GuestView Column: Private Info For Product Discounts. A Faustian Bargain?

Mark Rasch is the former head of the U.S. Justice Department's High-Tech Crimes Unit and today serves as principal of Secure IT Experts.

Consumers are accustomed to giving up something to get something in return. Usually it's paying for products or services, or driving out of their way to get bargains. With consumer "loyalty" programs and behavioral advertising programs, consumers are giving up privacy rights in return for promised discounts, coupons or other rewards.

The problem with these programs is that many consumers do not really know what they are giving up and that, if they are dissatisfied with the bargain, they probably have no way of getting back their privacy. Merchants get what they want - intimate details about a consumer's identity and habits - but the consumer in some cases gets nothing.

Typically, a contract involves a bargained-for consideration: One party gives something up in order to receive some benefit or reward. In the example of a loyalty program, consumers may get discounts on particular products or services in return for allowing the merchant not only to track their purchases and activities, but also to create a database of this information and share it or sell it to others. Thus, merchants are no longer only in the business of selling widgets, they are also in the business of selling information about people who want to buy widgets. In many cases, the latter is much more valuable.

Usually, the only limitation on the collection and use of this information is contained on the individual Web site's privacy policies under the moniker "what we collect about you..." These policies are difficult to locate and even more difficult to comprehend. Moreover, they are an anathema to the nature of the World Wide Web.

For example, if you want information on diabetes, you simply do a search for the term and start clicking. Most people don't stop their research to look up the privacy policies of each site. The same is true for merchant Web sites. I would be hard pressed to tell you the difference between the data-collection and sharing policies between,, or, much less make shopping decisions based on these policy differences.Recently, a consortium of marketing entities, including the American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, the Interactive Advertising Bureau and the Council of Better Business Bureaus released its "Self-Regulatory Principles for Online Behavioral Advertising." These voluntary guidelines are intended to help businesses that collect personal information about consumers' behavioral activities online avoid government regulation of their data collection practices. The principals are as basic as they are inadequate. They include:

• Transparency and control: Companies that collect information for behavioral advertising should provide meaningful disclosures to consumers about the practice and choice about whether to allow the practice. Of course, companies with "privacy policies" would argue that they already do this and that if you don't like the policy, you can take your business elsewhere. In reality, most people have no idea what data is being collected.

• Reasonable security and limited data retention: Companies should provide reasonable data security measures so that behavioral data does not fall in the hands of unauthorized persons. The devil here is in the details. For example, data should be retained for the minimum amount of time as "necessary for business" or for law enforcement purposes. So the local grocery store will collect and store data about my purchases for as long as they feel they want to, or just in case the cops want it?

• Material changes to privacy policies: Before a company uses behavioral data in a manner that is materially different from promises made when the company collected the data, it should obtain affirmative express consent from the consumer. The problem here is that most online contracts provide that they can be changed by the Web site operator at any time, just by posting the new contract online. This is the antithesis of a contract, where both parties are bound. For example, I recently tried to listen to my XM radio online through the XM Web site. No dice. While I had been paying for the service, XM decided to "enhance" its service by charging more for online access. They changed the contract by simply posting it online. Needless to say I cancelled my service immediately.• Opt-in for sensitive data: The new guidelines would provide that merchants would have to obtain express consent of the consumer before they use sensitive data - for example, data about children, health or finances. However, as companies merge – with health insurers acting as banks, etc., the same company collects the sensitive information. A better approach is that the information collected can ONLY be used for the purpose for which it has been collected without the specific consent of the consumer. If I buy a widget online, I expect the merchant to need my name and address for shipping, and my credit card for payment. Once the sale is completed and the item is shipped and accepted, do they REALLY need the information anymore?

What is Missing

The big thing missing from these voluntary guidelines was pointed out by Saul Hansell of the New York Times. There is no mechanism for a consumer to know what information about them has been collected, stored, shared or distributed, and with whom it has been shared. Most people don't care about this because they are blissfully unaware of the threat to their privacy. For example, when the data broker ChoicePoint suffered a breach several years ago, consumers were not up-in-arms because they had no idea what kind of information ChoicePoint had about them.

If consumers could see what advertisers and behavioral marketers know – or, in the near future, could know - about them, they might be shocked and outraged. Marketers can know, for example, that six years ago I was searching for information about liver failure (for a research paper, but they wouldn't know that.) They might know that I like electronics, read liberal and conservative political blogs (and how often I read each) and where I'm physically situated when I do this.

They can collect, combine, collate and cross-reference this data, creating a valuable profile of me and my activities - both online and off. They can combine this data with a background investigation, scouring public records to find out my real estate holdings, past residences, educational information, licensing and litigation history and even who my cell phone provider might be. The data can go back as far as they have records and be kept and shared for so long as they feel there is a business need or a law enforcement need.

Consumers have no way to access this information about themselves. This transparency is necessary in order for the consumer to adequately decide whether they truly want to enter into these bargains with merchants and Web providers. The merchants and behavioral advertisers rely on the fact that consumers don't know what they are giving up.

Reversing the Bargain

What's worse is that, if consumers are unhappy with their end of the bargains they have no effective recourse. For example, in order to drive traffic to its new search engine, "Bing," Microsoft announced a program called "Bing Cashback" where consumers who used Bing to search for products or services, and clicked on specific "sponsored links" to Microsoft's business partners, could buy products at a discount - sometimes a substantial discount.

In fact, as soon as the new Apple iPhone 3GS was announced, I bought two of them, and a third phone, from AT&T through the Bing site, hoping to take advantage of the Bing Cashback discount. However, Microsoft contended I didn't complete the transaction in a "single Web session," as required in the Bing contract, because – during the course of my making the order, I was redirected back to Bing to provide additional personal information. So Microsoft gave me no discount or "cashback," but still got my personal information and had induced me to buy the phone on the AT&T site instead of at Best Buy, where I could have used a bunch of gift certificates I'd accumulated and wouldn't have had to wait a week for delivery.

Yes, I can return the phones for a refund if I want. But how do I get back from Microsoft my personal information? How do I get it back from AT&T? How do I make sure that it isn't used in any way? That's the problem with the information-for-reward "bargain."

There is an old saying that if something looks too good to be true it probably is. The same is true of these programs that trade privacy for small discounts - the discount may or may not come, but the privacy violation continues indefinitely.