Choice

Martin Abrams, Executive Director, Center for Information Policy Leadership
Hunton & Williams

Choice seems like such a simple topic. In the United States consumers designate choice through an opt-out mechanism. In Europe individuals opt in. Opt-out means that a business is free to use consumer information for marketing and selling unless the consumer objects. Opt-in means that a business is prohibited from using information for selling and marketing without the consumer's explicit approval. Luckily, choice is not that simple. In the United States, consumers exercise choice by opt-in in certain instances. There are elements of opt-out in European data protection regimes. I say luckily because choice should be proportional. In other words, the level of consumer control should be proportional to the sensitivity of the data, the way in which it is to be used and the maturity of the consumer.

The question of choice has become increasingly important over the past half century as the combination of information technology and digital content have become central to how our economy, society and culture work. As a result, the manner in which we regulate information use has become increasingly important. Data subject choice with notice has become the foundation of information policy in the United States. This paper will examine choice's historic roots, policy evolution, application today, and policy choices and best practices.

Before we begin, we must define the domain for choice as we discuss it in this paper. Choice has always begun with the concept of a data subject walking away from a transaction the data subject considers unfair for whatever reason, including trust about how the collector will use the information. Therefore, the use of information to complete the transaction initiated by the data subject will not be discussed in this paper. Choice, as we discuss it in this paper, is limited to the additional or secondary uses of that data. A company's use of information to bill the consumer for the product he orders, deliver it to his home, and register the product's warranty would not be subject to choice as discussed in this paper. However, the communication of that same information to a third party would be subject to choice as we consider it here, as would be the use of that information to offer the consumer additional products. The reader should keep this definition in mind as he or she considers the rest of this paper.

Historic Roots

The concept of choice has two roots. The first is the development of consent as a foundation of fair information practices principles. The second is the Direct Marketing Association's Mail Preference Service. In this section we will explore these roots and how they have defined choice.

Fair Information Practice Principles

In the early days of information privacy � the late sixties and early seventies � the concepts of data protection and principles of fair information practices appeared at almost the same time in Europe and the United States. In both places there was concern that in the new computer age, governments would misuse information to harm individuals. The theory adopted to protect against such misuse was access control. The data subject would control access to information � he or she implicitly would consent to the collection of information for a specific purpose. Any additional uses would require further explicit consent by the individual. In simple terms, the data subject exercises control by giving or not giving his or her consent. In the United States, this simple concept of data control became institutionalized in the Privacy Act, which only covers the federal government's collection, use and communication of information. In Europe, this concept of control was adopted as national law in many countries, first in the German state of Hesse. Consent also became a foundation for the Organization for Economic Cooperation and Development's Guidelines for the Protection of Data and Transborder Data Flows (OECD Guidelines).

While the concept of data subject consent is fundamental to the theory of effective control, from the beginning consent has been limited by exemptions. Policymakers understood that in many instances data subject control may not be practical or appropriate. They also realized that consent often would impede other societal goals such as limiting fraud, encouraging competition, or providing for national security. Over time, therefore, consent became proportional.

Some examples may be helpful. In the United Kingdom consent is required for a credit grantor to share information with a credit bureau � an unrelated use. However, the credit grantor may require that the consumer consent to such sharing as a condition for the loan. In other words, consent in that situation is an acknowledgment of a notice rather than real consent. Another example is the use of information for direct marketing. Under many national laws information may be used for marketing unless the consumer withdraws his or her consent. This negative consent is equivalent to opt-out.

The Direct Marketing Association's MPS

The second root for choice is the Direct Marketing Association's Mail Preference Service (MPS). The DMA's MPS was probably the first self-regulatory approach to information privacy, and was also the first permission-based marketing system. Consumers could write the DMA and either opt in or opt out to receiving direct mail solicitations. Direct marketers would then purchase the service to remove from their marketing lists those consumers that did not want direct mail advertisements, and add those individuals who wanted additional mail. Over time the opt-in portion of the program faded away. The individuals who added themselves to the lists were shoppers rather than buyers, and therefore the lists yielded very low response rates. Marketers were not interested in buying those lists. (Buyers Choice attempted the same model in the 1990's and had the same results.). However, the opt-out portion of MPS survived and it is now mandatory for DMA members suppress the names of customers who sign on to the MPS to assure that they do not receive direct marketing material. Today, in addition to the MPS, the DMA also manages the Telephone Preference Service and the Email Preference Service.

