Consumer privacy

Last updated

Consumer privacy is information privacy as it relates to the consumers of products and services.

Contents

A variety of social, legal and political issues arise from the interaction of the public's potential expectation of privacy and the collection and dissemination of data by businesses or merchants. [1] Consumer privacy concerns date back to the first commercial couriers and bankers who enforced strong measures to protect customer privacy. In modern times, the ethical codes of various professions specify measures to protect customer privacy, including medical privacy and client confidentiality. State interests include matters of national security. Consumer concerned about the invasion of individual information, thus doubtful when thinking about using certain services. [2] Many organizations have a competitive incentive to collect, retain, and use customer data for various purposes, and many companies adopt security engineering measures to control this data and manage customer expectations and legal requirements for consumer privacy.

Consumer privacy protection is the use of laws and regulations to protect individuals from privacy loss due to the failures and limitations of corporate customer privacy measures. Corporations may be inclined to share data for commercial advantage and fail to officially recognize it as sensitive to avoid legal liability in the chance that lapses of security may occur. Modern consumer privacy law originated from telecom regulation when it was recognized that a telephone company had access to unprecedented levels of information. Customer privacy measures were seen as deficient to deal with the many hazards of corporate data sharing, corporate mergers, employee turnover, and theft of data storage devices (e.g., hard drives) that could store a large amount of data in a portable location.

Businesses have consumer data and information obtained from consumer and client purchases, products, and services. Thus, businesses have the responsibility to keep these data and information safe and confidential. Consumers expect that businesses will take an active stance when protecting consumer privacy issues and supporting confidential agreements. [3] [ citation needed ] Whether a firm provides services or products to consumers, firms are expected to use methods such as obfuscation or encoding methods to cover up consumer data when analyzing data or trends for example. Firms are also expected to protect consumer privacy both within the organizations themselves and from outside third entities including third party providers of services, suppliers who provide product components and supplies, and government institutions or community partnership organizations. In addition, businesses are sometime required to provide an agreement/contract to service clients or product consumer that states customer or client information and data will be kept confidential and that it will not be used for advertising or promotional purposes for example. The US government, including the FTC, have consumer protection laws like The Telephone Consumer Protection Act and Data Transparency and Privacy Act. Individuals States have laws and regulation that protect consumers as well. One example of this is The California Consumer Privacy Act.

Legislation

Consumer privacy concerns date back to the first commercial couriers and bankers who enforced strong measures to protect customer privacy. Harsh punitive measures were passed as the result of failing to keep a customer's information private. In modern times, the ethical codes of most professions specify privacy measures for the consumer of any service, including medical privacy, client confidentiality, and national security. These codes are particularly important in a carceral state, where no privacy in any form nor limits on state oversight or data use exists. [4] Corporate customer privacy practices are approaches taken by commercial organizations to ensure that confidential customer data is not stolen or abused. [5] Since most organizations have strong competitive incentives to retain exclusive access to customer data, and since customer trust is usually a high priority, most companies take some security engineering measures to protect customer privacy. There is also a concern that companies may sell consumer data if they have to declare bankruptcy, although it often violates their own privacy policies. [5]

The measures companies take to protect consumer privacy vary in effectiveness, and would not typically meet the much higher standards of client confidentiality applied by ethical codes or legal codes in banking or law, nor patient privacy measures in medicine, nor rigorous national security measures in military and intelligence organizations. The California Consumer Privacy Act, for example, protects the use of consumer privacy data by firms and governments. This act makes it harder for firms to extract personal information from consumers and use it for commercial purposes. Some of the rights included in this act include: [6]

Since companies operate to generate a profit, commercial organizations also cannot spend unlimited funds on precautions while remaining competitive; a commercial context tends to limit privacy measures and to motivate organizations to share data when working in partnership. The damage done by privacy loss is not measurable, nor can it be undone, and commercial organizations have little or no interest in taking unprofitable measures to drastically increase the privacy of customers. Corporations may be inclined to share data for commercial advantage and fail to officially recognize it as sensitive to avoid legal liability in the chance that lapses of security may occur. This has led to many moral hazards and customer privacy violation incidents. [7]

