May 24, 1999 Secretary
Dear Secretary: I submit the following comments in response to the Commission’s Notice of Proposed Rulemaking to Implement the Children’s Online Privacy Protection Act of 1998. These remarks respond to the first General Question posed by the Commission, soliciting comments on provisions in the proposed Children’s Online Privacy Protection Rule (the "Rule"). Notice Provisions The proposed Rule requires operators who wish to collect and use information about children to convey some information that the operators may want consumers to receive and other information that they may not wish consumers to act on. In researching informational privacy for a forthcoming article in the Washington Law Review, I found that firms that wish to communicate information to consumers behave differently from firms obliged to convey messages that they do not in fact wish consumers to act on. That has implications for the design of rules governing notice. The article argues that because some businesses can use information about consumers in various ways, including increasing their own sales and selling the information to others, they have incentives to make it difficult for consumers to protect their privacy. I also assert that businesses have the ability to increase consumers’ transaction costs in protecting their privacy in a number of ways. The article further suggests that some marketers do in fact inflate the transaction costs incurred by consumers, and that many consumers, faced with significant transaction costs and certain constraints common to consumers, decide not to protect their privacy, even though they would choose differently if it were easier to do so. For example, certain businesses are required by law to notify consumers of their information practices so consumers have the opportunity to prevent the sale or use of their personal information. Some of these businesses increase consumer transaction costs in protecting privacy by, among other things, obscuring information about privacy by providing it along with other information which consumers will find of greater interest; providing the privacy information in lengthy documents; using language consumers find difficult to understand; and requiring consumers to communicate their privacy preferences by creating an original writing (as opposed to using company-supplied forms or telephone communications, which the companies permit the consumer to use when providing information the companies wish to receive). On the other hand, in at least one instance described in the article, when a business was prohibited from using consumer information without obtaining consumer consent, the business aggressively sought consumer consent by calling and sending attractive mailings to customers, establishing a toll-free number for consumers with questions, sending customers a printed form with a postage paid envelope, and offering incentives to consumers who signed up. Section 312.5(a) of the Proposed Rule requires operators using information about children to obtain permission from parents in most instances before collecting or using the information. Because operators will wish to receive such permission, they will have no incentive to make it difficult for consumers to provide it. However, the Rule also requires operators using information about children to provide parents with statements the operators may not wish parents to act on, such as the parental right to review personal information provided by the child, §§ 312.4(b)(2)(vi), 312.6, that information may be furnished to third parties, § 312.4(b)(2)(iv), and that the parent may agree to the collection and use of the child’s information without consenting to disclosure to third parties, § 312.5(a)(2). If online companies behave as other businesses have, they may attempt to obscure the disclosures required by §§ 312.4(b)(2)(iv), 312.4(b)(2)(vi), 312.5(a)(2), and 312.6. Section 312.4(a) requires that notices required under the Rule "must be clearly and understandably written, be complete, and must contain no unrelated, confusing, or contradictory materials." That standard might be inadequate. The similar "clear and conspicuous" standard for disclosures under the FCRA that information may be shared among affiliates appears not to have done the trick. As stated in the article at p. 66:
A better approach might be to harness the disclosures firms will not want to make to the disclosures they do want to make, by specifying in the Rule that disclosures provided under §§ 312.4(b)(2)(iv), 312.4(b)(2)(vi), 312.5(a)(2), and 312.6 must be at least as conspicuous and easy to understand as attempts to secure parental consent under § 312.5(a)(1). In addition, to prevent companies from overloading consumers with information, § 312.4(a) should be amended to provide that notices should be no longer than reasonably necessary. An additional issue raised by § 312.4(a) is the question of to whom the notices are understandable or confusing. In deception matters, the Commission, of course, currently uses the standard articulated in the 1983 Policy Statement and implemented in In re Cliffdale Associates, 103 F.T.C. 110 (1984) of "likely to mislead consumers acting reasonably under the circumstances." On the other hand, some courts implementing the Fair Debt Collection Practices Act have used the "least sophisticated consumer" test, see Clomon v. Jackson, 988 F.2d 1314, 1318-20 (2d Cir. 1993), or the similar "unsophisticated consumer" test, see Gammon v. GC Servs. Ltd. Partnership, 27 F.3d 1254, 1257 (7th Cir. 1994). It would be helpful if the Commission would clarify this issue with respect to § 312.4(a). My own preference is for the least sophisticated consumer test, given the liberties firms have already taken in this area, and the difficulties some consumers have in addressing privacy issues, as discussed in the article. Section 312.5(a)(2) Because some operators may wish to make it as easy as possible for parents to consent to the use of their children’s information, it is likely that some operators wishing to use children’s information will send parents forms to complete and return. Operators that wish to sell information about children will sometimes have no incentive to simplify the task of parents who wish to consent to use of their children’s information, but not allow disclosure to third parties. Indeed, such operators may have an incentive to do as little as possible to comply with § 312.5(a)(2)’s requirement that the operator give the parent the option to consent to collection and use of the child’s personal information but not disclosure to third parties. Thus, an operator could conceivably create a form for parents to use to consent to the sale of information, but comply with § 312.5(a)(2) by telling parents they may communicate their objections to sale in a separate letter, in the hope that some parents will not make the effort to send the letter. Consequently, the Rule should also provide that operators who wish to disclose children’s information to others, and use forms, have a place for parents to check to indicate that they do not consent to disclosure of information to third parties, even though they may agree to collection and use of the child’s information for internal purposes. Similarly, some operators may allow consumers to express their wishes through telephone calls. To avoid the same problem, the Rule should provide that when parents consent to the collection and use of their child’s information in telephone calls, operators should explain at that time that the parent may refuse to allow the disclosure of the information to third parties, and ask whether the parent wishes to do so. Section 312.5(c)(3) Section 312.5(c)(3) provides that in some circumstances operators can dispense with verifiable personal consent from the parent if the operator makes reasonable efforts to ensure that the parent receives notice. Mechanisms to provide such notice are defined as included sending the notice to the parent’s e-mail address. Operators in such circumstances may not want the parent to refuse, and so may attempt to comply with the Rule in such a way as to increase the likelihood that the parent would not read the e-mail, as for example, by making the e-mail message look like spam. Certainly many people delete messages that appear to be spam without reading them. To frustrate such attempts, the Rule could require the message line to contain information