Last modified: Tuesday, May 26, 2009
Industry must move quickly, through self-regulation, to protect consumer privacy in technology era
FOR IMMEDIATE RELEASE
May 26, 2009
INDIANAPOLIS -- Self-imposed industry standards regarding the digital collection and use of consumer information are the preferred solution to protect consumer privacy and empower business innovation, according to faculty at the Indiana University Kelley School of Business.
If industry fails to set guidelines that recognize consumer needs and expectations regarding privacy issues, it risks the government doing so in a more aggressive and potentially stifling manner.
A recent article in the American Business Law Journal explores challenges to consumer privacy amid the growing use of Radio Frequency Identification (RFID) for real-time inventory control and other purposes. The authors outline several key recommendations they believe should guide development of industry-driven privacy standards for RFID and other emerging technologies, beginning with a better understanding that consumers expect to own, share and control personal information even after they have disclosed it.
"More companies are realizing advances in the ability to link products and consumers through the use of technologies such as RFID, but such progress can sometimes come at the expense of individual privacy," said co-author Julie Manning Magid, associate professor of business law at the Kelley School in Indianapolis. "For RFID and other such technologies to thrive, industry self-regulation that directly addresses the issue of personal privacy threats is far preferable to piecemeal and potentially oppressive government regulation."
According to Magid, there are several successful historical examples of similar types of self-regulating industry standards which reflect consumer needs or expectations, including the myriad "green" initiatives currently being adopted across numerous industries and the development of the Underwriters Laboratories (UL) more than a century ago to test products and write standards for safety worldwide.
Industry should limit types, timeframe and transfer of information
Drawing from the fields of behavioral economics, communications privacy management and social networks, Magid and her colleagues outline three principles that will protect consumer privacy while still promoting efficient business practice:
- The types of information gathered should be limited so that the technology cannot be used to collect highly sensitive or inappropriate data, such as Social Security numbers or medical histories;
- Information should have expiration dates -- 12 months, for instance -- to ensure that information remains relevant and accurate, benefiting both business and consumers; and
- Unauthorized re-use or transfer of information to or by third parties, a practice that the researchers identify as the single greatest threat to consumer privacy, should be banned.
"Individuals clearly expect that their information should remain within expected networks, so companies should take great care to meet this expectation," said Magid. "Further, third-party firms that acquire this information must agree to the data expiration policies consistent with the initial consumer disclosure."
Although the article focused on privacy issues related specifically to RFID technology, the authors believe that the insights and guidelines they identified have implications for a range of fast-growing technologies that utilize consumer information, including Internet data.
Growing concern -- and legal ambiguity -- regarding consumer privacy
Concern among consumers about how and why companies are gathering and using their "private" data has sparked several high-profile backlashes, most recently against Facebook in the wake of its attempt to unilaterally change the terms of service to gain rights to users' personal information and materials. Exacerbating these fears, the professors believe, is an outdated legal model of privacy that offers no sustainable solutions to managing data obtained through modern technologies.
They point to the lack of direct and clear guidelines in the U.S. Constitution, which does not prohibit the collection and use of personal information by private firms. Efforts to adopt new legal models from the Fair Information Practice Principles (FIPP) have fallen short and the growing number of state-level initiatives has the potential to create a patchwork of legal requirements that increases the cost of technological improvement, the professors add.
According to Magid, if industry fails to self-regulate, further legislation may surface that impedes the potential of technologies such as RFID and increase costs to consumers and businesses.
"Although this innovative technology can increase consumer choice and reduce costs, companies must be cognizant of the danger the technologies pose and should take proactive steps to address and mitigate these risks to consumer privacy," she said. "If they don't, then government may do so but in ways that reduce efficiencies to both consumers and businesses."
"Radio Frequency Identification and Privacy Law: An Integrative Approach" appeared in the January 2009 issue of the American Business Law Journal. It was written by Professors Julie Manning Magid, Mohan V. Tatikonda and Philip Cochran of the Kelley School of Business, and is available for download at http://ssrn.com/abstract=1347762.