
Priscilla Regan, Professor, Department of Public and International Affairs
George Mason University
The Role of Consent in Information Privacy Protection [pdf]
During more than three decades of discussion about information privacy, various codes of fair information practices have been developed to give meaning to a concept of privacy that is defined as an individual's ability to exercise control over their personally identifiable information. In 1973, the Department of Health, Education and Welfare (HEW) developed the first of such codes, which in part required that an individual be able to consent to uses of information for a purpose other than that for which it was collected (secondary use). Later iterations of codes of fair information practices, for example the National Telecommunication and Information Administration's Elements of Effective Self Regulation for the Protection of Privacy, have, at least in part, replaced consent with choice. Much of the more recent policy discussion has been framed in terms of whether individuals should be able to opt in to secondary uses of their information or whether they should opt out of such uses. In an opt-in system an individual must agree before any additional use can be made of her information. The assumption or default is that information will only be used for the purpose for which it is collected; this is perfectly consistent with the original purpose of the fair information consent requirement. In an opt-out system an individual must disagree with the opposite of the fair information principle – the individual has to reassert the principle itself, individually and repeatedly. The assumption or default is that information will be used for any number of purposes unless the individual says no.
The goal of this paper is to help provide a framework for discussing the issue of consent. First, the relationship between consent and choice is examined. Second, the context in which individuals find themselves attempting to protect their information privacy is explored. Third, the issue of secondary uses is discussed. Finally, several policy options are analyzed in light of the preceding discussion.
The concept of consent has long been important in liberal political thought generally (the consent of the governed), as well as in many contractual settings (informed consent for medical treatment). Consent implies an active, affirmative agreement of the individual to engage in the activity in question. It also implies that the individual have some understanding of the implications of what is being consented to. The concept of choice has different philosophical roots and practical implications. Choice is an important component of individual autonomy as reflected in the Supreme Court's decisions on reproductive privacy – the ability to choose or decide for oneself. Choice also has roots in market theories of consumer behavior and these roots provide much of the rationale and expectations underlying choice as a fair information practice. In the market setting, adequate information to make a choice is also important, but the information is often framed in terms of benefits and costs derived from choices. Choice addresses the rational, economic individual while consent addresses the political, social individual.
It may well be that consent and choice can be viewed as complementary concepts. First individuals consent to have their personal information used for a reason other than that for which it was collected and then they choose for what reasons. Consent is the affirmative, active agreement and choice is the more passive selection of alternatives. Consent is a higher level decision and choice is the implementing decision.
Individual choice may be structured by certain rules or government involvement. As a society, we have removed certain individual choices from the market – even though they are choices about consumption. For example, one does not have unfettered choice about the kind of food or meat they may purchase – we limit individual choices here by inspecting food and requiring that it meet certain public health requirements. Similarly, we limit the consumer's choice of cars and children's toys for product safety reasons. There may be different motives for restricting choices in these settings: to protect the individual from making a harmful choice (paternalism); to protect others who may be harmed by one making a bad choice (infectious disease outbreaks, car accidents); or because it is difficult for an individual to make an accurate judgment about the safety of a product or to understand fully the implications of her decisions. Each of these could provide an argument for limiting or structuring the choices that individuals are offered with respect to secondary uses.
The organizational logic on the part of information-rich companies appears to be to collect as much personally identifiable information as conceivable, reuse that information where possible, and exchange that information where profitable. Absent other organizational values (reputation, customer/client satisfaction) or legal/contractual restraints, the logic of the organizational calculus is fundamentally privacy invasive.
The way the market in personal information is currently constructed, the individual who wishes to control or restrict her flow of personal information bears the burden and cost. Privacy decisions are generally hidden transaction costs associated with a consumer or communication transaction. For example, one purchases a product online or visits a website and a record of that purchase or that visit is recorded as transactional information. That information might then be further used by the organization or resold. From the individual's perspective, however, the primary activity engaged in is the transaction, not the recording of the transaction. But it is the recording of the transaction that triggers the need or opportunity to make a decision about privacy.
