Opt-In Consent Not Necessarily Best Model to Protect People's Privacy, Say ITIF Panelists
Giving consumers opt-in choice to have data collected, used and shared may not necessarily be the best model to protect privacy, said panelists during an Information Technology and Innovation Foundation event Thursday. The discussion on opt-in vs. opt-out consent followed a recent piece from ITIF research analyst Alan McQuinn saying privacy debates aren't about consumers vs. companies but about individuals having differing privacy preferences. "Opt-in laws are less efficient and costlier than opt-out ones," wrote McQuinn.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Moderator ITIF Vice President Daniel Castro said opt-in rules are bad when viewed from an internet innovation perspective. He said studies show the value of information is low, but the relative cost of obtaining consent to collect data is high. "The best-case scenario this means companies have less money to invest in new products and services," he said. "The worst-case scenario means you have companies that are actually shutting down sites, shutting down services or they're moving to a ... pay-per-use model." He said opt-in notifications aren't user friendly and often designed for a small population that really values privacy. Such "privacy fundamentalists" would protect their information whether they use an opt-in or opt-out model, he added.
John Verdi, Future of Privacy Forum vice president-policy, said advocates view privacy as a freestanding obligation and it can't be characterized in economic terms, but most advocates wouldn't say opt-in is needed for every single piece of data collected. He said some data collection is implicit and it's clear to consumers who would benefit, such as when they order a product from an online retailer that would have to share the shopper's personal information to have a shipper deliver. When consumers use an app to find the nearest coffee store, they shared location data.
George Washington University strategic management and public policy professor Howard Beales, who headed the FTC Consumer Protection Bureau 2001-04, doesn't see a difference between the first-party and third-party uses of data. He said users have no idea how credit-card processing works and don't understand that a transaction with a merchant may go through four or five different processors to the user's bank along with fraud control screening from the credit card network. He said where it may matter is when users sign up for Facebook and Google, which can then deliver advertising to them, and that information is a "tremendous advantage" to those companies.
"Consumers are showing different patterns, different ways of dealing with their own privacy," said Internet Association General Counsel Abigail Slater. She said there's "not a silver bullet approach" to privacy and there's a contract bargain between a company like Facebook and its some 2 billion monthly users, who see a value in sharing data. "Sophistication" is growing among users in how they manage their data once online, she said. The internet is less successful in Europe than in the U.S. for reasons including policy choices including privacy, she said.
Many companies may adopt the EU's general data protection regulation (GDPR), which takes effect in May, as the minimum standard globally since it's difficult to provide tailored privacy policies for data they collect, share and use across different regions, said Kara Sutton, senior manager for the U.S. Chamber of Commerce's Center for Global Regulatory Cooperation. She's concerned about potential for "analysis paralysis," meaning consumers may get all opt-in notifications to provide information that might either be sensitive to them or not. She said GDPR provides "a little bit" of other ways for data processing to occur beyond the consent-based model, but said the U.S. approach, more risk-based, is the better direction for companies.