Regulation and the Offline Data Market

By Chris Hoofnagle

Posted on January 2, 2010

In considering new rules for the online marketplace, policymakers are revisiting the relatively hands-off approach that has governed the offline world.  In November, a joint hearing in the House examined the practices of some of the largest data sellers that have traditionally sold data in offline contexts, such as lists to help ordinary bricks-and-mortar businesses acquire new customers.  At the Federal Trade Commission's 2009 privacy roundtable, these issues were raised again.

Should online privacy regulation also address the offline world?  This question has several difficult dimensions to resolve.  They include the problem of scope: is there a meaningful difference between offline and online practices, especially where data are combined from multiple channels online and off? 

There's also a pragmatic dimension: including offline practices is likely to broaden opposition to regulation, while being unlikely to attract new proponents.  Hordes of small businesses, many of which may have very simple and contained consumer information practices (think of the fishbowl at the register to collect business cards), would have to be incorporated in legislation that also would constrain the practices of major vendors of data.  These same entities will argue that restrictions will make them less competitive against larger firms.

Advocates and regulators have struggled to articulate exactly what the privacy problem is in the online advertising world. They range from civil liberties objections to concerns about autonomy.  Some simply argue that being monitored online is creepy.  In contrast, actual harm is not difficult to demonstrate in the offline world.  In my testimony before the House, and statement for the FTC Roundtable panel, I recounted some of the low points of offline marketing.  These include the selling of so called "sucker lists" by mainstream data companies to fraudsters.  However, Members of the House also objected to the "creepiness" of standard list selling--whether or not fraud was present, there were normative objections to the sale of lists of medical and other information about individuals.

Some argue that offline practices are substantively worse than online ones.  In the online world, practices are at least governed by privacy policies, but it is rare to see a privacy policy at a register in the offline world.  Offline practices are obscure, consumers believe that many of them are illegal already, and some companies deliberately hide their offline data collection from consumers.  A case in point is the recent Pineda v. Williams Sonoma case, where a retailer asked consumers for zip codes at the register, and then combined the data with a reverse search database to determine the consumers' home addresses. 

As the legislative debate unfolds, the offline data market is likely to continue to be problematic and a political liability for online advertisers, especially to the extent that these practices bridge the online/offline divide.