Pressure from Consumers
If such an incident occurs--a privacy breach that causes a public backlash against companies--what might happen?
Privacy experts believe that under the Obama administration, public pressure could push policymakers to take the side of consumers and demand more controls on companies. As a candidate, President Obama posted a position statement on his website that included a promise to strengthen consumer privacy protections. "That's what consumers are really worried about," says Milla, the former SSI CIO.
Milla fears that a major privacy incident could spark Congress to slap together an onerous regulation and race it through, a la Sarbanes-Oxley.
Remember ChoicePoint? The company collects and sells consumer data, and in late 2004, it had to reveal that it had sold such data to an identity-theft ring. One of the first big data breaches, the thefts sparked calls for a national identity theft law. ChoicePoint paid tens of millions of dollars in legal settlements and fines. Rep. Rick Boucher (D-Va.), chairman of the House Subcommittee on Communications, Networks and Consumer Privacy (who convened the April hearings on behavioral advertising), says he will introduce legislation in the fall that would strengthen privacy protection. But such legislation has gone nowhere in the past.
The Obama administration could go back to the privacy activism of the Clinton Administration's FTC, worries Jim Harper, director of information policy studies at the Cato Institute in Washington, D.C. Under Robert Pitofsky, the Clinton FTC pushed for a uniform regulatory regime for privacy. Harper thinks today's policymakers should take their cues from consumers, and especially from the dialogue between Google, Facebook and their users.
From a regulatory perspective, therefore, privacy and data control questions are by and large open. In fact, right now German courts are considering whether an IP address is personally identifiable information that needs to be protected. No matter what the court decides, Milla thinks companies will eventually find that consumers do think their IP address is akin to their Social Security number. That will at the least force many companies to rethink their marketing strategies.
Whether or not legal prescriptions for privacy change, the cultural shift toward consumer control of personal data seems to be gaining steam. At the World Economic Forum earlier this year, MIT's Pentland called for a "New Deal for Data." He wants companies to acknowledge the power of consumers by acknowledging:
* Consumers have the right to possess their own data.
* Consumers can control the use of that data.
* Consumers can dispose of or distribute that data as they choose.
He says a number of companies have expressed support for his principles, which he argues really aren't that different from the way financial institutions handle data already. Ultimately, companies need to decide whether the data they manage is their data or not.
"The 'privacy is dead' thing is just clearly wrong," says Pentland. "Yes, different people have different attitudes about privacy. But the part they care about is control. They're willing to put something up on Facebook but they want to control who sees it."
The ultimate privacy question for CIOs, then, is what it means for their companies to cede that control.
Michael Fitzgerald is a freelance writer based in Massachusetts.