Personally Identifiable Information: Yours, Mine or Ours?
“Important Update Regarding Your Privacy” was printed in bold red on the envelope. It came from Verizon Wireless, but it could have come from almost any company you’re connected with that collects and uses your personal information. You may have glanced at it.
You probably threw it in the recycling bin – unread. Had you opened it, you would have been greeted with a paragraph that read:
The letter goes on to describe the type of information they are seeking to share, such as your mobile searches, the location of your devices and app and device features, in addition to the types of Verizon services you use and your demographic information. The company will use this information to create its own business reports. It will also share it with other companies so they can create business and marketing reports and will use it to create ads tailored to your internet use, with the ultimate, perhaps only real, goal: making a profit.
And if you don’t want this information to be shared? You need to visit a Verizon website or call an 800 number to opt out. And that’s just for the sharing of your information with the outside world. This is the brave new world of personally identifiable information and how it is stored, used, shared and sold. Who owns it and how it is handled is a swiftly moving field that is yet to be settled. But it is evolving on a daily basis. The social media giants Facebook and Google have occupied recent headlines about the use, storage and worth of personally identifiable information, and whether those rights belong in the internet behemoths’ hands, or in yours. New privacy laws, developed by states, have helped define the extent of this information, how it must be handled and what liability exists in case of a security breach. But to date, they have failed to define the ownership and worth of that information.
Cerberus, the three-headed dog that guarded the gates of the underworld in Greek and Roman mythology, prevented those who had crossed the River Styx from ever returning to life. Today, who stands guard over personal information, or stands to profit from it – you, the company collecting it, or a third party with whom they’ve shared it – is up for grabs. How Personally Identifiable Information (“PII”) is collected, used, and protected is a developing area, subject to daily changes and challenges.
PII is a real quantifiable asset, and to date, the people who own it and are uniquely identified by it are not being compensated for this coveted information.
How personal is PII?
What constitutes personally identifiable information, or PII? It is information that can uniquely identify an individual. Broadly speaking, it is information that, taken separately or pieced together, can identify a specific person. Definitions of PII are developing, and vary from state to state. However, Massachusetts is considered among those that have set the bar for defining PII. The state has settled on name – first and last, or first initial and last name – in combination with a social security number, driver’s license, state issued identification card number, or a financial account or credit/debit card number (regardless of availability of the security or access code). The regulations apply to both paper and electronic records, although they are not applicable to information obtained from public records.
Combinations of two or more of these pieces begin to paint a picture of a very specific individual with unique habits, interests and spending patterns. This portrait is of value to marketers, pollsters and other businesses for the detail and specificity it gives them about you.
To date, most companies have focused on the liability side of this issue. They collect massive amounts of data on individuals and their habits; so what happens if that information is leaked, or worse, stolen?
Today we give up so much of our personal information without even thinking about it. We give it up when we sign up for a pharmacy rewards card, when we play a game on Facebook, or when we ask to be part of a group-buying discount program like Groupon. Mailing lists purchased through list brokers can range from $5 to $500 per name, depending upon how extensive or complete the information may be on a person. In other words, the more information provided, the more valuable it is to a marketer. What’s clear, however, is that PII alone is being monetized by those who gather it. This is before the PII is even used for the purpose for which it is purchased.
Asset or liability?
PII is at once a huge asset and a huge liability. As a liability, it is costly to protect, and it is essential, as I’ve written previously, for organizations to have in place a Written Information Security Plan, or “WISP”, so that they comply with federal and state regulations to protect this information. Not protecting this information will cost companies billions. Most companies have learned to deal with a potential security breach and the expense of implementing post-breach protocols by creating WISPs that define how they respond to a breach and keep them in compliance with both federal and state laws, which are continually evolving to deal with changes in data vulnerabilities. These WISPs are fluid documents that require constant updating and adaptation in order to comply with this constantly changing field of data security.
To date, most companies have focused on security breaches and what happens when personally identifiable information is stolen. But who owns this information and who truly can profit is an area of conflict, one that will only grow as more of our personal information ends up, like metaphoric fingerprints, liberally scattered along everything we touch online. Does that information belong to the person it identifies? If it has been willingly given up, does it belong to the person or company that collects it and puts it together in a way that creates a complete picture of an individual? To date, the law is tilted so heavily in favor of the collector “that it is probably unreasonable to expect that our personal information will not be abused,” according to Vera Bergelson of Rutgers School of Law-Newark.
