Senators Kerry and McCain released their long-awaited privacy bill yesterday afternoon – the Commercial Privacy Bill of Rights Act of 2011. After scanning through the bill summary and text, I thought I would add my initial thoughts to the mountain of reaction the bill is sure to produce.
First of all, it is clear that the Senators made an attempt at addressing calls for privacy regulation while acknowledging the importance of the free-flow of information in the marketplace. Specifically, the Senators cite the importance of online advertising in funding the “free” online content and services we all enjoy. Also encouraging is the bill’s call for opt-out consent requirement for behavior advertising or marketing, which would have much less impact on commerce than mandatory opt-in consent.
Still, the bill does raise some concerns, which I touch upon below.
The bill requires that firms provide individuals access to information collected and mechanisms to correct the information. This has the potential to create a host of issues. First of all, anytime an individual accesses such information, it is an opportunity for a security breach or even fraud, which runs counter to the bill’s intention to improve information security. Second, it is unclear if an individual is allowed to change any and all information a firm may have collected. What about in instances where an individual may want to remove something they deem as negative, but still accurate? Because of the vagueness of the language, these concerns are not addressed in the bill but they should be considered. CORRECTION: It was just pointed out to me that the bill does allow a firm to deny access and correction, as long as they allow an individual to request that the firm stop using or distributing that information.
Also of concern is the bill’s requirement to only collect information that is needed to deliver a specific service, but allow the use of this information to research and development for a “reasonable amount of time.” There are real trade-offs when the flow of information is restricted. In this case, restriction of information, including the length of time information can be held, will result in hindering innovation, especially in online services. It is unclear if consumers value this restriction of information more than innovation in services, but their actual behavior in the marketplace suggests a willingness to give up information in return for services and content.
Finally, the bill raises an overarching concern that has been reiterated many times by TPI’s esteemed leader, Tom Lenard: “Where’s the data?“ Indeed, the influx of privacy bills and reports of late seem to be based much on feeling and opinions – with not a real analysis of costs and benefits among them. Without a cost-benefit analysis of these proposed regulations and identification of the actual harms the regulation is trying to address, it’s impossible to tell if any of these proposals will actually make consumers better off. Since the commercial use of information has been a vital component of the wide array of services offered on the internet, it is imperative that any policy regulating the use of this information is supported by real data and analysis going forward.