Consumer Federation of California

You’ve no doubt heard the statement by former Sun Microsystems CEO Scott McNealy, ‘You have no privacy anyway. Get over it.’ His remark has launched many a lively debate.

At the Privacy Rights Clearinghouse, we often hear from individuals who are frustrated or even angered by such statements and the business practices they perpetuate. While it is challenging to take the many steps necessary to protect one’s privacy online ‘ for a result that is far from ideal ‘ we are not convinced it’s a lost cause. There is simply too much at stake.

Individuals are increasingly using the Internet as their primary information source, often seeking information on sensitive matters such as finances, health, personal relationships, divorce, sexuality, workplace difficulties and legal conflicts.

But few individuals realize the extent to which they are being tracked by companies that create rich profiles of their web-browsing activities. The 2010 Wall Street Journal series, ‘What They Know,’ reported that the nation’s top 50 websites installed an average of 64 pieces of tracking technology onto each visitor’s computer. Tracking tools go beyond the cookies many of us routinely delete. Some companies deploy ‘Flash cookies’ or other ‘supercookies’ that are not only extremely difficult to delete but can also be used to reinstall cookies that a user has removed.

Such data-gathering and profiling activities are largely invisible, except that they can result in the real-time display of behaviorally targeted ads. You might ask, ‘What’s the harm in receiving ads based on my web-surfing history’? In a legislative primer presented to members of Congress by 10 organizations, including ours, several potentially harmful effects of behavioral tracking and targeting were identified: (1) targeting economically distressed individuals with payday loans and subprime mortgages; (2) sending ads for bogus cures to individuals with serious medical conditions; (3) engaging in discriminatory pricing in which some people are offered products or services at higher prices than others; and (4) targeting children who lack the judgment capacity of adults. Further, profiles compiled originally for the ad industry may be sold to non-advertising third parties such as insurance companies.

Harms aside, let’s not forget, simply, the right to privacy. The definition of privacy that guides my organization’s work is the ability of individuals to control the use of their personal information. Everyone has a different comfort level regarding the collection and use of their personal information. We believe individuals’ choices must be respected, no questions asked.

In the online world, this translates into a ‘do not track’ mechanism across all browsers that individuals may easily use to express their online tracking preferences. Such measures have served as a recent topic of discussion in Congress, the California Legislature, and at the Federal Trade Commission. The online advertising industry is lobbying aggressively for a self-regulatory approach rather than a requirement in law or regulation. We are skeptical, however, given that self-regulation has historically failed to adequately protect consumers.

Industry representatives argue that the Internet cannot remain free if people can effectively say ‘no’ to tracking and behaviorally targeted ads. We recommend giving people a choice. If individuals see the value of behaviorally targeted ads, they can affirmatively opt in. If they do not, online advertisers can continue with more traditional yet still lucrative practices, such as contextual ads.

Industry is also quick to point out that online data-gathering resulting in behaviorally targeted ads does not involve personally identifiable data. However, studies show that robust profiles generated from anonymous data can be matched with other data sources, offline and online, to determine individuals’ identities. These days, the anonymity argument is largely a myth.

Another myth is that young people are not concerned about privacy. These ‘digital natives’ have not known a world without the Internet, so the argument goes, and they are not worried about their personal information being revealed online. However, a 2009 academic survey found there are no significant differences between young adults and older individuals regarding online privacy concerns. While some believe that in a generation or two, concerns about online privacy will vanish, we at the Privacy Rights Clearinghouse are not so quick to accept that argument.

In closing, effective online privacy protection requires a multipronged approach involving policymakers, industry, nonprofits and consumers. It must not be lost to bogus arguments and unfounded myths.