That said, Facebook, the social-networking site, has come under fire multiple times for the ways in which it presents its more than 800 million users’ information, and how it allows that information to be used by advertisers, who are essentially making money from information that uniquely belongs to the user. In November, the company settled with the U.S. Federal Trade Commission, which required that the company get user consent for certain changes to its privacy settings. The company will also now be subject to 20 years of independent audits.
Despite the decision, the company has already again come under fire in 2012. The Electronic Privacy Information Center is urging the FTC to investigate Facebook’s new Timeline feature that went into effect on January 1 of this year as a violation of the agreement the two reached in November. According to a NY Times article on January 31, 2012 entitled “Personal Data’s Value? Facebook is set to find out”, the pressure from regulators continues to grow, and Facebook faces potential rules on privacy in Europe, along with slow-moving privacy legislation in Washington.
On February 1, 2012, Facebook filed for a public stock offering that will ultimately value the company at somewhere between $75 billion and $100 billion. This staggering valuation is not based on the free social networking services that Facebook provides to its users, but rather, what that captured personal information tells third parties – potential advertisers on the site – about those users.
Almost concurrent with this is Google’s announcement that it will change its privacy policies. The announcement came on the heels of the company being criticized about how user information on its new Google Plus service ended up in search results. Users cried that it was a clear violation of privacy to share their posts without consent. Though the company denies that the new policy is a response to these criticisms, the new policies clarify that Google can use information shared in any one of its services across other Google services.
The information we give up on Facebook and Google Plus is given up willingly and for free. No one coerces us to do so. Yet the question remains: Do we remain the owners of this information? Or, by relinquishing our information to the social media giants, have we also relinquished our right to a say in how it is used, as well as our right to profit from it? We all sign off on those privacy statements without reading the pages of legalese involved. How many of us would consent to a simple statement telling us that Facebook, or Google, or CVS, or any other company will be profiting from the sale and dissemination of our information to multiple third parties? Click here to accept!
I take a leap (but not so much of a leap) by saying that PII is personal property and that it can and must be protected. This information has measurable value. Because licensing and the right to it can be bought and sold, like any other commodity, it meets all of the normal standards for the definition of property. Just because you have placed your personal information on a site like Facebook, you have not given up rights to it. This information remains uniquely yours, and obviously valuable, or there would be no issue over who is profiting from all this collecting and disseminating of it.
PII and the law
To date the law has not been kind to the individuals who can actually be identified by the release of PII. Individuals have pursued cases against credit card companies or subscription services for disseminating information they have given to them, but they have not prevailed.
Whether seeking redress for an intrusion on the individual’s right to seclusion or charging that giving out PII is an appropriation, along the lines of using an image or name without consent, the courts have been unimpressed. As Bergelson notes, “the law recognizes neither personal nor property rights of individuals in personal information.” Ultimately this begs the essential question: How can something so expensive to lose in a breach be considered worthless to give up? I think the Facebook valuation cuts to the heart of this. Clearly, it is worth quite a lot.
Bergelson argues that redress should be sought through the property regime rather than the tort regime. The courts both explicitly and implicitly understand that PII is property; they just haven’t made a decisive move regarding whose it is. At the moment there is some recognition that both the individual and the collector have rights, though the law has tended to side, through torts, with the collector. That side of the law is much more evolved, because companies clearly have a vested interest in protecting themselves in the wake of a breach, and much to lose if the courts take a hard look at to whom all this information really belongs.
Recently, Barnes & Noble Inc., the largest bookstore chain in the world, sought to acquire the assets of its now-bankrupt former competitor Borders Group, Inc. Barnes & Noble ran afoul of PII agreements between Borders and its former customers who had asked that their information not be transmitted or used by any entity other than Borders. How to handle the PII nearly put a stop to the whole deal and further demonstrated that who owns PII, the collector of it or the individual who it identifies, needs to be clearly defined.
At issue was whether Barnes & Noble could acquire the customer information along with the other assets, such as trademarks, intellectual property and trade names. The court ruled in September 2011 that Barnes & Noble could acquire the database, but the company would have to inform each customer by email that they can choose not to have their PII transferred with the sale. It is an opt-out vehicle, one that assumes the individual giving up the information will pay attention to the notification — one of a plethora that come by mail or email — understand it and more importantly, act on it, if he or she does not want to lose their inherent rights to the very data that identifies them. If they do not respond, all data, regardless of when it was collected or whether they previously had opted out, will be transferred to Barnes & Noble.
