration proposed a Consumer Privacy Bill of Rights Act in response to the data privacy issues that are starting to be heard at the government level. This bill aims to protect the privacy rights of American consumers by giving a basis of data-‐processing requirements for companies that use and collect data. The bill proposed a rule where industries must set codes of conduct in how they are to fairly collect, use and share information about consumers, and then the FTC will make sure that these codes of conduct are sufficient. Companies must give consumers more control on how their data is being collected and used, giving them access to the information and this amount of control should be in proportion to the privacy risks involved. This is proof that the concern for consumer data privacy is developing, and that the government is already trying to do something to make sure the issue does not exacerbate in the future. However, privacy advocates claimed that this is actually a setback, because this bill actually gives companies the ability to define what is acceptable and what is unfair in terms of how data can be used and collected. If they have the power to determine this standard, they might override state statutes that are


16

actually more useful in protecting privacy (Singer, 2015: “White House Proposes Broad Consumer Data Privacy Bill”).

ISSUES WITH CURRENT REGULATIONS There are a couple of issues with the current regulations that deal with online data collection and use. After reviewing these issues, it is clear that there needs to be more legislation at the federal level to protect the rights of consumer’s privacy especially as we move towards the Internet of Things, where the risks that data privacy and security issues pose are multiplied exponentially.

Laws predate rapid technology innovation First, the current regulations are simply outdated and not applicable to the newest technology innovations that are consistently pushing the boundaries of data privacy concerns. (Sableman, 2014: “United States: The U.S. Data Privacy Debate In A Nutshell”) For example, the Internet as a communications carrier is dealt by the 1934 communications act that was used to regulate the telegraph, and further laws from 1860s, which essentially was formed to regulate freight trains back in the olden days. However, it seems like an unfathomable concept to equate something as progressive and potentially invasive like the Internet with a freight train. It poses the question whether the current laws in place are decades behind of the rapidly changing technology landscape today. The main issue with the current legal framework that deals with data privacy is that it does not consider the implications that newer innovations contribute. If there is a hard time regulating privacy rights in the Internet today, how much harder would it be to regulate in the near future, when health information from a chip in “smart active gear” connects with credit card transaction history, and information about the top three friends you hang around with the most? The Internet of Things poses unique threats to consumer privacy, and therefore must be considered in a different manner. For example, the growth of mobile devices introduces the new challenge of protecting a consumer’s geographic location data. There is currently no privacy law that addresses mobile applications and the collection of location-‐based data except COPPA that only applies to children. There is also no privacy law at the federal level regarding mobile payments, which is a big way of collecting and consolidating financial data, causing significant potential harm to consumers. If the law does not accommodate the newly developed ways companies can take advantage of consumers’ personal information online, then it is far from being meaningful in protecting consumers.

Self-‐regulation is ineffective The FTC have outlined self-‐regulatory principles for ‘best practices’ in online behavioral advertising, and different institutions and associations such as the Digital Advertising Alliance has also made guidelines for companies to follow. These principles are a great


17

improvement from the vagueness of the statutes and law, however one must question whether the whole notion of self-‐regulation bears any real merit in tackling the problem of data privacy. If businesses are supposed to regulate themselves, defining what is ethical/legal, and are supposed to be accountable on their own, the consumer is left out from the picture. Although the principles give companies guidelines on what the FTC may deem to be an unfair or deceptive practice, thus giving some grounds on enforcing fairness in the industry, the fact that it is self-‐regulated as opposed to regulated by law on a federal level may create inconsistency in interpretation and gives a lot of opportunity for circumventing the fragile framework of self-‐regulation.

