While privacy and piracy have been in the news quite a bit in the past few months as separate ideas, David Holtzman’s Viewpoint in Business Week Online – July 24, 2006, took the interesting step of combining them.

Recent debate about privacy has been engulfed by repeated high-profile breaches and the subsequent focus on data protection and security. Mr. Holtzman moves the discussion about privacy back to where it belongs – the value of personal data and how it is used.

The focus on data ownership, however, maybe a red herring.

The concept of ownership bundles rights that a person can 1) assert around a thing, and 2) can restrict anyone else from asserting around such thing. This works well with physical objects (film, cars, CDs, etc.) but becomes more problematic when addressing data about such things.

A person actually does not own personally identifiable data in many instances.

For example, I don’t “own” my bank account number. While this may be counterintuitive, I cannot restrict my bank from changing or even reusing my account number. Because the bank has more rights over who can and how that number can be used, I can’t be said to “own” that number.

Much personally identifiable data is subject to this quandary – the data is about me, but I don’t “own” it.

Control versus Ownership

This difficulty with data ownership exposes Holztman’s red herring. Most of us aren’t as concerned with the technicality of ownership of our data as much as asserting control over our data.

Jim Harper of the Cato Institute articulates the definition of privacy like this:

“Privacy is the condition that people enjoy when they are given the opportunity to control information about themselves, and they exercise that control in a manner consistent with their interests and values.”

A privacy policy is supposed to do exactly that — to allow you to exercise control over data about yourself. Without mentioning “ownership,” this definition works well with how consumers interact with their data in the marketplace.

TRUSTe’s program requirements around what must go into a privacy policy expressly require this option of control. According to TRUSTe, a consumer must be given the option of limiting use beyond the transaction for which data was collected, and a company may not eliminate this requirement through privacy policy disclosures.

(There is an exception for complying with legal disclosure requests from the government, as recently seen with the nation’s telecommunications firms.)

Further, where a website collects personally identifiable data from a third party, as in a gift delivery, the consumer must affirmatively opt-in to any other use by the same company that isn’t for the primary purpose of the collection. This means that if a friend sends you flowers, that flower shop is not able to send you offers for additional services unless you opt-in.

These requirements give control to the consumer regardless of who “owns” the data. A company, at least one certified by TRUSTe, can hardly do whatever it wants with data about an individual.

Mr. Holtzman and I do not greatly disagree. He offered our shared viewpoint with the statement:

“As consumers, we should be entitled to only give out our information when we want, and maintain some control over its subsequent disposition, including mandatory erasure when our business relationship is terminated.”

TRUSTe requirements, and all the regulatory environments which address personally identifiable data (e.g., Gramm-Leach-Bliley Act, HIPAA, Fair Credit Reporting Act, etc.) are in alignment with this concept of control versus ownership. Compliant policies restrict how personally identifiable data about an individual is used and disclosed regardless of who “owns” the data.

Commerce versus Stealing

Which brings us to the second privacy issue raised by Mr. Holtzman – the value of data. Mr. Holtzman makes a fascinating assertion that a privacy statement is a “license to steal consumer information, wrapped up in legal tinsel.”

First, stealing is taking from a person, without their consent, something they “own” (which may or may not be the case with personally identifiable information).

Consequently, there are two elements in play here:

  1. ownership of the data in question, and
  2. lack of consent.

If a person gives you something, that isn’t stealing. Further, if a person gives you something in exchange for something else, not only is that not stealing, that is called commerce.

So, putting aside the first threshold issue of data ownership, let’s discuss the second issue of “bargained-for exchange,” which seems to be at the root of Mr. Holtzman’s complaint – “why can’t I get paid for data about me?”

Bargained-for Exchange

A consumer interacts with a company (which would be the reason for a privacy policy to even apply) when the individual perceives a value to the interaction. Perceived value could come from information the individual receives from the company, or from the services that the company offers.

I pay my bills at CheckFree because I perceive value when I don’t have to pay 37 cents to mail my bill. Further, when CheckFree personalizes communication with me, I perceive value in knowing I am not getting phished or spammed.

So, for the disclosure of my information, I receive value in reducing my cost of paying bills, increased security in communication from Checkfree, and increased convenience of paying bills online.). All this for a service I don’t have to pay for. That looks a lot like bargained for exchange.

Regardless of “ownership”, the individual’s engagement with the business provides at least perceived, if not actual, benefit for the consumer. This is not stealing.

Now, a larger question lies in what kinds of companies actually do follow TRUSTe or GLB-like requirements? And additionally, is the benefit given to consumers actually realized to the level that the consumer wants?

I think these are excellent questions and should be fully explored. However, these questions do not really lend themselves to the sensationalization that sells newspapers.

Regardless of how sexy the topic may not be, it is fundamentally the first principle of the privacy debate – can individuals control information about themselves in a way that is consistent with their interests and values; or is commerce placing a lower value on the bargained for exchange than the consumer might?

This is a question of market motivations and consumer values. However, before any of this can happen in a meaningful way, commerce must adopt the business models that provide informed choice to the individual. TRUSTe is one way the marketplace does this.