Some services—notably telecommunications, including Internet—require collecting a vast array of information about users' activities in the course of business, and may also require consultation of these data to prepare bills. In the US and Canada, telecom data must be kept for seven years to permit dispute and consultation about phone charges. These sensitivities have led telecom regulation to be a leader in consumer privacy regulation, enforcing a high level of confidentiality on the sensitive customer communication records. The focus of consumer rights activists on the telecoms industry has super-sided as other industries also gather sensitive consumer data. Such common commercial measures as software-based customer relationship management, rewards programs, and target marketing tend to drastically increase the amount of information gathered (and sometimes shared). These very drastically increase privacy risks and have accelerated the shift to regulation, rather than relying on the corporate desire to preserve goodwill.[ citation needed ]

Concerns have led to consumer privacy laws in most countries, especially in the European Union, [8] Australia, New Zealand and Canada. Notably, among developed countries, the United States has no such law and relies on corporate customer privacy disclosed in privacy policies to ensure consumer privacy in general. Modern privacy law and regulation may be compared to parts of the Hippocratic Oath, which includes a requirement for doctors to avoid mentioning the ills of patients to others—not only to protect them, but to protect their families— and also recognizes that innocent third parties can be harmed by the loss of control of sensitive personal information. [9] [10]

Modern consumer privacy law originated from telecom regulation when it was recognized that a telephone company—especially a monopoly (known in many nations as a PTT)—had access to unprecedented levels of information: the direct customer's communication habits and correspondents and the data of those who shared the household. Telephone operators could frequently hear conversations—inadvertently or deliberately—and their job required them to dial the exact numbers. The data gathering required for the process of billing began to become a privacy risk as well. Accordingly, strong rules on operator behaviour, customer confidentiality, records keeping and destruction were enforced on telephone companies in every country. Typically only police and military authorities had legal powers to wiretap or see records. Even stricter requirements emerged for various banks' electronic records. In some countries, financial privacy is a major focus of the economy, with severe criminal penalties for violating it.[ citation needed ]

History

1970s

Through the 1970s, many other organizations in developed nations began to acquire sensitive data, but there were few or no regulations in place to prevent them from sharing or abusing the data. Customer trust and goodwill were generally thought to be sufficient in first-world countries, notably the United States, to ensure the protection of truly sensitive data; caveat emptor was applied in these situations. But in the 1980s, smaller organizations also began to get access to computer hardware and software, and these simply did not have the procedures or personnel or expertise, nor less the time, to take rigorous measures to protect their customers. Meanwhile, via target marketing and rewards programs, companies were acquiring ever more data.[ citation needed ] [11]

Gradually, customer privacy measures were seen as deficient to deal with the many hazards of corporate data sharing, corporate mergers, employee turnover, and theft of data storage devices (e.g. hard drives) that could store a large amount of data in a portable location. Explicit regulation of consumer privacy gained further support, especially in the European Union, where each nation had laws that were incompatible (e.g., some restricted the data collection, the data compilation and the data dissemination); it was possible to violate privacy within the EU simply doing these things from different places in the European Common Market as it existed before 1992.[ citation needed ] [12]

1990s

Through the 1990s, the proliferation of mobile telecom, the introduction of customer relationship management, and the use of the Internet in developed nations brought the situation to the forefront, and most countries had to implement strong consumer privacy laws, often over the objections of business. The European Union and New Zealand passed particularly strong laws that were used as a template for more limited laws in Australia and Canada and some states of the United States (where no federal law for consumer privacy exists, although there are requirements specific to banking and telecom privacy). In Austria around the 1990s, the mere mention of a client's name in a semi-public social setting was enough to earn a junior bank executive a stiff jail sentence. [13]