that would make it more likely that the parent would read the message. For example, the Rule could require the message header to contain the child’s name. Section 312.6 I have two suggestions relating to § 312.6. First, § 312.6 does not currently provide for a time limit for operators to comply with parental requests. It might be helpful to add that the operators must provide the information within a reasonable time, or within a specified number of days. Second, § 312.6 does not currently require operators to give parents the option to receive statements about information collected concerning their child on an on-going basis. Many parents who consent to the collection of the information will probably forget about doing so, and will not remember to check back to see what information about their child has been collected and used. The Rule does not require operators to remind parents that the information-collection process is occurring. It probably would not be expensive for operators to provide parents (at least through e-mail for parents who have it) with regular statements containing the information they collect about the child. The Rule should provide that operators collecting and using information about a child should, at the time the parents consent to the collection and use of the information, provide parents with the opportunity to request such periodic updates. * * * Thank you for this opportunity to comment on the Rule. I include a paper copy of the article, as well as a computer disk containing an electronic copy of this letter and the article. If you have any questions, my direct dial number is 718-990-6429, and my e-mail address is Error! Reference source not found.. Respectfully submitted, Jeff Sovern © Washington Law Review 1999. This article is scheduled to appear in the Washington Law Review in the Fall of 1999. The Law Review has given permission to submit it as part of comments on the Children’s Online Privacy Protection Rule. The article has not yet been edited by the Washington Law Review and does not necessarily reflect the views of the Washington Law Review or St. John’s University School of Law. OPTING IN, OPTING OUT, OR NO OPTIONS AT ALL: THE FIGHT FOR CONTROL OF PERSONAL INFORMATION by Jeff Sovern I. Introduction A few years ago one of my students told me that he had a copy of my driving record. During a later class he asked if I wanted a list of my neighbors. On other occasions he correctly told me the name of one of my brothers and who the lienholder is on my co-op apartment. Once he gave me a bullet. Though the story is a little frightening, this was hardly an obsession for him; rather, he was just having some fun, sandwiched between the demands of class and work. Someone for whom it was an obsession--or for whom the information was valuable enough to make it worth serious exploration-- undoubtedly could have learned much more. The information available about consumers is striking. For example, you can buy lists of people who have bought skimpy swimwear and related items such as clingy short dresses and skirts, gambling Arabs, college students sorted by major, class year and tuition payments, millionaires and the people who live near them, people who just lost a loved one, male buyers of fashion underwear, women who buy wigs, callers to a 900-number national dating service, rocket scientists, children who subscribe to magazines or sent in rebate forms included with toys, people who have their urine tested, medical malpractice plaintiffs, workers’ compensation claimants, people who have been arrested for--but not convicted of--crimes, impotent middle-aged men, epileptics, people with bladder-control problems, buyers of hair removal products or tooth whiteners, people with bleeding gums, high-risk gamblers, people who have been rejected for bank cards, and tenants who have sued landlords. There are lists based on ethnicity, political opinions, and sexual orientation. The media are filled with horror stories about the use of personal information. Stories routinely appear on the availability of information most people consider confidential. A television reporter--without any proof of identification--obtained overnight a list of 5,000 families, including addresses and the names of children, for a $277 money order. The reporter used the name of Richard Allen Davis, then on trial for kidnapping and killing a twelve-year old. Some reports are so overwhelming as to be mind-numbing. One company supposedly claims to have identified a market segment for every household in the United States, while another advertises that its database lists every registered voter, as well as their telephone numbers, addresses, and ethnic surname identification. A business executive estimates that on a normal day the average American’s personal information moves from one computer to another five times. The typical person is said to appear in anywhere from 25 to 100 databases. A person sued a marketing company, only to discover that their dossier on her is 25 pages long. The computer library of an information service few have even heard of, Acxiom Corp., is reported to have 350 trillion characters of consumer data on more than 195 million Americans. Services peddle bank account balances, unlisted telephone numbers, and salary figures. In Joel Reidenberg’s words, the "private sector has precisely the type of dossiers that the public has long feared government would abuse." Even the lists of lists are voluminous. A list directory describes more than 10,000 lists which can be purchased. The Direct Marketing Association, a trade association, estimates that more than 15,000 consumer mailing lists exist, containing some two billion names, including, obviously, duplicates. More than one thousand commercial services are said to broker lists. Not only is more personal information available than ever before, but it is becoming easier and less expensive to obtain access to it. Internet sites and even Westlaw have databases designed to locate individuals and report on their transactions, including their bankruptcy records, lawsuits, liens, real property refinancings and transfers, and the location of their assets. Other internet sites list driver’s license information and motor vehicle information, and verify social security numbers. The number of websites selling personal information is estimated at several thousand. Prices for many computer services are now at the point where information which formerly could be afforded only by businesses is now accessible to individuals. To be sure, access to some information--such as credit reports--is regulated, though that may be of small comfort to the various celebrities who have discovered their credit reports in the hands of writers. Still other data, including much of that referred to in the preceding paragraphs, are not subject to legal restraint. A service gave Erik Larson the home address of Baltimore’s mayor, Kurt L. Schmoke, as well as the purchase price, mortgage amount, and taxes Mayor Schmoke paid on the property. Jeffrey Rothfeder has described how after he obtained then-Vice President Dan Quayle’s credit report, he was able, using techniques learned from a private investigator, to call a major retailer and persuade its credit department to tell him Quayle’s home address and telephone number. The Federal Reserve has noted that some internet information providers "place few, if any, restrictions on access or intended use of information, and may permit immediate access over the Internet." Businesses use the information available to them for a variety of purposes, the best known of which is to solicit sales. Thus, each year Americans are reported to receive sixty-three billion pieces of junk mail and billions of telemarketing calls. But the information is also used for purposes which are less well known. For example, one company combined the data from a number of grocery stores to create a list of more than half a million supposedly weight-conscious consumers who had purchased yogurt, low-calorie breads, and similar products. The company marketed the list to sellers of fitness equipment, vitamins and clothing. It offered a list of "fancy food buyers"--consumers who bought refrigerated pastas or frozen yogurt--to travel magazines and sellers of "high-ticket gifts." The combining of consumer information from a number of sources to create a more complete picture of a consumer’s habits--called profiling--has become