New York University
A Preliminary FTC Staff Report on "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers"
Vasant Dhar , Jessy Hsieh , Arun Sundararajan The purpose of this document is to respond to selected questions for comment on the proposed framework in the FTC report Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (December 1st, 2010). Our responses are based on our ongoing research about online privacy and data risk at NYU Stern School s Center for Digital Economy Research. Our findings are described further in Dhar, Hsieh and Sundararajan (2011). The specific questions proposed for comment that our response relates to are: 1. Are there practices that should be considered commonly accepted in some business contexts but not others 2. Under what circumstances (if any) is it appropriate to offer choice as a take it or leave it proposition, whereby a consumer s use of a website, product, or service constitutes consent to the company s information practices 3. What types of disclosures and consent mechanisms would be most effective to inform consumers about the trade-offs they make when they share their data in exchange for services 4. Should access to data differ for consumer-facing and non-consumer facing entities 5. Should consumers receive notice when data about them has been used to deny them benefits How should such notice be provided What are the costs and benefits of providing such disclosure Summary and key points -- There is privacy risk inherent in any form of consumer data acquisition, retention and use by a firm. Some parts of this risk are non-systemic and can be reduced by firm and/or policy action, while other parts are systemic and cannot be altered without widespread changes in social norms. -- Our framework for examining the non-systemic privacy risk associated with the acquisition, retention and use of consumer data is based on the relative extent to which the acquiring party (typically a firm or government) and the providing party (typically a consumer) perceive that they own the data in question, which in turn is based on the intention of the consumer. -- Much like intellectual property, data is non-rival, and in the absence of appropriate technological or legal controls, is non-excludable. Any assessment of ownership must be based on some notion of the division of rights between a data provider (consumer) and a data acquirer (firm). -- Currently, both the data acquirer and the data provider seem to have equal and comprehensive rights over the exchanged data (in principle) independent of the context of data exchange. By default, this status quo gives excessive ownership rights to the acquirer (the firm) and generates excessive non-systemic data risk for both parties. -- Consumer perception of data ownership is associated with the intent of the consumer when transferring data to the firm. Specifically, the consumer inherently presumes a lower granting of rights to the firm if the consumer did not intend to transfer the data in exchange for a service by the firm. -- Our framework for classifying consumer intent during data transfer identifies two dimensions that can be used to assess perceived ownership: whether the data transfer was explicit or implicit, and whether the data transfer was voluntary or required for service provision. -- Specifying the intent associated with consumer data transfer on the Internet is complex because some kind of data transfer is necessary for every action during an electronic interaction, irrespective of whether the action explicitly involved intentional data transfer. This is because a consumer may be unaware that data not core to the interaction are being transferred. -- The distinction between explicit and implicit data transfer can be partially disambiguated by examining the corresponding actions that would need to be taken by the firm and the consumer if such a transfer was occurring in a non-electronic