Information Privacy

1
Information Privacy

• Kathy S. Schwaig
• Kennesaw State University
• April 24, 2003

2
Four Types of Privacy

• Informational Privacy
• Anonymity, confidentiality
• Physical Privacy
• Ambush journalism, peeping Toms
• Decisional Privacy
• Abortion rights, assisted suicide
• Proprietary Privacy
• Publicity rights

3
Definitions of Privacy

• Modes by which people, personal information,
  certain personal property and decision making can
  be made less accessible to others. Anita L.
  Allen 2001
• The right to be left alone. Warren and
  Brandeis, 1890
• Claim of individuals, groups or institutions to
  determine for themselves when, how and to what
  extent information about them is communicated to
  others. Turner and Dasgupta, 2003
• The desire of consumers to control the
  disclosure and subsequent use of personal
  information.

4
The Tension Benefits vs. Concerns

• Benefits to consumers
• access to credit and financial services
• shopping choices and educational resources.
• The perception of privacy infringement is
  ultimately shaped by the issues of value and
  control. The perception of a consumer that
  knowingly provides personal information in
  exchange for a free PC is very different from a
  consumer having personal information unwittingly
  gathered and sold to third parties. (Dennis,
  2000)
• Privacy Good for Business
• Chris Larsen, CEO of E-Loan Its good business
  practice. Advances in technology are great,
  powerful and scary. We need a knockout blow
  against privacy fears that will benefit the
  consumer and the economy.

5
Business Perspective

• The Importance of knowing what people are doing
  online, what they are purchasing, and what they
  are likely to do in the future is of the utmost
  importance to organizations. (Hinde, 1999)
• Privacy concerns hold economic ramifications.
  Studies reveal that privacy issues are the single
  greatest concern of Internet users and that
  privacy concerns represent the single most
  prominent reason for not shopping online
  (Hoffman, et al., 1999 Udo, 2001)

6
Privacy Calculus

• From a business perspective, privacy is really
  about making the consumer comfortable disclosing
  his/her personal information needed for
  relationship marketing. This involves
  simultaneously communicating to the consumer the
  benefits of disclosure and providing assurances
  that disclosure of personal information is a
  low-risk proposition. (Culnan, 2000)

7
Concerns

• Loss of control
• Misuse of information
• Risk to physical privacy
• Risk of economic injury/identity theft
• Unwanted intrusions into daily life
• Smith (1996) access, collection, secondary use,
  errors

8
Attitudes Toward Privacy (Turner and Dasgupta,
2003)

• Privacy Fundamentalist 17
• Pragmatic 56
• Marginally concerned 24

9
Why Privacy is Important

• Personhood, individuality, personal and social
  relationships, autonomy information is
  relationship currency
• Workable Societal Objective
• The presumption of privacy is not
  absolute.must often be weighed against other
  considerations such as public health and national
  security (9/11).

10
Post 9/11

• British Airways
• Terrorist Information and Prevention System
  (TIPS)
• Trusted Traveler
• USA Patriot Act (Uniting and Strengthening
  America by Providing Appropriate Tools Required
  to Intercept and Obstruct Terrorism Act of
  2001)/data mining
• Total Information Awareness (DOD) Detect and
  Deter
• Cost to Companies
• Compliance Bell South, privacy policies
• Non-compliance Western Union

11
Post 9/11

• Almost every country that changed its laws to
  reflect the environment following 9/11 increased
  the ability of law enforcement and national
  security agencies to perform interception of
  communications and transformed power of search
  and seizure and increased the type of data that
  can be accessed Waak, 2002

12
Legislation

• Cable TV Privacy Act of 1984
• Children's Online Privacy Protection Act of 1998
• Consumer Credit Reporting Reform Act
• Driver's Privacy Protection Act
• Electronic Communications Privacy Act (ECPA),
  revised February 1994.
• Electronic Funds Transfer Act
• Electronic Signatures in Global Commerce Act,
  July 2000.
• Fair Credit Reporting Act, 1970 Amended 1999.
• Family Education Rights and Privacy Act
• Financial Services Modernization Act of 1999 (AKA
  Gramm-Leach-Bliley)
• Freedom of Information Act 1974
• Privacy Act of 1974
• Right to Financial Privacy Act (RFPA) 1978
• Telecommunications Act
• Telemarketing and Consumer Fraud Act

13
Three Ways to Regulate

• Government
• Industry (self)
• Legislation defining the appropriate rules
• Enforcement initiation of enforcement when
  rules are broken
• Adjudication whether or not the company has
  violated the rules.
• Consumer