2000s

After the terrorist attacks against the United States on September 11, 2001, privacy took a back-seat to national security in legislators' minds. Accordingly, concerns of consumer privacy in the United States have tended to go unheard of as questions of citizen privacy versus the state, and the development of a police state or carceral state, have occupied advocates of strong privacy measures. Whereas it may have appeared prior to 2002 that commercial organizations and the consumer data they gathered were of primary concern, it has appeared since then in most developed nations to be much less of a concern than political privacy and medical privacy (e.g., as violated by biometrics). Indeed, people have recently been stopped at airports solely due to their political views, and there appears to be minimal public will to stop practices of this nature.[ citation needed ] The need for stricter laws is more pronounced after the American web service provider, Yahoo admitted that sensitive information (including email addresses and passwords) of half a billion users was stolen by hackers in 2014. The data breach was a massive setback for the company and raised several questions about the revelation of the news after two years of the hacking incident. [14]

See also

Related Research Articles

<span class="mw-page-title-main">Gramm–Leach–Bliley Act</span> Act of the 106th United States Congress (1999–2001)

The Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is an act of the 106th United States Congress (1999–2001). It repealed part of the Glass–Steagall Act of 1933, removing barriers in the market among banking companies, securities companies, and insurance companies that prohibited any one institution from acting as any combination of an investment bank, a commercial bank, and an insurance company. With the passage of the Gramm–Leach–Bliley Act, commercial banks, investment banks, securities firms, and insurance companies were allowed to consolidate. Furthermore, it failed to give to the SEC or any other financial regulatory agency the authority to regulate large investment bank holding companies. The legislation was signed into law by President Bill Clinton.

Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data privacy or data protection.

Medical privacy, or health privacy, is the practice of maintaining the security and confidentiality of patient records. It involves both the conversational discretion of health care providers and the security of medical records. The terms can also refer to the physical privacy of patients from other patients and providers while in a medical facility, and to modesty in medical settings. Modern concerns include the degree of disclosure to insurance companies, employers, and other third parties. The advent of electronic medical records (EMR) and patient care management systems (PCMS) have raised new concerns about privacy, balanced with efforts to reduce duplication of services and medical errors.

A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, not limited to the person's name, address, date of birth, marital status, contact information, ID issue, and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. In the case of a business, it is often a statement that declares a party's policy on how it collects, stores, and releases personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific.

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.

Information ethics has been defined as "the branch of ethics that focuses on the relationship between the creation, organization, dissemination, and use of information, and the ethical standards and moral codes governing human conduct in society". It examines the morality that comes from information as a resource, a product, or as a target. It provides a critical framework for considering moral issues concerning informational privacy, moral agency, new environmental issues, problems arising from the life-cycle of information. It is very vital to understand that librarians, archivists, information professionals among others, really understand the importance of knowing how to disseminate proper information as well as being responsible with their actions when addressing information.

Privacy law is the body of law that deals with the regulating, storing, and using of personally identifiable information, personal healthcare information, and financial information of individuals, which can be collected by governments, public or private organisations, or other individuals. It also applies in the commercial sector to things like trade secrets and the liability that directors, officers, and employees have when handling sensitive information.

Information sensitivity is the control of access to information or knowledge that might result in loss of an advantage or level of security if disclosed to others.

The Chief Privacy Officer (CPO) is a senior level executive within a growing number of global corporations, public agencies and other organizations, responsible for managing risks related to information privacy laws and regulations. Variations on the role often carry titles such as "Privacy Officer," "Privacy Leader," and "Privacy Counsel." However, the role of CPO differs significantly from another similarly-titled role, the Data Protection Officer (DPO), a role mandated for some organizations under the GDPR, and the two roles should not be confused or conflated.

The United States Commission's fair information practice principles (FIPPs) are guidelines that represent widely accepted concepts concerning fair information practice in an electronic marketplace.