“Patchwork Quilt” Approach Bears Inconsistency Looking at the previous discussion of the different sector-‐based regulations that govern data collection and use, it is clear that what is lacking is a comprehensive, consistent, and general regulation framework that protects consumer’s rights to privacy in a marketing context. What we have now is a “patchwork quilt” (Singer, 2013: “An American Quilt of Privacy Laws, Incomplete) of different regulations that are specifically directed at different industries, sectors, or consumer groups (such as children in COPPA). There are also state laws such as the Shine the Light law in California requiring companies to disclose partnerships with third party sites that share consumer data. The risk of this approach is that there are a lot of gaps in between sector-‐specific laws that allow companies to circumvent fairness in data practices. The recommendation is to reform the regulatory framework to be based on a comprehensive privacy law that fills these gaps (United States Government Accountability Office, 2013: “Information Resellers”). The benefit of this is that consumers not only have protection, but they can have consistent protection. There can be a clear understanding for both companies and consumers of the fairest and best practices of data collection and use, which will provide clear standards for the FTC to be able to regulate more effectively. On the other hand, this ‘one size fits all’ approach is criticized as potentially hampering innovation and business growth. It can be seen as the government being too invasive of what is naturally developing in commerce. A comprehensive, singular privacy law might be too inflexible for the many different requirements and unique situations that each sector or industry has. However, it seems that the potential benefits outweigh the potential risks of this recommendation, and that a comprehensive privacy law framework might be the only way law can keep up with the rapidly changing world of technology and online marketing.

Effective Implementation and Enforcement Needs Oversight One of the issues with the current regulatory framework regarding data privacy is the lack of a clear implementation and enforcement strategy. The FTC is authorized to investigate companies that seem to be violating their regulations however it seems like the FTC is still


18

relatively not enforcing the current laws to the level in which it is required. There needs to be a dedicated governmental agency for overseeing data privacy issues, as we move on to the world of Internet of Things and there will be much more violations of data privacy and security laws. The oversight agency needs to understand the technological background that bases data collection and use, and work with the FTC to implement the best practices in online commerce and increase cybersecurity for both consumers and companies.

Consent: Is it Realistic? The most important regulation is the concept of obtaining consent from the consumer before they collect data. Currently, the default is that a consumer is opting in on the data tracking service, however in theory they are able to opt out. Essentially this is the way it is outlined in the FTC Self-‐regulatory principles. However, considering that a lot of consumers are not understanding that their online behavior is being tracked, one has to question whether these consumers have given consent or not. Although there are a lot of data privacy issues and people are starting to get “creeped out” by how much companies know about them, in general people are still not aware of this practice. Or, they might be aware, but they are not aware of how much companies know about them to be bothered by it. Therefore, they will not have the education and/or the incentive to search for ‘opting out’ options for behavioral data tracking practices. On the other hand, if we are to regulate companies to ask for consent before placing any cookies, we must question how feasible this is since one website probably has 30 different cookies set in place. The key is to raise awareness on data collection practices in the public first in order for this whole concept of obtaining consent to be meaningful at all.

U.S. vs E.U. There is also the issue of aligning the data privacy regulation with other countries in the world. The EU is much more stricter in protecting consumer’s rights to their privacy, and not only do they have more comprehensive regulations set in place, they also have shown more efforts to raise awareness within citizens regarding this issue. Jan Philipp Albrecht, a representative of the European Parliament, stated that his “impression is that the U.S. Chamber of Commerce and the Commerce Department are mostly just following the interests of Silicon Valley,” as he proposed an additional right for European citizens to opt out from consumer profiling activities (Singer, 2013: “Data Protection Laws, an Ocean Apart”). Privacy advocates argue that the self-‐regulatory system in the U.S. is not sufficient because the consumers will have little control. Furthermore, the consumer protection development in the U.S. is not up to speed with the rate “invasive technologies” are developing. Many have stated that within the U.S., commerce comes before citizens. Currently, each country in Europe has a statute that clearly establishes the requirements for fair collection and use of online consumer data, and together they have formed a


19

government agency for the oversight of compliance. This independent board helps governments to implement the regulations better, and perhaps this is needed in the U.S. so that there is consistency on what is acceptable in collecting and using data (Davenport, 2013: “Should the U.S. Adopt European-‐Style Data-‐Privacy Protections?”). The key is to balance between the government’s interests in protecting the consumer as well as protecting the business commerce and innovation.

