The Anti-Choice Privacy Fundamentalists
One of the fundamental debates around privacy is whether certain activities should be opt-in or opt-out. However, lately it seems that giving users the ability to opt-in is not enough for the most hardline privacy fundamentalists. They do not even want to give consumers the right to choose.
I do not want to rehash the debate on opt-in vs. opt-out, but I do want to discuss the current level of choice afforded Internet users. First, let’s be clear: even when users do not “opt in” as it is traditionally understood (i.e. giving affirmative assent), users still have choice. Users express this choice when they opt to use or not to use a particular website or service. There may be no formal “I do” or ceremony, but a choice is still made, and it is no less real than a common-law marriage.
Websites have privacy policies and users can choose to read them. If users have strong privacy preferences, then they have the option to read the policy. This is the entire basis behind the current notice and choice system we have today (which, contrary to unsubstantiated claims in the recent FTC report on privacy, works fairly well today). Whether an individual reads the privacy policy or not is their choice. And since many users will say it is too difficult or cumbersome to read these policies, they can rely on third parties to validate the claims. For example, TRUSTe runs a Privacy Seal program and privacy advocacy groups routinely opine on the privacy of websites. If users don’t like the privacy practices of a particular organization, then they can choose not to do business with them. And if websites do not adhere to their stated policies, they must face the consequences under the FTC’s current authority to regulate unfair and deceptive trade practices.
Opt-in proponents ask for a second level of affirmation. Users must change a default setting of “no sharing” to “sharing.” Sometimes this second step is necessary and useful, but it should be applied appropriately. For example, an organization should use opt-in if it wants to share certain types of personally identifiable information with third parties that could put users at risk. In these cases, the organization should obtain permission from users before sharing this information. In many cases, such as with behavioral advertising, opt-in is not necessary because there is no risk to users.
Privacy advocates would like to see legislation that requires opt-in consent before collecting, using or disclosing even the most basic data about users. And many of these same advocates would also like to require opt-in consent before using de-identified data. But as Stu Ingis (who leads the privacy practice at the law firm Venable) correctly noted, “Opt-in takes the information out of the information economy.” And as I have described before, opt-in can impose a heavy toll on businesses that must spend more resources on obtaining consent than on providing consumers services. For example, economists Avi Goldfarb and Catherine Tucker documented that European executives have found that it costs approximately 15 euros to obtain user consent to be tracked online. Moreover, opt-in requirements can actually lead to lower levels of privacy for users because they encourage “scope creep” among businesses (i.e. they start to ask for more than they need) and desensitization to privacy notices among users (i.e. they get tired of unimportant notices and just click “yes”).
Most companies act responsibly and allow users to opt-in when appropriate. Even Facebook, which constantly receives criticism from privacy fundamentalists, has used opt-in as it deploys certain new features. For example, in January, Facebook rolled out a feature to allow users to share their contact information with others through Facebook. As Facebook described on its Developer Blog:
On Friday, we expanded the information you are able to share with external websites and applications to include your address and mobile number. With this change, you could, for example, easily share your address and mobile phone with a shopping site to streamline the checkout process, or sign up for up-to-the-minute alerts on special deals directly to your mobile phone.
As with the other information you share through our permissions process, you need to explicitly choose to share this data before any application or website can access it, and you can not share your friends’ address or mobile number with applications. Also, like other data you make available to third party apps and websites, you can always clearly see and control the ways your information is being used in the Application Dashboard.
Many privacy advocates immediately derided this new feature even though users would have to expressly give permission every time an application wanted to obtain access to their contact information. Blogs like the Huffington Post were awash with misleading headlines such as “Facebook Starts Sharing Your Home Address, Phone Number With Developers.” And groups like EPIC immediately objected to the new feature claiming that Facebook was “trying to blur the line between public and private information.”
It has become clear that opt-in is not enough for privacy fundamentalists. The objections likely stem from the fact that these groups fundamentally oppose the idea of corporations having personal information, not just about themselves, but about anyone. Their paternalistic view of Internet users is at the heart of arguments in favor of government regulation to protect consumers from themselves. They do not want to give users choice; they want to make the choice for users.
The goal of policymakers should be to give users the freedom to choose their own privacy settings; it should not be to enforce a rigid privacy doctrine on all users. As Congress considers privacy legislation in the coming months, it should remember that the focus should be about finding ways to empower users through competition, choice and innovation, not about taking away their freedom to choose.