The DMA's mail preference service was originally completely voluntary. Direct marketers were not required to be members either of the DMA or to participate in the mail preference service. Most major mailers did use the services to demonstrate respect for consumers' preferences.

Policy Evolution

Over the past decade we have seen more privacy laws, both omnibus laws like the European Union Privacy Directive (the Directive), and more targeted legislation in the United States such as the Video Privacy Act,[1] Drivers Privacy Protection Act,[2] and Title V of the Gramm-Leach-Bliley Act.[3] Increasingly, these laws have defined where choice would be required, how it would be exercised, and where there could be exemptions.

Data Protection Law

The European Union Privacy Directive was enacted in 1995 and requires each member country to have harmonized privacy laws. The Directive also prohibits data transfers to countries that do not have adequate data protection. This clause has encouraged data protection in non-EU countries in both Europe (Switzerland) and the rest of the world (Canada, Hong Kong, and Venezuela). The Directive includes the principles of notice and consent, allowing national laws to define the form of consent. Notice and consent requirements are exempted under certain circumstances and special protection is provided for sensitive information. The implementing rules are not always consistent, however, from country to country. In some countries the use of information for third party marketing requires positive consent, while in others negative consent is required.

As discussed earlier, consent is proportional to both the way in which the data is to be used and the sensitivity of the data. Furthermore, the notices that define the use limitation are almost always written in very general terms. It would therefore be very difficult to say that consent in data protection countries is always in the form of opt-in to data uses and communications. The right answer is that consent is sometimes positive, sometimes negative, sometimes in the form of an acknowledgement, and sometimes not required at all.

Choice and Law in the United States

Prior to the 1990's, providing consumers with choice about the secondary use of their information was largely voluntary. For example, the three big credit bureaus would allow a consumer to opt-out of pre-approved credit offers, but were not required to do so by law. During the 1990's that changed. Among the changes in the 1990's:

The Fair Credit Reporting Act[4] (FCRA) was amended to require that credit grantors include an FCRA notice in every pre-approved offer of credit that included an 800 number to opt out, and required the bureaus share the opt-outs;
The Gramm-Leach- Bliley Act (GLB)[5] required financial institutions give notice about data sharing with un-affiliated third parties and offer an opt-out; and
The Drivers Privacy Protection Act[6] required states to give consumers notices about individual lookups and marketing uses of information, and give consumers the opportunity to opt out of the sale of their information.

Some regulations, like the health privacy regulations issued by the Department of Health and Human Services, incorporate elements of both opt-in and opt-out. And not all opt-out legislation of the 1990s retained the opt-out, either because of actions by Congress or agency rulemaking. For example, the Drivers Privacy Protection Act was amended by an appropriations act to change the choice mechanism from opt-out to opt-in. The Federal Communications Commission (FCC), by regulation promulgated pursuant to the Telecommunications Act of 1996[7] provided that customer proprietary network information (CPNI) requires an opt-in before a telecommunication company can use the data for marketing purposes. A federal appeals court found the FCC regulations unreasonable.[8] Therefore, at least for part of the country, the CPNI rules provide for opt-out.

In other words, just as in Europe, choice in the United States is proportional. Sometimes, where the data uses are either considered sensitive (e.g., children's data) or where data subject registration is all but mandatory (e.g., drivers' records) we have positive consent-like opt-in rules. In most other cases, the form of choice is opt-out for additional marketing, either by the organization or third parties. Furthermore, despite the original purpose of privacy law to limit government data use, governments, especially in the areas of national security and law enforcement, have limited the data subject's ability to control data about them for those purposes. Therefore, choice is effectively limited to the broad use of information for marketing purposes.

Notice, Choice and Defaults

While a strong relationship should exist between notices and choice, that doesn't seem to be the case in practice. Notices are flawed. In the United States, law and regulation have increasingly required that notices be long and contract-like. In Europe, notices are often written so broadly that the original purpose is defined in a manner that includes almost all uses. In the US that means that data subjects often don't read the notices to learn how to exercise their choices. Therefore, the defaults most often define whether information is used broadly for marketing (opt-out) or narrowly (opt-in). While it isn't clear whether better notices would appreciably change the numbers of individuals that exercise choice, even marginal changes would help guide our sense what uses of information people consider appropriate.