common. One company, for example, "often can determine whether you own a dog or a cat, enjoy camping or gourmet cooking, read the Bible or lots of other books. It often can pinpoint your occupations, the car you drive, your favorite vacations. . . . [I]t often projects for its customers who should be offered a credit card or who is likely to buy a personal computer." Other notable stories abound. A company secured lists of consumers and their prescription medications from pharmacies and then sent the consumers reminders to refill their prescriptions or solicitations to switch to competing drugs, communications which were at least partly financed by drug manufacturers. One company maintains a "birthday bank" containing the birthdays of some fifty million people. Retailers use the birthdays to target those who are celebrating turning points--eighteen, thirty, or forty, for example--and so might splurge. The same company also maintains records on consumer heights and weights, information of interest to clothing sellers. Even the manner in which databases are created has raised questions. Richard S. Murphy has written that "the typical transaction between a merchant or seller and a consumer increasingly can be characterized as an exchange of goods or services for money and information." But the information-gathering goes well beyond conventional transactions. A toy manufacturer reportedly ran a television commercial in which a clown asked children to place telephone handsets next to their TV’s. The commercial then played tones which dialed an 800 number. A mechanism automatically recorded the telephone number of phones from which calls to the 800 number were placed. The manufacturer then obtained the names and addresses which matched up to the telephone numbers, and it had a mailing list. Adults are hardly immune from such tricks: in 1993 a manufacturer of a product for incontinent women established an 800 number for people who wanted free samples. It then offered for sale the list of the 4.4 million people who responded. One woman began receiving solicitations directed to lesbians after she spent a night at a lodge. She later learned that the lodge catered primarily to lesbians, and had sold her name to a lesbian mailing list. Similarly, the Federal Trade Commission has determined that businesses operating websites collect a great deal of information from consumers, including children, often without disclosing to consumers how the information will be used. Ninety-two percent of the websites in one sample collected personal information, including such data as social security numbers, gender, and age. Only fourteen percent of the sites disclosed their information practices. Nearly ninety percent of the websites directed at children collect personal information, To gather information from children like names, mail addresses, phone numbers, ages, gender, hobbies, and interests, websites have imaginary characters pose questions, have children sign a guest book, solicit information to create home pages for children, invite children to join chat and electronic pen pal programs, require children to register with the site, or offer prizes and other incentives for providing information. The FTC also found that "numerous sites" either sell children’s personal information to others, or simply post it online, including some sites that post color pictures of children with their full names and ages. Stories like these--involving conflicting desires for privacy and for information which may be of some value--have become commonplace. Privacy, of course, means various things to various people. In this paper, I am concerned only with what has been called by some, informational privacy, and, by others, confidentiality or data protection; that is, any rights an individual has or should have to prevent businesses and individuals from obtaining, using, and selling information concerning the individual, and conversely, the rights businesses and individuals should have to use that information without the knowledge or consent of the individual to whom the information pertains. The laws regulating personal information--especially information contained in computerized databases--are a patchwork of ad hoc responses to outrage over past invasions of privacy, rather than a coherent set of rules based on underlying principles and policies. Some information cannot be sold, while other information is somewhat regulated, and most personal information is not regulated at all. For example, suppose a bookstore, and a videotape rental store, realizing that people often wish to see videos based on the books they have read, desired to enter into an agreement: the bookstore would tell the video store which of its customers had purchased books which had been made into videos--so that the video store could solicit the customers to rent the videos--and the video store would provide the bookstore with the names of customers who had rented videos based on books. At present, federal law prohibits video rental stores from knowingly disclosing the names of movies rented by their customers, but nothing prevents bookstores from revealing the names and purchases of their patrons. Similarly, if the consumer paid with a credit card, no federal law would bar the credit card issuer from disclosing that the consumer had done so. These inconsistencies, as well as others, make little sense. Legal scholars and others have responded to this privacy bramble bush in a number of ways. Some have brought to bear the analyses of law and economics. Others have analyzed the problems created under traditional privacy doctrines or suggested rules to regulate data collection. Some have articulated broad principles intended to govern data collection, often focusing exclusively or largely on fairness considerations. And some have discussed the impact of foreign laws--chiefly the European Directive on Data Privacy--on data collection in the United States. But few have explored the ways consumers behave or the insights which inform other laws governing consumer-merchant transactions. My purpose in this article is to bring to bear on privacy issues some principles and policies drawn from existing consumer regulation and, to some extent, the literature on consumer behavior and consumer transactions. In so doing I hope to contribute to the formation of doctrine regarding privacy and the trade in personal information. Part II of this article discusses the benefits from the sale of personal information. In Part III, I turn to the taste for privacy--why do people care about privacy, and how much they care. Those who are already knowledgeable about the trade in personal information and privacy might do well to skip those parts. Part IV explores the conflicts between what people say and what they do; more specifically, if people say they care about privacy, and in some circumstances act to protect their privacy, why do so few consumers opt out of marketing solicitations? I argue in Part IV that marketers have both incentives and the ability to increase consumers’ transaction costs in protecting their privacy; that some, perhaps many, marketers do in fact inflate the transaction costs incurred by consumers; and that many consumers, faced with significant transaction costs and certain constraints common to consumers, decide not to protect their privacy. In Part V, I suggest ways to reduce consumer transaction costs in protecting informational privacy. II. The Benefits from the Trade in Information A. Information Seekers 1. Commercial Interests Though consumer information is employed for far too many purposes to catalog here, some understanding can be attained by mentioning two uses. The first involves situations in which a consumer seeks some benefit. For example, reports on consumers may be used when a person applies for a loan, employment, insurance, or even to rent a home. A second use of information--marketing--differs significantly from consumer-initiated transactions. When a consumer applies for something, the merchant may desire information to decide whether to grant the consumer’s request. When computers are used for marketing, however, the merchant seeks the information--generally without the consumer’s knowledge--as part of the merchant’s own sales process. Though the consumer may ultimately accept the vendor’s offer, it is the merchant, not the consumer, who starts the process by seeking information about the consumer (or, more accurately, to ask the questions to which the consumer’s name is one answer). The use of computer databases for marketing may take various forms. In one form, businesses sell their customer lists to other companies, typically so that the purchasing business may solicit additional consumers. List sellers find such sales highly remunerative because there are few additional costs in selling a list that the seller already may maintain for other purposes. Indeed, with profit margins of up to sixty percent, some businesses reportedly earn more from selling customer lists than from selling the goods which prompted the consumers to land on their customer lists. Companies have even been pursued by merger partners because of their lists. Another form of marketing is called prescreening. A lender who wishes to solicit a large number of people for credit cards might ask a credit bureau to identify people who meet criteria specified by the lender, such as a past record of paying bills when due and a certain income level. Under this prescreening process, the credit bureau supplies the lender or its agent with the names of those who meet the criteria, or might mail the solicitation directly. The lender never sees the names of those who do not meet its criteria. Those who pass the test know only that they have received the mailing; those who do not satisfy the criteria typically never even know that they were considered unfit for an offer made to others. Some businesses use computers for sophisticated marketing ventures. Thus, supermarkets are able to gather information about their customers through electronic scanners, applications for check-cashing and preferred-shopper cards, shopper surveys, and the like. Armed with this data, supermarkets can mail cat-owners coupons for kitty litter and offer discounts on diapers to those with small children. The supermarket can even encode the coupons to determine which people responded to which coupons, information which may be useful in future marketing attempts. A number of major corporations are reported to monitor consumer purchases both to bombard consumers with solicitations and to sell the information to others. These various marketing endeavors are far from insignificant to business. A 1996 Gallup poll found that 77% of commercial firms use direct marketing. The total amount spent on mailing lists alone--without taking into account the sales of good and services they generate--is said to run $3 billion a year. According to one estimate, direct-marketing-generated electronic commerce could exceed $4 billion in 1998, and rise to $30 billion by 2002. The direct marketing industry reportedly employs more than eighteen million people. And the business is growing, at a rate estimated at twice that of the United State’ gross national product. 2. Non-commercial Interests One reason-- already alluded to--that people search for facts about someone else is simple curiosity: has my professor received a speeding ticket; what can I find out about the person my child is dating, or my ex-spouse; and the like. But consumers seek access to data for other reasons too, and some of these are easier to justify. Information services have helped find abducted children and so-called deadbeat dads. Or a spouse might disappear, leaving the remaining spouse with debts incurred jointly. Some have found long-lost relatives, important witnesses in litigation, or others who were important to them through internet services. On the other hand, some use computers as an adjunct to an unlawful act, such as stalking. Abusive spouses have been known to hunt fleeing partners on the internet, and criminals have employed the internet to steal identities. Obviously, such uses can be a serious problem and an individual’s desire to use computers in such ways should not be indulged under any circumstances. B. Consumers Consumers may also benefit from having their names appear in databases. Indeed, some are so persuaded of these benefits that, as discussed below, they are willing to pay for the privilege. What advantages might consumers receive by appearing in databases? First, many make purchases through direct marketing channels. More than half the respondents to a 1996 Equifax survey say they or someone in their household had bought something from a mailing in the year preceding the survey. Fourteen percent of the respondents to a 1990 survey had purchased something offered to them in a telephone call. Indeed, consumers responding to direct marketing reportedly bought nearly $600 billion worth of goods and services in 1995. Second, consumers whose interests are correctly identified by sellers may reduce their search costs. For example, a consumer who wishes to purchase a new computer might be grateful to receive an unsolicited computer catalog in the mail because it could save the consumer a trip to a computer store. Third, some claim that the greater availability of information actually reduces junk mail. The more sellers learn about consumers, the argument goes, the better they can target mailings, and thus avoid sending solicitations to those who do not want them. If businesses are deprived of consumer information, some say, they will respond by soliciting all consumers, not just the ones most likely to be interested in their product. Response rates to mailings have risen in recent years, suggesting that direct marketers have improved their ability to identify likely buyers. But the argument is flawed. Even if response rates have risen to five percent, that still means that 95% of the recipients of an offer are not interested in it--and, as discussed below, many in that 95% would rather not have received the offer. Indeed the costs of nonconsensual databases--in terms of unread mailings and unwanted telephone solicitations--is estimated to approach $50 billion annually. The argument also assumes that businesses would not respond to the loss of information by abandoning direct mail, in favor of other marketing mechanisms, which might become comparatively cheaper than sending mail to many more consumers. Finally, the argument presupposes that systems to reduce junk mail in other ways cannot be devised. Fourth, consumers who wish to borrow and who maintain good credit records benefit from lender access to their records; if lenders could not determine that a particular consumer was credit-worthy, they might charge the consumer higher interest rates, to compensate them for the risk they were taking in lending to a person with no credit history, or refuse to lend to the consumer at all. Fifth, some products which some consumers want might not be available but for computer databases. These databases furnish names needed for marketing research, and in the absence of such research, some sellers might decide against taking on the risk and expense of introducing certain new products. Sixth, the use of computer databases in marketing also makes it possible, at least theoretically, to sell products at lower cost. Sellers use databases to assist them in selling goods when they believe that the cost of that use, per sale, is cheaper than other marketing mechanisms. The average return for a dollar spent on direct mail advertising is ten dollars, more than twice the return for a dollar spent on television commercials. The average mailing generates ten times the response produced by a newspaper ad and 100 times the response from a television commercial. Hence, more money is spent on direct mail than on magazine ads, radio commercials, or television pitches. If sellers were denied access to databases as marketing mechanisms, they would either be forced to employ more expensive selling methods--measured by the cost per sale--or else forgo selling the product altogether, if alternative methods were too costly to make selling the item profitable. If the cost per sale increases, probably the sale price of the product will also increase. Consequently, those who do wish to buy the product will pay a higher price for it, in essence paying to protect the privacy of another. Seventh, some claim that mail-order selling reduces damage to the environment because it enables people to shop without traveling. In sum, the use of computer databases to maintain information on consumers benefits many. Some claim that because businesses have a stake in the outcome of discussions on privacy, they inflate the benefits generated by databases and underestimate the costs they