- In October, Verizon revealed that it would share customers’ calling records, including numbers of incoming and outgoing calls and time spent on each call, with third parties. Customers were informed that they could opt out of the new practice by telephoning a 1-800 number within 30 days of having received notification from Verizon; failure to object was deemed by the company to be consent.
- An ongoing practice of credit agencies is to charge consumers to see their own credit scores. Transunion, for example, charges a whopping $14.95 for a basic credit report.
- In early January, Robert Scoble attempted to liberate his social graph from Facebook via the use of a prohibited automated script provided by Plaxo, prompting the social networking site to ban him. He was reinstated after the ban provoked a blogstorm. Scoble’s explanation boiled down to “What? I was just trying to migrate my social graph to another network…shouldn’t that be allowed?”
These three points highlight the disregard many corporations have for customers’ privacy. Corporations collect vast amounts of data, assert ownership over the data they collect, restrict access by customers to their own data, and cavalierly exchange that data with third parties. The misunderstanding of the basic guarantees corporations should offer is profound, and as consumers we all suffer.
Let’s start by defining what we mean by personal information. Personal information includes any factual or subjective information, recorded or not, in any form, about an individual. For example: name, address, telephone number, gender, identification numbers, income, blood type, credit records, loan records, existence of a dispute between a consumer and a merchant — even intentions to acquire particular goods or services. And let’s not forget health, medical history, political opinions, religious beliefs, trade union membership, financial information and sexual preferences!
Now, what rights should you have? Here are four principles that form a Privacy Manifesto for the Web 2.0 Era.
1. Every customer has the right to know what private information is being collected. That rules out any secret data collection schemes, as well as monitoring regimes that the customer hasn’t agreed to in advance. It also rules out any advertising scheme that relies on leaving cookies on a customer’s hard disk without the customer’s consent.
2. Every customer has the right to know the purpose for which the data is being collected, in advance. Corporations must spell out their intent, in advance, and not deviate from that intent. Reasonable limits must be imposed on the collection of personal information that are consistent with the purpose for which it is being collected. Furthermore, the common practice of inserting language into privacy policies stating that the terms may be modified without notice should be banned. If the corporation collecting data wishes to change its policy then it’s incumbent upon the corporation to obtain the consent of customers in advance.
3. Each customer owns his or her personal information. Corporations may not sell that information to others without the customer’s consent. Customers may ask, at any time, to review the personal information collected; to have the information corrected, if that information is in error; and to have the information removed from the corporation’s database.
4. Customers have a right to expect that those collecting their personal information will store it securely. Employees and other individuals who have access to that data must treat it with the same level of care as the organization collecting it is expected to.
Viewed through the lens of these four principles:
- Verizon should have asked customers’ permission before sharing their information, and should have assumed that permission was denied until informed otherwise.
- Credit agencies should, upon request, share an individual’s information with them; should require consent from the individual before sharing their information with a third party; and should allow an individual to opt out of the credit reporting processes altogether.
- Facebook comes up smelling like a rose. The guarantee that they made to their users was that they wouldn’t share personal information with third parties. Facebook banned the use of automated scripts to prevent that information from being taken from the site. And Facebook explicitly recognizes in their terms of service that a user’s personal information is owned by the user, not Facebook, and the company is merely a licensee.
Plaxo’s role in the Scoble incident is both surprising and disappointing. The company has one of the best privacy policies on the web today. However, it’s also seeking to advance an agenda that would create an open social graph with CTO Joseph Smarr’s Bill of Rights for Users of the Social Web, which is the source of the conflict. Surely the Plaxo team can see how Facebook couldn’t permit such a flagrant abuse of its terms and conditions. While one can make a good case that the social graph should be open, given Facebook’s current terms, opening that social graph should only be done with the consent of the owners of that data – Facebook’s users.
In many parts of the world, governments are now creating legislation embodying the four principles of this Privacy Manifesto. Citizens of those countries have responded favorably, rewarding businesses that assure their privacy, and penalizing those that don’t. In Canada, for example, personal information is protected by something known as the Personal Information Protection and Electronic Documents Act (PIPEDA) and as a result, it’s not unheard of for customers to patronize businesses that store their data locally. Many Europeans are equally sensitive.
Not only are the four principles of the Privacy Manifesto good for individuals, they’re good for business.