Cloud computing security or, more simply, cloud security, refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

Privacy by design is an approach to systems engineering initially developed by Ann Cavoukian and formalized in a joint report on privacy-enhancing technologies by a joint team of the Information and Privacy Commissioner of Ontario (Canada), the Dutch Data Protection Authority, and the Netherlands Organisation for Applied Scientific Research in 1995. The privacy by design framework was published in 2009 and adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010. Privacy by design calls for privacy to be taken into account throughout the whole engineering process. The concept is an example of value sensitive design, i.e., taking human values into account in a well-defined manner throughout the process.

Do Not Track legislation protects Internet users' right to choose whether or not they want to be tracked by third-party websites. It has been called the online version of "Do Not Call". This type of legislation is supported by privacy advocates and opposed by advertisers and services that use tracking information to personalize web content. Do Not Track (DNT) is a formerly official HTTP header field, designed to allow internet users to opt-out of tracking by websites—which includes the collection of data regarding a user's activity across multiple distinct contexts, and the retention, use, or sharing of that data outside its context. Efforts to standardize Do Not Track by the World Wide Web Consortium did not reach their goal and ended in September 2018 due to insufficient deployment and support.

Corporate surveillance describes the practice of businesses monitoring and extracting information from their users, clients, or staff. This information may consist of online browsing history, email correspondence, phone calls, location data, and other private details. Acts of corporate surveillance frequently look to boost results, detect potential security problems, or adjust advertising strategies. These practices have been criticized for violating ethical standards and invading personal privacy. Critics and privacy activists have called for businesses to incorporate rules and transparency surrounding their monitoring methods to ensure they are not misusing their position of authority or breaching regulatory standards.

<span class="mw-page-title-main">Protecting Cyber Networks Act</span>

The Protecting Cyber Networks Act is a bill introduced in the 114th Congress by Rep. Devin Nunes (R-CA), chairman of the House Permanent Select Committee on Intelligence. The legislation would allow companies and the government to share information concerning cyber threats. To overcome privacy concerns, the bill expressly forbids companies from sharing information with the National Security Agency (NSA) or Department of Defense (DOD).

The ePrivacy Regulation (ePR) is a proposal for the regulation of various privacy-related topics, mostly in relation to electronic communications within the European Union. Its full name is "Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC ." It would repeal the Privacy and Electronic Communications Directive 2002 and would be lex specialis to the General Data Protection Regulation. It would particularise and complement the latter in respect of privacy-related topics. Key fields of the proposed regulation are the confidentiality of communications, privacy controls through electronic consent and browsers, and cookies.

The gathering of personally identifiable information (PII) is the practice of collecting public and private personal data that can be used to identify an individual for both legal and illegal applications. PII owners often view PII gathering as a threat and violation of their privacy. Meanwhile, entities such as information technology companies, governments, and organizations use PII for data analysis of consumer shopping behaviors, political preference, and personal interests.

A privacy seal is a type of trust seal or trustmark granted by third party providers for display on a company's website. Companies pay an annual fee to have an image of the third party provider's seal pasted onto their homepage or privacy policy page. Users can oftentimes click on the seal and be redirected to the web assurance seal service's website which verifies the validity of the privacy seal. They are meant to act as a visual assurance for consumers that the website in question meets a certain standard of privacy. The idea of a privacy seal originates with its physical manifestation – companies have long sought seals of approval like Good Housekeeping to be placed on their tangible products in order to draw in customers who value "quality". While all web assurance seal services follow the guidelines set by the Federal Trade Commission, some providers may have additional requirements. Checks are then conducted on a regular or random basis to ensure compliance. Privacy seals can be applied to various types of e-commerce websites. Some seal providers even create a special privacy seal that is geared toward a certain product like mobile apps or accounting. There are many privacy compliance technology companies, most notably TRUSTArc, CPA Canada WebTrust, PwC Privacy and BBBOnline.

<span class="mw-page-title-main">California Privacy Rights Act</span> Privacy and data protection law in California, U.S.