produce. That is a credible argument. But it seems clear that some value the trade in personal information, even if the benefits are somewhat exaggerated. The next section looks at a cost of that trade--its effect on privacy. III. The Taste for Privacy A. Why Do People Care About Privacy? In a number of articles Judge (then-professor) Posner attempted to construct an economic theory of the right to privacy. Posner focused on privacy as an intermediate goal, because, he wrote, regarding privacy purely as a consumption good "would bring the economic analysis to a grinding halt because tastes are unanalyzable from an economic standpoint." Judge Posner viewed the demand for privacy as stemming largely from a desire to conceal either "discreditable information"--that is, "information concerning past or present criminal activity or moral conduct at variance with a person’s professed moral standards"--or information which would "correct misapprehensions that the individual is trying to exploit; a would-be borrower, for example, might wish to conceal from lenders the fact that she has previously defaulted on a loan. Many consumers, however, seem to reject this view of privacy. One survey found that sixty-four percent disagreed with the statement "most people who complain about their privacy are engaged in immoral or illegal conduct." Perhaps viewing privacy as an end in itself, rather than as a means to an end, retards analysis in some respects, but an economic theory which overlooks the reality that for some privacy has value as an end is necessarily incomplete. What is behind the "taste for privacy"? Alan F. Westin has speculated that it may be biological in origin. Some commentators have suggested that privacy is so fundamental to life that few pleasures can survive without it. The available psychological literature, though sparse, suggests that the desire for privacy may have a number of motives. The feelings generated by privacy invasions can be deeply held. Arthur Miller has observed that "Some people feel emasculated when private information about them is disclosed or exchanged even though the data are accurate and they do not suffer any career or social damage." For example, the incontinent women who wished free samples of a helpful product may object to disclosure of their condition not because they are trying to conceal criminal or immoral conduct or because they wish to exploit the ignorance of others, but because they fear the feelings they will experience if others find out. Joel Reidenberg has written that "the treatment of personal information is an element of basic human dignity. Fair treatment of personal information accords respect to an individual’s personality." In Richard S. Murphy’s words, "in the utility calculus, these psychic benefits count." Some consumers with a taste for privacy may be concerned about the loss of control. For example, consumers engaged in transactions which appear limited in scope may in fact provide information used far beyond the particular transaction. A child who celebrates a birthday at an ice cream store may unwittingly become an entry in a database. Similarly, some people object to others knowing their income, or how much their home cost. Consumers may also wish to keep information private to deny others access to still other information; for example, someone who knows your social security number and mother’s maiden name may be able to learn your bank account balances. Some have very concrete reasons for protecting their privacy. For example, privacy can be a matter of personal safety for police officers who wish to conceal their home addresses from vengeful criminals. Others are concerned about identity theft. Consumer objections to unwanted solicitations also have a number of bases. Some want merely to be let alone; who has not been annoyed by a telephone solicitation at dinnertime? Many find intrusions in the home particularly irritating--and consumer law has been especially responsive to this concern, often providing protections not available elsewhere to consumers solicited in their homes. Even the unwanted paper troubles: it has been estimated that the average professional in the United States will spend eight months sorting junk mail over the course of a lifetime. Some consumers complain that mail they want to receive gets lost in the flood of junk mail. Environmentalists have claimed that junk mail makes up three percent of the nation’s landfills. According to one estimate, the average American received 553 pieces of junk mail in 1997, totaling 4.5 million tons for the entire country. Some are concerned about the volume of commercial e-mail messages. America On-Line receives thousands of complaints about unsolicited commercial e-mail every day--making it by far the most frequent subject of complaint by AOL subscribers. Depending on the day of the week, between five percent and thirty percent of the e-mail received by AOL subscribers each day consists of unsolicited commercial e-mails. Some recipients of commercial e-mail messages also find them an unwanted expense because some internet service providers charge more as consumers receive additional messages. Business may also benefit from satisfaction of privacy interests. Thus, a number of commentators and even industry representatives have opined that the internet will not realize its potential as a sales medium unless consumers are assured that their transactions will be private. Polls have reported that privacy is the top reason some consumers have declined to use the internet. B. How much do people say privacy matters to them? Over the last decade, numerous polls--many of them conducted by Equifax and Alan F. Westin--have fleshed out what consumers say about privacy. A brief summary: on some privacy issues, consumers are united, often taking pro-privacy positions, but sometimes concluding that other values are more important than privacy. On other issues, consumers are not unanimous, but large percentages of them take pro-privacy positions. 1. Issues on Which Consumers Tend to Agree According to a 1996 survey commissioned by Equifax, 89% of the public is concerned about threats to their personal privacy. Other polls have also found many consumers concerned about the state of their privacy. An increasing number of consumers agrees that consumers have "lost all control over how personal information about them is circulated and used by companies." Nearly four out of every five respondents regards privacy as a fundamental right, worthy of addition to the list in the Declaration of Independence of "life, liberty and the pursuit of happiness." One poll found that 98% of consumers believe their privacy is substantially threatened by marketers and advertisers. On some specific issues consumers are also in accord. For example, 97% of parents with children who use the internet believe web sites should not sell or rent personal information pertaining to children. Nearly three-quarters find it objectionable for a Web site to request a child’s name and address even if used solely for internal purposes. A 1991 survey found that more than half the respondents believe it is important for consumers to be able to opt out of the sale of personal information while a third view it as somewhat important. And consumers dislike telphone solicitations: 47% say they are always an intrusion while another 32% find them mostly an intrusion. While people acknowledge the value of privacy, most value some other things even more. Thus, more than three out of four Americans say they would be very or somewhat upset if they could not obtain credit based on their record of paying bills. Similarly, 96% agree that "when people want to borrow money, the company giving them credit should be able to check on their credit records;" three-quarters feel that businesses should be able to inquire into the checking performance of those who pay by check; and substantial majorities find it acceptable for companies to check the public record information of consumers applying for auto insurance or jobs. 2. Issues on which Consumers Are Not Unanimous. Several polls have made it clear that some people do have more of a taste for privacy than others. For example, the 1990 Equifax Report compared certain demographic characteristics with the answers given by respondents to 46 questions. Equifax found that liberals were more privacy-oriented than moderates and conservatives on 23 of the questions; Jews