Opt-In Requirements: The Hidden Red Tape of Privacy Laws

Businesses increasingly rely on consumer data to provide goods and services. However, the use of personal data raises the question of how that data should be obtained. Privacy advocates argue businesses should have a legal obligation to obtain affirmative consent from consumers before collecting and processing their data, known as an “opt-in” approach, because they believe such a requirement is necessary to ensure consumers have full control of their personal information. However, a growing body of research suggests that creating “opt-in” instead of “opt-out” policies can have a negative impact on businesses and the services they provide—both by raising their costs and limiting how data can be used. These effects are then passed on to consumers in the form of higher prices and lower-quality products and services. On Thursday, October 12, the Information Technology and Innovation Foundation convened a panel of experts to discuss the pros and cons of each approach.

Daniel Castro, Vice President of ITIF and the moderator of the discussion, opened the event by discussing the current state of play on this “perennial” issue. Currently, customers can read a company’s privacy policy and decide whether to use their service. If they use the service, customers are automatically considered to have agreed to how that company collects and uses their data. If they don’t, they are considered to have opted out. Under the opt-in system, businesses would have to ask their customers permission to collect and use certain types of data and may not be able to condition customers’ access to their services on their acceptance of the privacy policy.

According to Castro, the comparatively low value of any one individual’s data would not be able to match the high costs of obtaining consent from each individual. Castro noted, “Best case scenario is that companies have less money to invest in new products and services and the worst-case scenario means that you have companies that are shutting down sites and services or moving to a pay-for-use model that has a negative impact on low-income users.” In addition, an opt-in regime would inconvenience the majority of users who are willing to make tradeoffs in exchange for valuable services that require the use of their data.

The panel discussion that followed featured John Verdi, Vice President of Policy at the Future of Privacy Forum; Kara Sutton, senior manager at the U.S. Chamber of Commerce where she oversees international high-tech and digital policy work; Howard Beales, current professor and a consumer protection veteran who played a crucial role in the development of the Do Not Call registry; and Abigail Slater, General Counsel at the Internet Association and former enforcement attorney at the FTC.

When asked if they thought consumers had enough control over the privacy of their data, the panelists were conflicted. John Verdi pointed out, and Abigail Slater agreed, that the problem cannot be considered a monolith. When companies put in effort and resources to respond to their consumers’ privacy demands, everyone benefits. He pointed to the permissions model on mobile apps as an example: “It has evolved from a model that asks for permission immediately before or after an app is downloaded to a just-in-time model where consumers are presented with their options just when it is necessary.” According to Verdi, this has boosted engagement while making sure consumers had some amount of control over their information.

Kara Sutton felt that the key is striking a balance between protecting an individual’s privacy and ensuring that the society benefits from open information. Sutton said, “To me, an opt-out method means to have information flow more freely but in an opt-in method, you’re looking at potentially fragmenting the ability to use that information. This ends up impacting some of the benefits that society can derive from having information flow freely.”

According to Howard Beales, the problem with the opt-in/opt-out debate is that it assumes that data presents a contract question where one party owns property that can be transferred to another party . “In contrast, I think it makes more sense to think of this as a tort problem; is there something that someone is doing with the information that is causing some harm that we want to try to fix?”

For many consumers, he added, changing the nature of privacy policies may not be worthwhile. He mentioned an interesting study which estimated that reading privacy policies comes with an opportunity cost of $781 billion to consumers. “The way people get kosher hot dogs in the US is not by reading a label that says, ‘not kosher’ in the fine print – that’s the privacy policy approach.” Businesses geared towards protecting consumer privacy should advertise themselves as such to ensure that they are reaching those who value that feature, just like kosher hot dog stands.

Slater said, “We should note that there is an acknowledged bargain between U.S. consumers and companies. There’s a reason why we have two billion monthly Facebook users. They see value in the services being delivered and value in the data they are collecting.” Slater also added that the sophistication with which these companies handle data collection and processing continues to increase as our relationship with the internet grows and changes.

The discussion that followed touched on taking a rights-based approach that considers the right to privacy as a human right regardless of its economic inefficiency or its benefits. According to Verdi, this freestanding right may not easily be characterized in economic terms. The discussion also touched on the idea that the opt-in system impedes permission-less innovation. Slater pointed to the comparative success of the internet industry in the United States and Europe and, while she did not assert that less restrictive public policy in the U.S. was the only reason for the stark difference, it did play a role.

The use of consumer data involves both challenges and opportunities, and the issue continues to evolve as technology becomes more sophisticated. It remains to be seen whether reforms to existing practices will improve data privacy and access to information.

Follow the discussion on Twitter using the hashtag #ITIFprivacy.