Competition Enhancing Enforcement: Addressing the Anti-Privacy Market

By Chris Hoofnagle

Posted on July 20, 2010

I spoke yesterday at the Conference of Western Attorneys General Annual Meeting along with FTC Commissioner Julie Brill, Professor Paul Ohm, Shannon Smith, an AAG in Washington State; and Washington Attorney General Rob McKenna. This is an exciting opportunity to promote “competition enhancing enforcement” to address the anti-privacy market: practices that reduce consumer choice, lead to misleading representations about privacy, or impede information about how information is sold.

Enforcing Meaning of Key Privacy Terms

Privacy policies are too vague to base comparative evaluations upon. This problem could be addressed with targeted enforcement to bring certainty to key terms used in privacy policies. For instance, websites do not want to disclose that they share information with third parties, so some use “affiliate,” “affinity,” “partner,” or “company with products we think will interest you” to obfuscate third party sharing. Several other key terms are used loosely in privacy policies. Some will guarantee users “confidentiality,” without extending protections consistent with that high level of secrecy. Others discuss “anonymization” but then use practices that are not commercially reasonable to deidentify data.

Removing Barriers to Opt Out

A consensus exists that consumers should be able to opt out of many different information sharing programs. However, in practice, competitive forces encourage the frustration of opt out. Company control over the choice process is one powerful aspect of the opt out default (this is well explained by a number of academics, including Kesan & Shah, Janger & Schwartz, and Sovern). Simply put, companies have incentives to erect speedbumps to opting out, and they do. Major retailers are requiring more clicks to unsubscribe from email lists. Opt-out barriers include: sophisticated technology companies that require opt out by mail or fax, requiring the user to state a complete address history, or only opting out individuals who have a police report showing their status as a stalking or domestic violence victim.

The List Brokers and Data Provenance

There is some real low-hanging fruit in the list broker world. The direct marketing industry has failed to self-police, and there are open advertisements for lists of “suffering seniors,” “addiction responders,” “gullible” people, and “impulsives.” Instead of playing whack-a-mole with fraudsters, the attorneys general could strike at the root of telemarketing and mail fraud through pursuing the companies providing the data used to target the vulnerable.

This is an area where consumers cannot self-police. There are many list sellers, some of which do not even have privacy policies, nor is there a central opt out mechanism for much of this data trade.

Data sellers, even mainstream ones, contractually gag data buyers from telling consumers about the provenance of personal information. Thus, when a consumer asks, “how did I get on this list,” the company may be required by contract to lie affirmatively or by omission. One major data company prohibits the revelation of “selection criteria or presumed knowledge about the recipient.” Another prohibits, “any indication that Client or Client’s customers possess any information about the recipient other than name and address…” In a similar vein, a popular terms of service for mailing lists prohibits revealing the source of information: “you or your customer shall not make reference to any selection criteria or presumed knowledge concerning the intended recipient of such solicitation or the source of recipients name, address, and/or telephone number…”


Much has been said about the value of market approaches to privacy challenges, but the last decade has produced vague privacy policies with meaningless terms, incentives to frustrate privacy preferences, and contractual rules against openness in data selling. Smart enforcement actions could curb ambiguities in privacy policies, place pressure on firms that design opt out to mean no opt, and eliminate the culture of secrecy in an industry that so frequency invokes the value of “the free flow of information.”