were more privacy-oriented than Protestants and Catholics on 32 of the questions; and those who had read and heard more about consumer privacy issues in the previous year were also more privacy-oriented on 18 questions. The desire for privacy also varied by age and experience with computers. Another survey found that women tend to be more concerned about threats to their privacy than men; that pattern also shows up in connection with privacy on the internet. Notwithstanding Judge Posner’s view, the most likely explanation for these different perspectives is that the various groups have different tastes for privacy, rather than that some of these groups have more discreditable information they wish to conceal than others. These broad disagreements in preferences for privacy suggest that any rule designed to accommodate the preferences of different consumers on some issues will need to be flexible. Many consumers are troubled by the trade in personal information, though some are less concerned and others are not bothered by it at all. Thus, the 1990 Equifax survey showed that while 39% viewed the sharing of information by companies in the same industry as a major problem, 43% called it a minor problem, and 16% said it was not a problem at all. Similarly, though 57% feel that consumers being asked to provide excessively personal information is a major problem, 33% describe it as only a minor problem, and 10% do not perceive a problem at all. A 1996 survey found that half the public is not concerned or only slightly concerned about having their names on mailing lists, while the other half is somewhat concerned or greatly concerned. Differences of opinion also show up when consumers are asked about solicitations. For example, a 1996 survey found that half of all consumers would prefer not to get any mailings at all, while the other half likes to get mailings on products and services of interest to them. In 1996, 37% of respondents to an Equifax poll said that they regard mail offers as a nuisance, while 43% reported that though they rarely use mail offers they do not see them as a problem, and 12% regard mail offers as a useful opportunity. That survey also found that 55% of the public feel the combination of first, compiling profiles of individual consumers’ purchasing patterns and second, using the profiles to mail offers to consumers is somewhat acceptable; another 11% believe it to be very acceptable; while a third view it as either not very acceptable, or not at all acceptable. Similarly, in 1990 only 23% said they would be very or somewhat upset if they could not receive at their homes, by mail or telephone, new offers of credit, while 21% said they would not be very upset, and 56% said they would not be upset at all. Though nearly all consumers who receive unsolicited commercial e-mail dislike it, they differ in the intensity of their reactions. One survey found that 42% felt that unsolicited e-mails are "getting to be a real pain and [they] want to stop getting these messages," while 55%--less critical--viewed the e-mails as a little bothersome. Three percent liked receiving the messages. A 1996 survey found 43% of internet users disagreed strongly that on-line providers should be able to track their internet use in order to send them targeted marketing offers; 28% disagreed somewhat; while a quarter agreed somewhat and 4% agreed strongly. A bare majority complains that existing laws and practices do not adequately protect their privacy. Other polls also demonstrate a split in views. This variation in views is also shared by executives in privacy-intensive industries, people who can be expected to be more knowledgeable about the extent to which consumer information is available than ordinary consumers. The 1990 Equifax Report indicates that these executives are terribly conflicted about whether the privacy of personal information in computers is adequately safeguarded. Depending on the specific industry, the range of executives who thought it was adequately safeguarded varied from 39% to 57% while the proportion of those who thought it was not ranged from 40% to 57%. Some of the reported survey results may be affected by the manner in which the question is posed. Even taking that into account, however, it is quite clear from the survey results that many consumers say they are troubled by the availability of information about them, and that many either claim they are not troubled or are not troubled very much. Some also appreciate the major consequence of the trade in consumer information--namely that they receive solicitations at home. It thus seems fair to say that the surveys indicate that consumers are divided. The survey results have led Alan F. Westin to divide consumers into three groups. Westin describes about 25% of the public as "Privacy Fundamentalists" who tend to reject the view that organizations are entitled to obtain personal information. Privacy Fundamentalists favor strong laws to protect privacy. Westin identifies as "Privacy Unconcerned" people who have little problem supplying personal information to organizations. This group, which Westin believes makes up about 20% of consumers, sees little need for privacy legislation. Finally, the remaining 55% of the public fall into the category of "Privacy Pragmatists." According to Westin, Privacy Pragmatists hold different views on different information activities, depending on such things as whether they trust the particular industry, the value to themselves and society of the particular program calling for the information, whether the information is relevant, and whether fair information practices are being observed. Westin believes that Privacy Pragmatists tend to favor voluntary solutions over legislation, but will support legislation if voluntary approaches fail. This split shows up in other ways as well. For example, in 1990 Equifax attempted to pose in two different ways questions designed to elicit reactions to the sale of mailing lists. When the questions were posed in one way, 69% described as a "bad thing" that businesses were able to buy mailing-list information about them; of these, 40% described themselves as very concerned about it while another 46% were somewhat concerned. On the other hand, 28% called sales of mailing list information a good thing. When the question was posed another way, a better than two-to-one majority found the sale of mailing lists acceptable. It may be that one group consistently view the sale of information about individuals as unfortunate, regardless of how the question is phrased, another group sees it as desirable no matter how the question is put, and a third group is swayed by the wording of the question. The 1990 Equifax surveyors also asked consumers about pre-screening in two different ways. When the question was put one way, about three-quarters of consumers found pre-screening unacceptable, while another quarter called it acceptable. When they were asked about pre-screening in different words, however, respondents found it acceptable by a better than two-to-one margin. Again, it appears that a hard-core of consumers views pre-screening as acceptable, another group finds it unacceptable, and a third group’s views are affected by the manner in which they are asked. 