Moving Forward When thinking of our business, the law is only the minimum requirement that marketers must adhere to. The struggle for marketers is in the ethical considerations in thinking about whose interests are being served. If an “IMC” (Integrated Marketing Communications) approach is supposed to put the customer as the core of the business, are these data privacy issues something worth thinking about? One might argue that by collecting more data about the customers, marketers can better understand them, and thus do a better job in providing them with solutions and messages that really empower the customer. In a way, the proliferation of data collection and use fits right in the IMC perspective, because it allows the business to adjust to the customer’s preferences on a personal, one-‐on-‐one level. The question, however, is whether this is actually protecting the marketer’s interests and not the consumer’s. Marketers must think about protecting the consumer’s rights to privacy as a way of prioritizing the customer too. Showing that a company cares about protecting the rights of their consumers not only avoid litigation risks, but also creates more trust between the consumer and the brand. First and foremost, marketers should not only abide to the federal privacy laws, but to the self-‐regulated principles outlined by the FTC and other governing bodies. This is truly the “best practice” to make sure the company does not show bad faith to the FTC and the consumers, avoiding potential problems. Marketers must not only behave legally, but ethically. The first step is to be and stay aware. Keeping updated to the latest news about data privacy and security issues is something that marketers must do routinely, and not assume that it is only the legal/IT department’s job. It is also worth noting, however, that there must be a good collaboration between the legal and marketing team. It is imperative that marketers talk to their lawyers to understand the regulations and legal considerations that are important when planning for marketing programs. A lot of ethical boundaries are crossed when competition is rigid—instead of being tempted on what competitors are doing, marketers should stay focused on the core company values for a “conscience” to discern what is right and wrong. By no means is this an easy thing. The general consensus in the marketing world is that data collection and use is something that is a given, and that we have to adjust to the technological innovations that are developing. However, the first step to changing this behavior is for marketers to be aware and really understand these ethical considerations.


20

It also helps if the marketer puts his or herself in the consumer’s shoes. To avoid the risks of data privacy and security as an individual, we have to understand the laws and regulations in place as well as our rights to privacy. For example, the self-‐regulatory principles proposed by the FTC states that websites must give consumers the option to opt out of tracking or advertisements, but the majority of people are still unaware of this option. By educating ourselves, we can better protect our rights. We must take proactive action to mitigate the amount of data privacy risk by doing what we can, because the law is slow to catch up on these issues. This includes regularly deleting cookies from our browser and using browser-‐protecting features like Tor or Incognito mode. Finally, the best way to protect ourselves is to think twice before uploading or writing anything on the Internet. We must be more selective, even if the technological developments allow us to publish so much more on the Internet these days. In conclusion, the age of Internet of Things brings both new benefits and challenges for marketers and consumers. The issue of data privacy and security will grow exponentially as big data is multiplied with the introduction of interconnected everyday objects. There will be more integration of data, which poses benefits to marketers as they can understand their consumers more, however that also brings up more ethical considerations that must be part of the discussion between companies and consumers. There are several regulations currently in place that foster the start of the discussion, however they lack a clear consistent framework on how those regulations will be implemented. If the implementation is not strong enough currently, it will stand no chance in protecting consumer rights with the further development of the Internet of Things. Therefore, there needs to be further legislation or regulation at the federal level when it comes to data privacy and security, even if the issue is still at its infancy when it comes to the general awareness of citizens. If ignored, the Internet of Things will further exacerbate the current ethical tensions between consumers and businesses.


21

Works Cited

"A Brief Overview of the Federal Trade Commission's Investigative and Law Enforcement

Authority." A Brief Overview of the Federal Trade Commission's Investigative and Law

Enforcement Authority. Federal Trade Commission, 2008. Web. 10 Mar. 2015.

<https://www.ftc.gov/about-‐ftc/what-‐we-‐do/enforcement-‐authority>.

CitizenFour. Dir. Laura Poitras. Perf. Edward Snowden and Glenn Greenwald. Praxis Films, 2014.

Online.

Davenport, Thomas H. "Should the U.S. Adopt European-‐Style Data-‐Privacy Protections?" WSJ. Wall

Street Journal, 10 Mar. 2013. Web. 03 Mar. 2015.

<http://www.wsj.com/articles/SB10001424127887324338604578328393797127094>.

De Clerk, JP. "Being Smart about the Internet of Things: From Facts to Benefits."

InformationDynamix. N.p., 20 Aug. 2014. Web. 03 Mar. 2015.

<http://www.informationdynamix.com/smart-‐internet-‐things-‐facts-‐benefits/>.

Franks, Bill. Taming the Big Data Tidal Wave: Finding Opportunities in Huge Data Streams with

Advanced Analytics. New Jersey: John Wiley & Sons, 2012. Print.

