Legal Issues: Data Privacy, Security, and Intellectual Property
The Right to Privacy?
In the United States, we have no expressly stated right to privacy. Scour the United States Constitution’s Bill of Rights and you will see privacy is not expressly mentioned. Some case law has established a right to privacy, most notably Roe v. Wade (1973), but so far, a provision for true data privacy has not been mentioned. The reason for this lack of attention is based on the historical foundations of the United States itself.
Calvin Coolidge said, “the business of America is business.” To prosper, business needs data. So, although freedom of religion and separation of church and state were important founding principles in the United States, also important was the freedom of commerce. The Revolution, after all, started in part over perceived unfair taxation of tea imported into the country. The eighteenth century was also the age of laissez-faire capitalism as articulated by Adam Smith. The idea of free trade and free markets was allowed to flourish in the newly founded United States. As we discussed in Chapter 1, data must flow along the value chain to help create value for the customer and profits for the firm. Customer information is included in that data.
For many years, data flowed freely in this country to facilitate commerce. A key element of this free flow of commerce was the consumer’s trust that the data would be used in a responsible manner. However, let’s face it: things moved more slowly in the eighteenth century. As noted in Chapter 1, there have been trends in the last 20 years that have fueled e-commerce and digital marketing growth. The growth of the Internet and the ability to manage large-scale databases in a real-time fashion have meant that marketers have the ability to know more about us than we really might want them to know and to track our behavior online using a variety of mechanisms.
Earlier, in the context of online advertising, we talked about tracking cookies that are placed on our computers by various websites and search engines. These cookies can help by remembering our preferences when we return to a website or by delivering a targeted advertisement. On the other hand, if we don’t want the enhanced web experience, we can delete cookies or use ad blocking software on our browser. It’s rather like direct mail in concept. If we did not have data management companies cleansing data and helping firms target us, we would receive far more direct mail solicitations than we receive today and they would be of less interest to us. Similarly, if we decide not to enable cookies, we have a generic browsing experience full of ads for refinancing our mortgage and reducing troublesome “belly fat!”
Consumer Attitudes toward Privacy
Nonetheless, data privacy is an emotionally charged issue. First, consumers often confuse data privacy and data security, which will be discussed later. Emotions run high about data security breaches, and consumers also have negative attitudes toward marketing and fear the government having too much information about individuals and using it in an intrusive way. When speaking about data privacy we refer to personally identifiable information (PII). Dr. Alan Westin, who before his death was a professor of law at Columbia University, did a lot of research on public attitudes toward privacy and found that most of us were willing to trade privacy for something of value. Consumers in general want more control over their PII but aren’t sure they want to go through all the steps necessary to control information. Would you really want to tell every website you interact with how to handle your information?
A good exercise is to look at the privacy policy of a large company like Amazon.com. Amazon’s privacy policy may be found at the link in footnote [1]. You will see that the policy does not say that the company will not resell your information. It does say what the company will do with the information in a forthright manner and is one of the best examples of a privacy policy. Many companies that have gotten into trouble over PII have not followed their privacy policies; so if the policy is in place, it should be followed.
Nonetheless, in various studies the majority of individuals feel uncomfortable with activities such as behavioral targeting of advertising, although there are generational differences. Younger consumers are more likely to feel comfortable with how data is used today to target advertising to them across various devices. There have been a number of surveys recently on data privacy, with some indicating that consumers think brands are benefitting more from data sharing than the customer sharing the data [2]. So the climate is now set for consumers to be open to stricter data privacy laws in the United States.
The EU Approach
In contrast, the European Union has always viewed data privacy differently. The 1995 EU directive [3] allows the data “subject” right of access to data and the right to find out about the processing of data. The European Union, while understanding that data is important to the flow of commerce, considers that data about the customer belongs to the customer and not to the company or entity processing the data.
With such differing standards, how do companies do business with the European Union? For many years in the United States, companies that complied with what were known as the Safe Harbor practices were allowed to do business with companies and consumers in EU countries. The provisions are the following: notice, choice, onward transfer, access, security, data integrity, and enforcement [4].
The Federal Trade Commission (FTC) has suggested Fair Information Practices principles which include remarkably similar categories to those of the EU in terms of notice/awareness, choice/consent, access/participation, and enforcement/redress. Unfortunately, these practices are still guidelines. The FTC in its guidelines on this issue has suggested that companies design privacy into their products and services, simplify choices, and provide greater transparency for data, but so far these suggestions do not have the weight of federal legislation.
In part because of the lack of federal data privacy legislation in the United States, the EU wanted stronger enforcement of its privacy policy and adopted the General Data Protection Rules (GDPR) in 2016; they were generally implemented in 2018. These rules require strict processes for processing data and for obtaining consent and do not apply only to companies doing business physically in Europe. Companies transferring data to the United States are affected as well as those conducting business on the Internet [5]. In short, just about every business is affected by the GDPR.
In addition, the GDPR includes a right to be forgotten, which will allow entities to essentially “opt out” of being found by search engines like Google [6]. Under certain circumstances, a consumer might ask for personal data to be removed from a company’s records. You may have noticed that websites often notify you these days that they are obtaining your consent to use cookies. This type of procedure is an attempt to enforce the GDPR rules. More information can be found in the excellent blog post by the late Dr. MaryLou Roberts listed below [7].
Companies need to carefully consider which aspects of the GDPR apply to them; there is not enough space in this short book to outline the impact of the new regulations on all firms. It is important to note the broad-reaching implications of the GDPR. California became the first state to pass data privacy rules similar to the GDPR with the California Consumer Privacy Act (CCPA), which became effective in January 2020. With so many states doing business with California, there are broad-reaching implications to the new act. In addition, many states are considering similar legislation, and so many different laws could create a compliance nightmare for firms. The time is long overdue for the United States to have a consistent privacy policy on a national level. There are several pieces of proposed federal data privacy legislation and we all hope a solution may be forthcoming soon. Without national coordination, complying with rules from so many states will be burdensome and definitely will inhibit the free flow of commerce (see above) and company profitability.