3. Resolving the split based on information practices. Westin concluded that the Equifax surveys consistently showed that consumer concern with particular information-gathering practices could be converted to strong majority approval when the information-gatherers employed such fair information practices as notifying consumers what information was being collected, how it was being used, and affording consumers options as to whether the information would be supplied to others. Other surveys also suggest consumers favor disclosure by companies. Thus, a 1991 survey conducted by Time Magazine and the Cable News Network found that 93% of the respondents agreed that companies should be required by law to ask permission from individuals before selling information about them. Similarly, a Money Magazine poll found that 88% of the public favors a privacy bill of rights "that would require companies to tell consumers and employees exactly what kind of personal information they collect and how they use it." C. How do consumers act to protect their privacy? Perhaps the most common way in which consumers protect their privacy is to have an unlisted telephone number. Because consumers pay for unpublished listings, the listings also say something about how much consumers value their privacy: in theory, consumers with unlisted numbers value their privacy at least as much as it costs to conceal their phone number. The numbers of consumers willing to pay for an unpublished number varies from state to state. In California, 55% of residential telephone numbers are not listed, while in New York State 24% maintain unpublished numbers. Other evidence too, indicates that some consumers value privacy highly. Some claim to have acted on their privacy preferences. The 1990 Equifax Report found that 30% of Americans say they decided against applying for something, like a job, credit, or insurance, because they did not want to reveal certain information about themselves. Though it is impossible to know precisely what information was concealed, the authors of the 1990 Equifax Report commented that the increase in the percentage of Americans who have chosen not to apply for some benefit rather than to provide the information sought "may be a strong indicator, in practical terms, of the unease felt by the American public concerning how personal information is used by large organizations." Similarly, the Federal Trade Commission has observed that "a substantial number of online consumers would rather forgo information or products available through the Web than provide a Web site personal information without knowing what the site’s information practices are." The 1995 Equifax survey found that 59% of the public has refused to give information to a business because they thought the information was either not needed or was too personal. Significantly, pollsters found in 1990 that those who can be expected to know best about the uses of information--executives in privacy-intensive industries such as lending and direct marketing--were even more likely to withhold requested information than the rest of us. Consumers have acted in other ways to protect their privacy. Some have tried to prevent even the creation of databases. For example, Lotus Development Corporation and Equifax engaged in a joint venture to develop a database on a compact disc that would contain the names, addresses, personal buying habits, and income levels of about 120 million Americans. The data base, dubbed "Marketplace: Households," would have been available at a price small businesses and nonprofit organizations could afford, and could have been extremely useful to many of them. As one commentator explained, "the owner of a trendy new restaurant could get a list of young, affluent people living near his establishment. A local political organization could target older, married homeowners in a given neighborhood." But the companies abandoned Marketplace: Households after receiving some 30,000 calls, e-mails, and letters of complaint from people who were concerned about having their names included. It is impossible to know how many people heard about Marketplace: Households and did not care enough to complain (or did not care at all, or even looked forward to the product). But 30,000 people valued their privacy enough to invest in a complaint. Consumer complaints have also caused other businesses to abandon plans which some feel would have infringed upon consumer privacy. IV. The Conflicts Between What Consumers Say and What They Do. A. Few Consumers Opt Out. Given the survey and other evidence discussed above, we might expect to see that consumers generally have not taken steps to prevent the use of their credit reports in rulings on credit applications but that many consumers have acted to prevent the sale of their personal information for marketing purposes. We might also expect that others permit the use of their personal information for marketing, in accordance with their preferences. This is what Coase’s famous theorem appears to predict, at least at first glance. Coase maintained that when people could bargain freely without transaction costs--an important limitation which will be discussed below--their bargaining would produce an efficient allocation of resources regardless of which party initially possessed the relevant property right. The Coase theorem suggests that people who value their privacy more than the information is worth to firms would pay businesses not to keep the data. Conversely, if the firms value the data more than people value their privacy, people would not wish to pay the businesses enough to make the businesses willing to forgo use of the data, and the businesses would continue using the information. Now assume that the law forbids the operation of databases on people, unless the affected individuals consent to collection and distribution of the information. Again, if privacy is worth more to people than the information is worth to firms, the firms will not be able to pay people enough to make them give up their right to privacy and no databases will be in operation. Alternatively, if the firms value the information more than people value privacy, the firms will purchase from people the right to run the databases. In either case--whether the law gives firms the right to operate databases or people the right to keep businesses from operating databases--the Coase theorem predicts the same outcome. If firms value the information more, the databases will come into existence; if people value privacy more, there will be no databases. In fact, comparatively few consumers seem to have taken steps in a systematic fashion to bar marketers from using their personal data. True, some consumers have acted to curtail the number of solicitations they receive. A number have even paid fees to services which purport to reduce or eliminate commercial solicitations. Some consumers have asked enterprises to add their names to "opt-out" lists, that is, lists of consumers who do not wish to receive solicitations. The Direct Mailing Association ("DMA"), a trade association of firms involved with direct mail, maintains a list of 3.3 million consumers who have indicated that they do not wish to receive direct mail. Other prominent examples of consumers opting out exist: in 1990, the company then known as New York Telephone allowed consumers to have their names deleted from the list that the telephone company planned to sell to direct marketers. Of the 6.3 million customers to whom the offer was made, 800,000 opted out. But while the total number of consumers who have opted out seems large, the percentage of consumers who have opted out is not large at all. Commentators estimate that the proportion of consumers who take advantage of opt outs is twenty percent or even less. That permits the inference that few consumers genuinely care about solicitations; the assumption is that if consumers cared, they would act on their preferences. B. Are the Surveys Inaccurate? How can this be reconciled with the survey evidence which suggests that so many consumers find the trade in information objectionable? One possibility is that the surveys do not accurately report consumer preferences. Survey evidence should always be viewed with skepticism, and there are a number of reasons why that is particularly so with privacy surveys. First, all of this discussion assumes that consumers view the competing costs and benefits of solicitations and privacy the same way at all times regardless of what they are being solicited to buy. In fact, that may not be so. A personal example makes the point. In 1995, my wife died. My daughters were then three and five years old. To save time, I began purchasing my daughters’ clothing from catalog companies. Initially the catalogs I selected clothes from were addressed to my wife, but after I made my purchases, the successor catalogs came addressed to me. Over time, I began to receive catalogs from companies I had not bought from, presumably because they had acquired my name from the companies whose clothes I had purchased. I was grateful for these additional catalogs because they increased the choices available to my daughters and me. Eventually, however, I began to receive catalogs from companies that sold women’s clothing, including at least one which sold rather intimate apparel. Once again, I surmise that these companies had purchased my name from companies which sold me children’s clothing, I suppose on the assumption that people who buy clothes for children also buy garments for women. These catalogs I was not so pleased to receive. Putting aside