“Qui tacet consentire videtur” is the legal maxim “he who is silent gives consent.” But silence is the weakest form of consent, and assumes that everything leading up to that “silent consent” has been on a transparent, fair playing field.
The opt out racket:
As we can see in the Barnes & Noble case, and the Verizon “junk” mail quoted at the outset of this piece, the opt out has been the preferred way of handling PII. An opt out, quite simply, puts the onus on the person receiving the communication to respond in some way so that their personally identifiable information is not further disseminated, used or sold in any way.
Of course, very few pay attention to these opt outs, and companies, of course, are quite literally banking on their ignorance. You get at least one of these every week, from a credit card, insurance or communications company. Online, you waive your rights away when you sign any of Google’s agreements, ask to get deals from Gilt Group or Zappos, or any other commercial enterprise on the internet. It is very unlikely that we’ll ever see printed on an envelope from a company informing us of changes in their privacy and personal information policies, “We’d like to ask your permission to use your information for our financial gain.” Instead we get the disingenuous “Privacy is important to us.” Implicit in the proposition is that if you decline to “accept” this choice, you don’t get the service being provided. These companies are not telling you that they want to use the value of your PII for free. Instead, they present a simple guise to keep undisturbed access to what they most desire.
But companies readily understand that what you possess – your PII – is valuable and that you do not know it. If they had to ask you to opt-in, agree to let them use your PII, rather than let benign neglect allow them permission, they would be looking at a very costly proposition. Since when do we let huge companies off the hook in a moneymaking endeavor because of the costs incurred to them? Let’s not forget that it was only about 40 years ago when seat belts were shunned because of the sheer “magnitude” of additional cost incurred to manufacturers. Eventually, the tide will turn and our property rights will trump the expense of managing those assets.
The current situation is untenable and unfair, putting an onus on consumers, who, if they do not understand or never see the notification, are essentially giving consent. Meanwhile, the law is lenient on large companies interested in keeping their costs down.
Inherent in this is an assumption that PII is property and PII has value. Giving up your right to that property is like losing your keys: the finder of your keys does not have the right to the use of your house. Yet information left behind on the internet, such as our search histories, the forms we fill out, and the shopping that we do, is treated as abandoned property in which we’ve waived all right or interest.
Using PII without consent is more akin to appropriating your likeness without permission, or using a piece of music without compensating the composer. There is recognition of both value and ownership in this view. ASCAP, BMI and SESAC are performing rights societies that represent publishers and songwriters in the music business. They represent a catalogue of writers and publishers. Radio and television stations, nightclubs, malls, anyone who might use the music for profit, negotiates with this third party, which in turn compiles data from these companies, such as play list logs, to determine how many times a song has been played. These performing rights societies then pay out to a songwriter or publisher based on how often the work is played.
PII rights societies, if you will, need to be developed – that is some efficient way to track the use of personally identifiable information, the way music companies have come to deal with this issue. A burgeoning industry is about to arise for the management of hundreds of millions of “pieces” of property, representing just about everyone involved in commerce. When this happens there will be an equitable flow of wealth to just about everybody, or at least everybody on the grid.
This is the area that is going to be the next new stage in the information revolution. No Fortune 500 company is going to want to be charged with appropriating someone’s property without compensation. There will be vast opportunities arising in areas to track, monitor, and compile this information.
As the law evolves and there are more chances that each of us will leave behind our electronic footprints, willingly or not, industry will arise to exploit this new economic reality. In Europe, where the personal property value of our information is treated very differently, it is illegal to release personal data to a third party or even to use it for a purpose unrelated to the reason for which it was initially collected without the person’s consent. This affects the way American companies do business in an international sphere that now has to take into account these considerations.
We’ve recognized, as will the law, that PII is property, and we simply cannot go on treating other personal property one way, and PII another. Change is around the corner, and we’re going to want to be prepared for it. Imagine a future with some sort of PII exchange, in which there is an equitable distribution of both information and value for it. This is not only about a new market. This very well may be the first situation to arise in the information age that accords each human being with real, tangible and tradable value.
Nat Wasserstein, We Expert