Under such conditions, it is difficult to assume that the individual is making an informed or rational privacy decision unless the decision about privacy can be completely severed from the decision to communicate or consume. Each decision needs to be made obvious and the privacy decision should be made first. One can assume that as the privacy decisions become more separable from the initial consumer or communication choice, the more rational an individual will be about that choice. However, it is also safe to assume that individuals will not behave totally rationally. Instead, they are more likely to engage in what Herbert Simon termed satisficing behavior, or bounded rationality. This acknowledges that individuals' time and knowledge are limited, resulting in less than rational – but quite adaptive – behavior. It is expected that individuals making privacy choices will likewise engage in satisficing.
Both individual behavior and organizational behavior are skewed in a privacy invasive direction. People are less likely to make choices to protect their privacy unless these choices are relatively easy, obvious, and low cost. If a privacy protection choice entails additional steps, most rational people will not take those steps. This appears logically to be true and to be supported by behavior in the physical world. Organizations are unlikely to act unilaterally to make their practices less privacy-invasive because such actions will impose costs on them that are not imposed on their competitors. Overall then, the privacy level available is less than what the norms of society and the stated preferences of people require.
Relying on individual decisions to protect privacy in a context where organizational logic pushes so aggressively in the opposite direction will result in less privacy than would be optimal from a collective standpoint. Although reliance on individual decisions is consistent with a liberal philosophical view of privacy and with private sector preferences for self-regulation and market forces, the idea that individuals will engage in a process of negotiations with a host of organizations to establish their preferred level of privacy is somewhat unrealistic given the overall context in which information is collected and exchanged. This is even more true when the organizational logic is embedded in a social logic of avoiding risk and maximizing profit by monitoring and profiling individuals.
The original articulation of fair information practices includes the principle that information should be used only for the purpose for which it is collected. Some argue that related purposes or similar purposes within the same organization may be close enough to the original purpose that they could fall under secondary use. This generally leads to a slippery slope where an increasing number of uses are viewed as legitimate secondary uses. Experience with the routine use exemption of the Privacy Act of 1974 illustrates such expansion of secondary uses.
In addition to these implementation difficulties with condoning related secondary uses, I argue that they are logically inconsistent with the fundamental purpose of fair information principles. If the goal is to remove decisions about uses of personal information from the organization and place it with the individual, then any use beyond the original use is incompatible with consent. The action most consistent with the consent requirement is to only use information for the purpose for which it was collected.
The existence of secondary uses exposes the lack of implementation of the collection limitation principle. Although this was originally a cornerstone of the fair information principles, it appears to have vanished in practice. Under this principle, organizations were to collect only relevant, accurate and timely information. But as perusal of any information collection form reveals, all organizations collect more information than would seem necessary. The initial over-collection of information serves to drive the organization's desire for secondary uses of what has been collected. If the collection of information were truly limited, there would be fewer opportunities for and interest in secondary uses.
Another factor driving secondary uses of information is that organizations often assume that they have an ongoing relationship with an individual. But if the goal is to give the individual control over personal information through consent, that assumption cannot be validly made. Unless the individual affirmatively and clearly indicates that the relationship entails more than the instant transaction, then the relationship should be assumed to be limited and not ongoing. If an individual purchases a product and supplies mailing and billing information, that information should only be used to execute the purchase of that product. Once the product is purchased, the relationship between the individual and the organization ends unless the individual affirmatively indicates that she is interested in establishing some further ongoing or limited relationship. The organization has no basis for assuming that the individual is interested in other similar or related products.
It seems that no matter how you scrutinize it, the bottom line is that a consent scheme that is most protective of privacy imposes the largest burden on the individual, as well as costs to the individual while the consent scheme that is least protective of privacy imposes the least burden on the individual, as well as fewer costs to the individual. Recent experience with Gramm-Leach-Bliley confirms this. Such an outcome gives support to arguments for a privacy policy that is not dependent solely upon individual consent and individual enforcement. It also supplies further evidence that organizations need ongoing support to facilitate both the development and implementation of their privacy policies.
Despite the difficulties with implementing and enforcing effective consent schemes, some form of individual consent will almost certainly be a component of privacy policies. A gross distinction between opt-in and opt-out, however, may well camouflage the real complications of implementing consent. A more nuanced analysis of consent would include the following criteria:
The Center For Democracy & Technology 1634 Eye Street NW, Suite 1100 Washington, DC 20006 (v) 202.637.9800 (f) 202.637.0968 Contact CDT Copyright © 2005 by Center for Democracy and Technology.