The California Privacy Rights Act of 2020 (CPRA), also known as Proposition 24, is a California ballot proposition that was approved by a majority of voters after appearing on the ballot for the general election on November 3, 2020. This proposition expands California's consumer privacy law and builds upon the California Consumer Privacy Act (CCPA) of 2018, which established a foundation for consumer privacy regulations.

References

  1. Foxman, Ellen R.; Kilcoyne, Paula (March 1993). "Information Technology, Marketing Practice, and Consumer Privacy: Ethical Issues". Journal of Public Policy & Marketing. 12 (1): 106–119. doi:10.1177/074391569501200111. ISSN   0748-6766. S2CID   158361537.
  2. Cao, Gaohui; Wang, Ping (2022-05-16). "Revealing or concealing: privacy information disclosure in intelligent voice assistant usage- a configurational approach". Industrial Management & Data Systems. 122 (5): 1215–1245. doi:10.1108/IMDS-08-2021-0485. ISSN   0263-5577. S2CID   248313942.
  3. Morey, Timothy; Forbath, Theodore “Theo”; Schoop, Allison (2015-05-01). "Customer Data: Designing for Transparency and Trust". Harvard Business Review. ISSN   0017-8012 . Retrieved 2024-04-22.
  4. Lee, Dong-Joo (June 2011). "Managing Consumer Privacy Concerns in Personalization: A Strategic Analysis of Privacy Protection". MIS Quarterly. 35 (2): 428–A8. doi:10.2307/23044050. JSTOR   23044050.
  5. 1 2 Siam, Kayla (2017). "Coming to a Retailer near You: Consumer Privacy Protection in Retail Bankruptcies". Emory Bankruptcy Developments Journal. 33: 487–521.[ permanent dead link ]
  6. "California Consumer Privacy Act (CCPA)". State of California - Department of Justice - Office of the Attorney General. 2018-10-15. Retrieved 2024-02-23.
  7. Vagle, Jeffrey L. "Cybersecurity and Moral Hazard". Stanford Technology Law Review. 67 (2020): 71–113.
  8. Skiera, Bernd (2022). The impact of the GDPR on the online advertising market. Klaus Matthias Miller, Yuxi Jin, Lennart Kraft, René Laub, Julia Schmitt. Frankfurt am Main. ISBN   978-3-9824173-0-1. OCLC   1303894344.{{cite book}}: CS1 maint: location missing publisher (link)
  9. Hajar, Rachel (2017). "The Physician's Oath: Historical Perspectives". Heart Views. 18 (4): 154–159. doi: 10.4103/HEARTVIEWS.HEARTVIEWS_131_17 . ISSN   1995-705X. PMC   5755201 . PMID   29326783.
  10. Indla, Vishal; Radhika, M. S. (April 2019). "Hippocratic oath: Losing relevance in today's world?". Indian Journal of Psychiatry. 61 (Suppl 4): S773–S775. doi: 10.4103/psychiatry.IndianJPsychiatry_140_19 . ISSN   0019-5545. PMC   6482690 . PMID   31040472.
  11. Foxman, Ellen R., and Paula Kilcoyne (March 1, 1993). "Information Technology, Marketing Practice, and Consumer Privacy: Ethical Issues". Journal of Public Policy & Marketing. 12: 106–119. doi:10.1177/074391569501200111. S2CID   158361537.{{cite journal}}: CS1 maint: multiple names: authors list (link)
  12. Papacharissi, Zizi, and Jan Fernback. "Online privacy and consumer protection: An analysis of portal privacy statements". Journal of Broadcasting & Electronic Media.{{cite journal}}: CS1 maint: multiple names: authors list (link)
  13. "Consumer Privacy: Meaning, Principles and Example". Essays, Research Papers and Articles on Business Management. 2016-06-22. Retrieved 2020-12-06.
  14. "Yahoo faces questions after hack of half a billion accounts". The Guardian. 23 September 2016.