Analysis by David Curle, Director & Lead Analyst – Minneapolis, Minnesota – Outsell Inc.  October 19th 2012

The swirling debate over online privacy presents risks to the entire information industry, particularly in professional and B2B markets where expectations of privacy are quite different from the consumer market. Increased regulation seems inevitable, but the information industry needs to educate regulators about the danger of unintended consequences and overly broad legislation.

Important Details:  Senator John D Rockefeller IV, Chairman of the Senate Committee on Commerce, Science and Transportation, has issued a letter to nine companies he identifies as “data brokers,” asking them to provide very detailed information about the data they collect about consumers, the sources of the data, and the ways the data is sold and used.  The nine companies are Axciom, Experian, Equifax, TransUnion, Epsilon, LexisNexis, Datalogix, Rapleaf, and Spokeo. While the list is actually quite a diverse set of companies, all of them, in at least some lines of business, collect and re-sell information that can be tied to specific individuals.  The list of nine companies is only representative of a much larger class of companies, so any company that gathers and resells data that might include personally identifiable information should be following these developments.

The investigation does not come out of the blue:

The US House of Representatives had earlier launched its own investigations. Representatives Joe Barton (R-TX) and Ed Markey (D-MA) had led a similar round of letters to data industry players with similar questions about practices;

In March 2012, the Federal Trade Commission, the primary US consumer protection agency, had issued a report, “Protecting Consumer Privacy in and Era of Rapid Change,” which identified privacy issues across a wide range of industries. Regarding data brokers, it specifically recommended that Congress implement targeted legislation that would build transparency into the system by allowing consumers to access information about them held by a data broker, and by making information about data brokers available in a centralized web site, including information about where the information is collected and how it’s used;

The European Union has issued a proposed new Data Protection Directive that would harmonize privacy rules across EU countries; increase accountability of companies managing personal data, give users access to their own data; allow them to transfer it to other providers; and includes a “right to be forgotten” that would allow individuals to direct that personal information be deleted by a given vendor;

A wider “Do Not Track” movement has resulted in the World Wide Web Consortium, a standards body, considering standards that would build opt-out capabilities into software products such as browsers, so that consumers can direct that personal activity not be tracked online;

Meanwhile, the Digital Advertising Alliance (DAA) issued a statement that its self-regulation program will not sanction or penalize companies that ignore the default settings on Microsoft’s Internet Explorer 10 browser or any other browsers that are automatically fixed to a do-not-track setting, saying, “Machine-driven Do Not Track does not represent user choice; it represents browser-manufacturer choice.”

Given the high level of scrutiny that privacy is receiving, it is likely that some form of legislation will emerge after the US election.  The big question is how far-reaching it will be, and what the unintended consequences of any new rules might be.

Implications:  Is it possible for this kind of investigation to be both heavy-handed posturing and witch hunting, on the one hand, and a legitimate attempt to get at a genuine policy concern that is worthy of thoughtful legislation?  It clearly has elements of both.

Businesses organized around the provision of personal data of any kind are suspect these days. Consumers are more aware of the extent to which their behaviors are being tracked and stored – both in the real time advertising markets, and in the broader, longer-term aggregation of data that many of the data brokers who received Rockefeller’s letter perform. Existing safeguards in the Fair Credit Reporting Act now limit access to some of the data collected by credit reporting agencies, but over time the credit agencies and other non-credit players have started collecting a much wider range of data that is not subject to the FCRA – there is a genuine sense that we are living in a Wild West of personal information.

At the same time, there is a real danger of throwing out the baby with the bathwater as this issue becomes so highly charged that careless blunderbuss legislation is put in place.

First, there’s a significant risk that the investigation and the remedy are too broad and fail to make necessary distinctions between consumer and B2B markets. As Congress focuses on personal information about consumers, a great deal of tracking is about individual search behaviors, interests and habits of professional and B2B end users. A businessperson in the market to acquire a widget or a service of some kind does not necessarily have the same expectations of privacy around that behavior as a consumer might place on shopping habits in his or her own life. In fact the two might be the same people – by day very interested in letting the world know what they are looking for because it results in better information and more targeted offers, but by night very secretive and circumspect about their private lives and interests (see Insights, 22 February 2011, Do Not Track – Just Spam Me with Irrelevant Junk). The risk is that potential legislation would cut too wide a path, and would limit the very real gains that many forms of online tracking and behavioral advertising have made in making B2B markets run more efficiently.

Second, there is a risk that legislation is counter-productive, because in general, more personally identifiable information means higher quality personally identifiable information – and there are cases where many business and even consumer users might believe that better quality information trumps any broad stroke, always-on privacy protections.  A case in point: the integration of D&B’s AllianceNetwork with Microsoft’s Dynamics Customer Relationship Management (CRM) platform (covered just this week in Insights, 17 October 2012, D&B AllianceNetwork to Help End Cold Calls). Here the whole point of increasing the amount of data gathered, and its currency, is that better information results in less waste for marketers as they avoid chasing down contacts through inaccurate information, and less aggravation for the B2B targets of that marketing, who are likely to welcome accurately targeted pitches but abhor contacts made on the basis of clearly outdated or inaccurate information.

The players that Rockefeller’s letter targets, and many others, know well that there will very likely be new rules and guidelines to work with in the future, but they are hoping for a slow, reasoned process that is characterized by pragmatic give-and-take between different stakeholders rather than more draconian, inflexible, and hard-to-reverse regulations that can come out of highly charged political processes. This is the biggest policy challenge for the information industry in general; not to fight tooth-and-nail to avoid regulation – which would likely be futile – but to insist that the regulators take into consideration the very real distinctions between different markets and end user segments and their relative needs. Those distinctions can get lost in an emotional, headline-driven debate, which is why there is some risk in the Senate’s current approach.