Even with no national data privacy legislation in place, in the United States today, there are regulations regarding the privacy of PII as it relates to children under the age of 13 (Children’s Online Privacy Protection Act, COPPA), the Gramm-Leach-Bliley Act for the disclosure of financial services data usage, and the Health Insurance Portability & Accountability Act (HIPAA), which gives patients greater control over and access to health records. The United States has decided that in these three areas at least, some government regulation and control is necessary. Whether there will be more control in the future in the United States depends on the legislative process and the concerns of consumers in this area. The Internet Advertising Bureau (IAB) and other trade groups have also introduced principles for self-regulation of online advertising and tracking [8]. Consumers can look for an advertising icon which indicates compliance to get a sense if they wish to do business with a particular site. It is not likely that voluntary self-regulation will be the trend in the future.
Security and Intellectual Property Issues
The issue of data security is related to data privacy because consumers often confuse the two concepts. It seems that hardly a month goes by without hearing about some type of data breach at a major company or a virus that has compromised our PII. In addition, the practices of phishing (e-mails attempting to collect PII), pharming (websites that look real but are not), and spoofing (imitating another person or site) are also threats to the integrity of our personal information. With more transactions being carried out online and over mobile networks that might not be secure, the danger to our information increases. Identity theft continues to rise and the bottom line is that fraud will continue to increase and we need to take steps to protect our information. Even the simple practice of changing passwords on accounts frequently can help protect our personal information.
The topic of legal issues in digital marketing, like the topics of the other chapters in this book, could warrant its own book. I have tried to highlight the key issues in this area and would like to conclude with a word about intellectual property. The ability to share files digitally has impacted the world of intellectual property in a major way. The entire music industry, for example, has had to reinvent itself, albeit slowly, due to the appearance of file sharing services such as Napster. Although Napster had to take down its peer-to-peer (P2P) sharing system, only to re-emerge as a paid music downloading service, the lawsuits surrounding the service paved the way for an entirely new way of looking at the music industry.
Consumers today can not only share content with each other but also receive music on the cloud, through music services, through streaming audio and video and the like. Rights management firms try to ensure that the creators of content receive credit for their work. The Digital Millennium Copyright Act (1998) was intended to protect authors and their publishers alike by ensuring that ISPs remove infringing content and that royalty fees are properly paid. However, with the ability to share information so easily on digital media, intellectual property rights, like data security and privacy, will continue to be a challenge. Some people advocate the Creative Commons approach, whereby authors can grant to the public some limited rights to their work [9]. I wonder if we won’t go back to the systems popular before the modern era, where artists had sponsors to support them and did not rely on royalties for revenue.
What to Do Next after Chapter 8
Discussion Questions
Discussion 8.1: Intellectual property as a concept is dead because of the Internet and digital communication. Do you agree or disagree and why?
Discussion 8.2: Discuss concerns that consumers may have about the privacy of their PII. What do you think a business can and should do to alleviate these concerns?
Discussion 8.3: Pick a company and read its privacy policy. What steps do you recommend the company use to further safeguard the personal information of its customers?
Discussion 8.4: Read Amazon.com’s privacy policy as shown in the link above. What do you like about the policy? Is there anything that concerns you in the policy?
CCPA: California Consumer Privacy Act
COPPA: Children’s Online Privacy Protection Act
EU Safe Harbor Provisions: Guidelines which companies had to follow regarding data to do business with firms in the European Union before the GDPR.
GDPR: General Data Protection Rules from the European Union that now regulate how data must be treated by firms doing business with EU companies.
HIPAA: Health Insurance Portability & Accountability Act
IAB: Internet Advertising Bureau
PII: Personally Identifiable Information
____________
[1] Amazon. 2014. “Amazon.com Privacy Notice,” Website. https://www.amazon.com/gp/help/customer/display.html?nodeId=468496 (accessed October 13, 2019).
[2] Factual Inc. 2019. “Consumers & Data Privacy Perceptions,” PDF. https://s3.amazonaws.com/factual-content/marketing/downloads/Factual-Consumers-Data-Privacy-Perceptions-Report.pdf (accessed January 14, 2020).
[3] European Parliament and Council. 2014. “Protection of Personal Data,” European Parliament and Council Directive. http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=URISERV:l14012&from=en&isLegissum=true (accessed October 13, 2019).
[4] Export.gov. 2014. “U.S.-EU Safe Harbor Overview, Overview,” Website. https://2016.export.gov/safeharbor/eu/eg_main_018476.asp (accessed October 13, 2019).
[5] General Data Protection Regulation (GDPR) Compliance Guidelines. (n.d.). https://gdpr.eu/ (accessed January 14, 2020).
[6] European Commission. “Fact sheet on the ‘Right to be Forgotten’ Ruling (C-131/12),” PDF. http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf (accessed October 13, 2019).
[7] M. L. Roberts. 2019. “Impact of the GDPR after Almost a Year,” https://im4thupdates.blogspot.com/2019/03/impact-of.html (accessed March 3, 2020).
[8] IAB. 2014. “Self-Regulatory Program for Online Behavioral Advertising,” Website. https://www.iab.com/news/self-regulatory-program-for-online-behavioral-advertising/ (accessed October 13, 2019).
[9] Creative Commons. 2014. “About,” Website. http://creativecommons.org/about (accessed October 13, 2019).