FTC Staff Report: Self-‐regulatory Principles for Online Behavioral Advertising. Washington, D.C.:

Federal Trade Commission, 2009. Feb. 2009. Web. 10 Mar. 2015.

<https://www.ftc.gov/sites/default/files/documents/reports/federal-‐trade-‐

commission-‐staff-‐report-‐self-‐regulatory-‐principles-‐online-‐behavioral-‐

advertising/p085400behavadreport.pdf>.

Goodson, Scott. "If You're Not Paying For It, You Become The Product." Forbes. Forbes Magazine, 5

Mar. 2012. Web. 03 Mar. 2015.

<http://www.forbes.com/sites/marketshare/2012/03/05/if-‐youre-‐not-‐paying-‐for-‐it-‐you-‐

become-‐the-‐product/>.

"Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and

the Marketplace." GAO. United States Government Accountability Office, 18 Dec. 2013.

Web. 03 Mar. 2015. <http://gao.gov/products/GAO-‐14-‐251T>.

Jolly, Ieuan. "Data Protection in United States: Overview." Practical Law. Thomson Reuters, 1 July

2014. Web. 01 Mar. 2015. <http://us.practicallaw.com/6-‐502-‐0467>.

Lamoureux, David. "Advertising: How Many Marketing Messages Do We See in a Day?" Fluid

Drive Media. N.p., n.d. Web. 10 Mar. 2015.

<http://www.fluiddrivemedia.com/advertising/marketing-‐messages/>.


22

Morgan, Jacob. "A Simple Explanation Of 'The Internet Of Things'" Forbes. Forbes Magazine, 13

May 2014. Web. 10 Mar. 2015.

<http://www.forbes.com/sites/jacobmorgan/2014/05/13/simple-‐explanation-‐

internet-‐things-‐that-‐anyone-‐can-‐understand/>.

"The Internet of Everything and the Connected Athlete: This Changes... Everything." Cisco. N.p.,

n.d. Web. 10 Mar. 2015.

<http://www.cisco.com/c/en/us/solutions/collateral/service-‐provider/mobile-‐

internet/white_paper_c11-‐711705.html>.

"The Panopticon." UCL Bentham Project. University College London, n.d. Web. 09 Mar. 2015.

<http://www.ucl.ac.uk/Bentham-‐Project/who/panopticon>.

Sableman, Mark. "United States: The U.S. Data Privacy Debate, In A Nutshell." The U.S. Data Privacy

Debate, In A Nutshell. Thompson Coburn LLP, 2 Jan. 2014. Web. 03 Mar. 2015.

<http://www.mondaq.com/unitedstates/x/283976/Data+Protection+Privacy/The+US+Da

ta+Privacy+Debate+In+A+Nutshell>.

Singer, Natasha. "An American Quilt of Privacy Laws, Incomplete." The New York Times. The New

York Times, 30 Mar. 2013. Web. 10 Mar. 2015.

<http://www.nytimes.com/2013/03/31/technology/in-‐privacy-‐laws-‐an-‐incomplete-‐

american-‐quilt.html?_r=0>.

Singer, Natasha. "Data Protection Laws, an Ocean Apart." The New York Times. The New York Times,

02 Feb. 2013. Web. 03 Mar. 2015.

<http://www.nytimes.com/2013/02/03/technology/consumer-‐data-‐protection-‐laws-‐an-‐

ocean-‐apart.html?_r=2>.

Singer, Natasha. "White House Proposes Broad Consumer Data Privacy Bill." The New York Times.

The New York Times, 27 Feb. 2015. Web. 02 Mar. 2015.

<http://www.nytimes.com/2015/02/28/business/white-‐house-‐proposes-‐broad-‐

consumer-‐data-‐privacy-‐bill.html?_r=0>

Sotto, Lisa J., and Aaron P. Simpson. "United States." Data Protection & Privacy in 26 Jurisdictions

Worldwide. London: Law Business Research, 2014. 191-‐202. Print.

What Will a Future without Secrets Look Like? Perf. Alessandro Acquisti. TED, 2013. Online.

Wigmore, Ivy. "Internet Of Things (IOT)." WhatIs.Com. N.p., June 2014. Web. 03 Mar. 2015.

<http://whatis.techtarget.com/definition/Internet-‐of-‐Things>.

privacy in the age of the internet of things

Documents