Terrorism, Law Enforcement, and Choice

The early thinkers in privacy law were very concerned about the government's misuse of information and mission creep by government agencies. However, from day one, choice exemptions to keep us safe have existed in law. Many of those exemptions are quite reasonable. No one, for example, would expect a murderer to have the right to exercise choice over data that helps locate him. What society expects is that there be checks and balances in the system to protect us from mission creep and government misuse. Over the past seven years, those checks and balances have been weakened. For example, the 1996 FCRA amendments gave the FBI the ability to acquire consumer reports without requiring that the inquiry be logged by the credit bureau. The Patriot Act and similar legislation in other countries have broadened the exemptions in the interest of national security, and have weakened data subject choice related to data collected by the private sector. This trend runs counter to the trend we chart in this paper � the expansion of choice from a good business practice to a legal right.

Policy Choices and Best Practices

High quality research has shown that there are three drivers of privacy concern. The first is a desire on the part of consumers for electronic security that they feel is lacking. The second is a desire for control in an information environment they see as out of control. And the third is a desire for all the value, quality and immediacy that technology combined with information can bring them. The desire for security and control conflicts with the desire for the immediacy and value. We therefore seek the compromises that give us a sense of wellbeing. Finding those equilibrium points with public policy is very difficult. The same may be said for choice.

In the private sector we use information for essentially four purposes:

To locate an individual and verify his or her identity;
To qualify the individual for employment, insurance, public benefit, credit, housing, etc.;
To manage a relationship with an individual and fulfill his or her requests; and
To create new products and services with less risk, and discover and sell them to the appropriate candidates.

As we established earlier, choice is proportional based upon many factors. Societal purpose, data subject sensitivity, application and the sensitivity of the data are all factors we consider when determining the level of control that should reside with the data subject. Generally we do not allow consumers to opt out of credit reporting and fraud tools, but we do allow them to exercise control over receiving direct advertising solicitations. As we mentioned earlier, data subject control over government uses of information for law enforcement and anti-terrorism have become less subject to consumer choice. Essentially, the domain in which choice can be exercised has become marketing.

We have evidence that the default set for choice tends to stay in place. If the default is opt-in, businesses cannot aggregate information in a precise fashion to use to design highly targeted products and services for highly targeted markets. On the other hand, if the default is opt-out the result is communication overload. Typically, as a society, we want the middle ground. Again, proportionality comes into play.

We have already discussed that there are certain data flows that are sensitive (e.g., medical information) and populations that are at risk (e.g., young children) that require the higher level of choice associated with consent or opt-in. There are other places where the marketing process takes resources from us, like unsolicited faxes and email that might also require higher levels of control. However, for other applications where convenience is balanced against competition and freedom of expression opt-out should remain the norm. While I truly believe we would not have the consumer driven economy we have today in an opt-in environment, that doesn't mean there isn't room for better basic protections and better implementation of choices. What follows are some of my suggestions:

The individual's choice to opt out of marketing should be protected by law in all sectors. One should have the freedom to buy a product without receiving future sales communication if one chooses to opt out. That means that a mixture of broad opt-out systems should be available to consumers that would cover prospecting and in-house lists of customers who don't want additional e-mail, letters, faxes or calls.
Choice should be easy to exercise. Consumers should be able to exercise choice in a few easy steps. That in turn requires consumers to share the data necessary to make choice easy to exercise. In other words, the consumer exercising opt-out must supply the identifiers necessary to match their name, address and telephone number for suppression.
Proportionality must be rational. The car one drives is a piece of information that is highly useful for marketing purposes because it is predictive of lifestyle. While this information is arguably not considered sensitive, it is subject to opt-in when more sensitive data that is less predictive is not. We need a process for vetting principles for proportionality.
Data subjects have little control over the government's use of information. We don't want to live in a surveillance society. We therefore need to create effective systems of checks and balances to create discipline in this most important area of application.

Finally, we need a national debate on choice that focuses not on whether the answer is opt-in or opt-out, but rather on proportionality in choice that balances our desire as a society to have information and technology driven growth with convenience and individual autonomy.

Notes

[1] Pub. L. No. 100-618, 18 U.S.C. § 2710.

[2] Pub. L. No. 103-322, 18 U.S.C. § 2721.

[3] Pub. L. No. 106-102, 15 U.S.C. §§ 6801-6809.

[4] Pub. L. No. 104-208, 15 U.S.C. §§ 1681 et seq.

[5] Pub. L. No. 106-102, 15 U.S.C. §§ 6801-680

[6] Pub. L. No. 103-322, 18 U.S.C. § 2721 et seq.

[7] Pub. L. No. 104-104, 47 U.S.C. § 251 et seq.

[8] U.S. West v. Federal Communications Commission, United States Court of Appeals for the 10th Circuit, No. 98-9518.