All the notice in the world doesn’t mean anything if the consumer doesn’t see it.
It’s not yet apparent what the Federal Communications Commission’s recently passed privacy regulations will look like in practice. Internet service providers (ISPs) could potentially phone in their compliance to the newly imposed strictures with an updated user agreement or cleverly worded phrases in their terms and conditions.
But Chad Wollen, CMO of Smartpipe, which helps telcos monetize their data, points out the FCC expects “a particular experience be designed so that consumers know how to manage their information – not just a small change to the T’s and C’s.”
The FCC’s regs call for “clear notification” and require ISPs to alert customers about what types of information they collect and to specify the purpose of the collection, as well as who the data is being shared with. Notice needs to be “immediate and persistent,” which means it’s provided when a customer signs up for service and updated when an ISP’s privacy policy changes in “significant ways.”
The opt-in will be more difficult given the FCC’s expanded definition of personally identifiable information. ISPs must now get specific opt-ins to leverage web browsing and app usage history, which weren’t considered sensitive before.
There’s no detail, though, on how that “clear notification” should be presented to consumers, and very little that precludes a service provider from burying its opt-in within the obfuscating embrace of legalese.
Requiring an opt-in might sound more onerous and more likely to protect privacy because the user has to actively provide affirmative consent, but “the fact of the matter is that contracts are usually boilerplate and are hardly ever read by consumers,” said Omer Tene, VP of research and education at the International Association of Privacy Professionals.
“Oftentimes, an opt-in rule yields rote consent and just causes people to sign whatever forms they’re given,” Tene said. “We’ve seen many detailed privacy regulations in the past that didn’t amount to much privacy on the ground at the end of the day. The best of example of that is the European privacy framework, formerly the directive and now the GDPR [General Data Protection Regulation], which is bureaucratic and driven by paperwork.”
The proof is always in the pudding.
“Once we understand the baseline of what we need to achieve, it’s about bringing the commercial response, which is true here and in what Europe is trying to do,” Wollen said. “We’re all too often focused on the absolute moment of truth when the customer is confronted with the tick box, but there needs to be a conversation that starts before that point and continues after about trust in the brand and what value the customer will gain by saying yes.”
But consumers aren’t always willing to participate in the protection of their privacy or control over their personal data. In 2013, for example, Acxiom launched an online portal where consumers can log in to see and edit the marketing data Acxiom had collected about them.
“Even with all the press and promotion about it, guess what the rate was of people who logged in and made changes? Two percent, or maybe a little less than that,” said Josh Herman, a Kimberly-Clark tech and data exec and former Acxiom VP, at AdExchanger’s Programmatic IO in New York on Oct. 27. “[Privacy] is an important issue, but we have to think about the consumer’s level of engagement on the topic, as well.”
Arguably, habitual exposure to protracted and confusing privacy policies can make opt-in borderline meaningless. And, as privacy researcher and University of Pennsylvania professor Joseph Turow argues, many consumers only opt in to allow data collection and sharing because they’re resigned to the fact that they have no real control in the first place.
It remains to be seen how much the average consumer cares about all this, at least in practice, but education to raise awareness and the ultimate consumer-friendliness of whatever mechanisms are put into place will certainly play a big role, Tene said.
But this is new territory for ISPs, which have not traditionally been significant players in the online advertising sphere, said Pantelis Michalopoulos, a partner at law firm Steptoe & Johnson LLP.
“As [ISPs] increasingly enter into that business, consumers will have a somewhat more affirmative say in the manner in which their information is collected, used and share,” Michalopoulos. “The value of that additional say is unclear.”