14
Self-Regulation

• Governments of the industrial world, you wary
  giants of flesh and steelon behalf of the
  future, I ask you of the past to leave us
  aloneyou do not know our culture, our ethics or
  the unwritten codes that already provide our
  society more order than could be obtained by any
  of your impositions
• John Perry Barlow Declaration of the
  Independence of Cyberspace

15
Self-Regulation

• Self-regulatory Regimes Network Advertising
  Initiative
• Privacy Leadership Initiative
• Online Privacy Alliance
• Platform for Privacy Preferences
• IBM Institute and Privacy Management Council
• Trustee, BBB Online
• Industries developing principles and practices
  that reflect the consensus on the best
  approaches. Letting the Fox Guard the Hen House

16
FTCs Agenda

• Creating a National Do Not Call List
• Increasing Enforcement against SPAM
• Helping victims of identity theft
• Stopping Pretexting
• Encouraging accuracy in Credit Reporting
• Increasing enforcement on COPPA
• Enforcing the Telemarketing Sales Rule
• Restricting the Use of Pre-acquired information
• Enforcing GLBA
• Enforcing privacy policies
• Holding Workshop

17
Need for Online Privacy Leadership

• More legislation could increase consumer
  confidence
• Could ensure consistent regulation of collection
  practices across 50 states
• We need more information about how legislation
  will work , what it will cost, and benefits or
  acres of trees will die!
• Challenges of new legislation are daunting.
  Application of access and security is daunting
• Should we limit to online practices
• More law enforcement rather than laws?

18
Concept of Fair Information Practices

• Notice/Awareness consumers should have notice
  of an organization's online information practices
• Choice/consent consumers should have a choice
  about the use and dissemination of information
  they reveal, usually through an opt-in or opt-out
  mechanism
• Access/Participation consumers should have
  access to the information businesses collect
  about them to help ensure accuracy and
  completeness
• Integrity/Security consumers should have the
  personal information collected about them
  adequately secured from outside parties and from
  corruption of the data
• Enforcement/redress consumers should have a way
  to ensure that businesses and organizations
  comply with these core privacy principles either
  through external regulation (audits ) or
  certification programs

19
Our Study

• Reviewed the Privacy Policies of the Fortune 500
  to ascertain the extent to which these sites post
  privacy policies that reflect fair information
  practices.
• Results

20
Of Those Web Sties That Collect Personal
Identifying Information, Percent with a Privacy
Policy
21
Of Those Sites that Collect Personal Identifying
Information and Have an Information Privacy
Policy, the Percent that Mention Fair Information
Practice Principles in their Policy
 
22
Of Those Web Sites That Collect Personal
Identifying Information, The Percent that
Implement Notice, Modified Choice, Access and
Security to Some Extent
 
23
Of the Sites that Post Privacy Policies,The
Percent of Web Sites That Post Disclosures about
the Sites Use or Non-Use of Cookies
24
Of Those Web Sites That Collect Personal
Identifying Information, Percent that Disclose
Whether They do or May Use Personal Information
to Send Communications to the Consumers
25
Of Those Web Sites that Collect Personal
Identifying Information and Offer Choice
Regarding the Use of Personal Information To Send
Communications to Consumer, Percent that Offer
Opt-In or Opt-out
26
Of Those Web Sites That Collect Personal
Identifying Information, Percent that Say They
May Disclose Personal Identifying Information To
Third Parties
27
Of those Web Sites That Collect Personal
Identifying Information and Say That They Offer
Choice Regarding the Disclosure of Personal
Identifying Information to Third Parties, Percent
That Offer Opt-in or Opt-out
 
28
Of Those Web Sites That Collect Personal
Information, Percent That Provide Elements of
Security
 
29
Of Those Web Sites That Collect Personal
Information, Percent That Provide Elements of
Access
30
Sites with a Privacy Seal
31
Of Those Web Sites That Collect Personal
Identifying Information and Display a Privacy
Seal, Percent that Mention
32
Of the Web Sites with Privacy Policies the
Percent that Have Third Party Cookies
33
Of Those Web Sites with Privacy Policies, Percent
That Provide Applicability of the Policy
34
Of Those Web Sites with Privacy Policies, The
Percent that Provide a Procedure Should Changes
be Made to the Policy
35
Of Those Web Sites With Privacy Policies, Percent
that have Special Provisions for Children
36
Final Thoughts

• Sites post privacy policies but they typically do
  not fully reflect FIP
• Most policies have confusing and often ambiguous
  wording
• FTC has promised greater accountability