What Comes First, Innovation or the Consumer?

In December 2010, the Department of Commerce published a greenpaper from the Internet Privacy Task Force for public comment. According to the press release issuing the greenpaper, the intent is "Protecting Consumer Privacy Online While Supporting Innovation." But we all know how difficult it is to establish a framework to execute potentially conflicting objectives. And the green paper fails to overcome this challenge.

In the Foreward (pp.iv.), General Counsel Cameron Kerry calls for a "Dynamic Policy Framework" to offer "a clear lens through which to assess current policy". While policies need to be "dynamic" to leave room for future unanticipated consequences, the framework should be consistent and clear to give flexibility in execution but maintain fundamental integrity.

Although the detailed discussion about execution is comprehensive and thoughtful, the leadership level communication is contradictory and confusing by failing to establish whether innovation or the consumer comes first.

For example, there are contradictions in the goals set in Secretary Locke's introductory letter and the Foreword from General Counsel Kerry.

The paper begins with a letter from Secretary of Commerce, Gary Locke, in which he clearly states there is a problem from the consumer point of view, compelling a "fresh look":

New devices and applications allow the collection and use of personal information in ways that, at times, can be contrary to many consumers' privacy expectations. Addressing these issues in a way that protects the tremendous economic and social value of the Internet without stifling innovation requires a fresh look at Internet policy (emphasis mine).

However, Cameron Kerry, General Counsel, asserts that the current model builds trust and protects consumers:

The United States has developed a model that facilitates transparency, promotes cooperation, and strengthens multistakeholder governance that has allowed innovation to flourish while building trust and protecting a broad array of other rights and interests.

As a result of the task force's satisfactory assessment of the status quo, Kerry asserts that the goal of the task force is to maintain consumer trust:

Privacy protections are crucial to maintaining the consumer trust that nurtures the Internet's growth.

And instead of taking a fresh look, the recommendation is to "reinvigorate" transparency:

...the green paper recommends reinvigorating the commitment to providing consumers with effective transparency into data practices, and outlines a process for translating transparency into consumer choices through a voluntary, multistakeholder process.

In other words, Kerry presumes that consumer trust is "good enough" when third parties are transparent about taking raw data without consumers' express consent, interpreting it without consumers' corroboration and participation , yet representing that interpretation as actionable and expected by consumers to Vendors, for commercial purposes.

The assertion that consumer trust is satisfactory contradicts both Secretary Locke and the body of the greenpaper, which cites research revealing consumers of all ages do not trust these commercial uses of their information.

Separately, despite the representation of consumer marketing companies in the list of inquiry respondents, there is little reference anywhere to the industry's desired improvement in the effectiveness of internet marketing tools and media. How can the Commerce Department ignore that the fastest growing segment of the Internet is "custom digital publishing"? Marketing companies like Procter and Gamble are taking a detour around media companies to connect with consumers and are producing their own media properties to build relationships. This is specifically because marketing professionals realize that growing the business through short term promotions is not as effective nor as efficient as building long term relationships with consumers.

Instead of advocating for the status quo and endorsing current practices through regulation and policy -- as if this is the best business can do to both build consumer trust and promote innovation -- the government should "disrupt ambiguity" with policies which encourage innovation that improves consumer trust, relationship building with commercial enterprises, and consequently the value of information to develop, market, and communicate with consumers.

There are many initiatives working to achieve these objectives. For example, Project VRM, and the Personal Data Ecosystem. It is hard enough for entrepreneurs in these communities to raise investment dollars and educate consumers in today's highly competitive market. We wonder why the government would endorse or sanction existing practices as "best" making it even more difficult for these initiatives to overcome hurdles for success?

In the spirit of promoting innovation to improve consumer trust, here's the opinion of one consultant and entrepreneur, Comradity, on the greenpaper's recommendations.

As background, the paper's "Dynamic Privacy Framework" makes 4 recommendations:

1. Fair Information Practice Principles (FIPPs): "clearly articulated purposes for data collection, commitments to limit data uses to fulfill these purposes, and expanded use of robust audit systems to bolster accountability."
2. Privacy Policy Office in the Department of Commerce (PPO): "work with the FTC in leading efforts to develop voluntary but enforceable codes of conduct. Companies would voluntarily adopt the appropriate code developed through this process. This commitment, however, would be enforceable by the Federal Trade Commission. Compliance with such a code would serve as a safe harbor for companies facing certain complaints about their privacy practices."
3. Encourage Global Interoperability: "build on accountability, mutual recognition and reciprocity, and enforcement cooperation principles pioneered in the Organisation for Economic Cooperation and Development (OECD) and Asia-Pacific Economic Cooperation (APEC)."
4. Ensure Nationally Consistent Security Breach Rules: "Federal commercial data security breach notification (SBN) law that sets national standards, addresses how to reconcile inconsistent State laws, and authorizes enforcement by State authorities... The FTC and individual States should have authority to enforce this law."

Here are Comradity's responses:

1. The value of the FIPPs is directly related to whether the goal is to maintain consumer trust or improve it. For example, we believe that if the default were "opt-in" instead of "opt-out", companies would be naturally inclined to be transparent and limit data uses to those that clearly and directly benefits the consumer in order to increase "opt in" rates. To avoid potentially deceptive or empty promises, we believe an independent multi-stakeholder agency review (e.g., the Privacy Impact Assessment (PIA) ratings) would assure audit systems are used to prevent drops in PIA ratings. To encourage new companies or existing companies who are innovative to make such a dramatic shift, why not give companies a free pass on regulations or favorable tax incentives when they make the default "opt-in" and volunteer for the PIA ratings?
2. Why recommend adding the PPO, another representative to represent business interests? If there's a need for a new government agency, shouldn't it be a multi-stakeholder representative agency with representatives from Commerce, the FTC, the new Consumer protection agency, individual States Attorney Generals, the State Department, and others?
3. If the objective of the Department of Commerce is to encourage global interoperability, why does it fail to acknowledge the existence of Privacy Commissions in Europe and Canada? In fact, another example of the contradictions between different sections of the greenpaper, in the body of the discussion about FIPPs, Privacy Impact Assessments (PIAs) are recommended, following the example of the European Commission:

An industry standards organization pointed to the example of PIAs for radio frequency identification (RFID) tags, readers, and writers; 106 the European Commission recommended that EU Member States and RFID users develop a framework to assess the privacy risks (and safeguards) of using RFID applications.

To see all the public's responses to the Department of Commerce Internet Privacy Task Force Green Paper questions, the link is here.