the fact that lingerie hardly suits me, I did not need to be reminded about my wife’s death by receiving catalogs which should have come to her. But the point is, if I had been asked my views about the selling of my name and about privacy, how should I answer? I wanted my name to be sold to some companies but not others. I welcomed some solicitations but was saddened by others. My answers might have varied at different times--depending on which catalog I had received last, or upon whether I had recently ordered clothing for my daughters--and also would have been different if I could have focused on some catalogs and not others. But the surveys are not that narrowly tailored. My specific situation is unusual, fortunately. But what may not be unusual is that consumer preferences may shift depending on when the questions are posed, what recent experiences the consumer has had, and whether the consumer has most recently received a solicitation which the consumer was interested in receiving or objected to. Surveys offer support for the notion that consumers do not view all solicitations the same way. The 1996 Equifax/Harris Privacy Survey found that if consumers were offered the choice of having their names removed from all mailing lists, some mailing lists or no mailing lists, three out of four would have their names deleted from some. Only 15% would have their names removed from all lists; 12% would not have their names deleted from any. Strikingly, among those who say they have experienced invasions of privacy, or think of mail offers as invasions of privacy or a nuisance, about two-thirds would still keep their names on some direct mail lists. Consumers also have different reactions to different commercial e-mail offers. The data available probably leave the picture of consumer preferences incomplete, but given the limitations of surveying--the need to keep consumers answering questions without compensation for a fairly long time--perhaps it is simply impossible to obtain more useful information than we have. Whether this particular problem would under-report or over-report concern for privacy is impossible to determine. A second problem with relying on survey evidence suggests, however, that surveys may systematically under-report consumer concern for privacy. The consumers who care most about privacy are not likely to answer survey questions precisely because of that concern. A third problem implies that the surveys may over-report privacy concerns. It has been suggested that survey respondents who realize that they are being queried about privacy may reply with answers they think the pollsters want to hear, even if the respondents did not previously hold those views. C. Why Consumers Might Not Opt Out. But other, more persuasive, explanations for the disparity between how the surveys suggest consumers should behave and how consumers actually do behave are possible. Opt-out lists may not accurately reflect consumer interest in opting out, for several reasons. 1. Consumers Don’t Know About Opt Outs or How Their Personal Information is Used. First, consumers may not take advantage of opt-out lists because they may not know about them. Thus, critics say that even more consumers would have opted out of the New York Telephone list if the telephone company had done a better job of informing consumers that they could do so. Roughly fifty percent of the nation’s consumers are said to be unaware of the DMA list--or, in fact, any program for deleting their names from marketing lists. Similarly, the 1996 Equifax/Harris poll found that only 29% of those who find mail solicitations an invasion of privacy know about procedures to have their names removed from mailing lists. Indeed, few consumers even understand how much of their personal information is for sale. While consumers may know generally that there is a trade in personal data and that information about that trade is kept from them--a poll found that 90 percent of Americans think that companies don’t disclose enough about their list usage--many consumers remain largely unaware of how businesses use information about them. Even fairly sophisticated consumers may not be fully informed about the use of their personal information: how many readers of this article were surprised by the information described as being available in its first pages? One study found that a reason consumers may not know firms’ information policies is that executives intentionally hide them. The study reported that when consumers learn of the information practices, "they often become angry and call for legal intervention." Paul M. Schwartz, discussing medical data, has argued that when consumers believe that their records are protected from disclosure and that businesses know that in fact the records are not subject to such protections, a monopoly equilibrium exists. Empirical studies seem to confirm the insight that sellers have disproportionate market power when consumers possess imperfect information. In such circumstances, sellers can be expected not to compete on the basis of how much security they provide for information, but instead to exploit consumer ignorance. To put it more bluntly, how can consumers who do not know the consequences of providing personal information decide whether they want to provide the information? 2. The Difficulty of Opting-Out. The second reason consumers have not acted to protect their privacy, notwithstanding surveys that suggest considerable consumer concern with confidentiality, has to do with how difficult it is to opt-out. An amusing story in The New York Times makes the point:
But consumers seeking to remove their names from lists face other, more troublesome obstacles. Even if consumers can obtain the information needed to opt-out, the cost of communicating and negotiating with all the relevant information-gatherers, in terms of time and money, may be substantial. Anne Wells Branscomb described her experiences: "attempting to get out of the clutches of the database managers is almost a full-time job. I can vouch for this, because I have spent the last five years trying to withstand the assault of direct mail marketers on the post office box I rented to relieve the overstuffed mailbox at my home address." Other stories are similar: one consumer still receives junk mail after having written over 2,000 letters seeking deletion from mailing lists. Not even telemarketing executives--presumably more knowledgeable than the rest of us about avoiding solicitations--can escape: the president of one telemarketing company tells telemarketers who call him at home that he died. As Joel Reidenberg has written, "this obscured transparency raises transaction costs and allocates them to citizens." Special problems in opting out arise in the e-mail context. Many e-mail direct marketers view requests from consumers asking to be removed from lists as confirmation that the e-mail has been received, and continue to send e-mail to the offended consumer, or even flame the customer. Indeed, this practice is so widespread that some advise consumers unhappy with the promotional e-mails they receive not to seek name-removal. Consumers who learn that lesson in the e-mail context may carry it over to other contexts as well, and so refrain from asking to be deleted from direct mail lists. Of course the DMA has its opt-out lists. But the DMA lists are of limited utility. Many direct marketers eschew the DMA mail list, perhaps because DMA charges for it. Only a fraction of all firms engaged in direct marketing are members of DMA, and some of these non-members are the companies most likely to misbehave, though DMA members are said to account for a major percentage of the direct mail solicitations in this country. Registering with DMA will not help with the mailing lists of political organizations, non-profits, or local retailers. The DMA members themselves are hardly role-models: reportedly, only about half the DMA members use the DMA mail preference service to screen their mailings. Even when companies buy the DMA list, consumers may not be completely satisfied: lists are sold so frequently that sometimes names are sold faster than they can be deleted. Hence, one privacy group claims that "consumers who attempt to make use of the Direct Marketing Association’s Mail Preference Service routinely report that they continue to receive junk mail and that the service is not effective." Moreover, companies using the DMA opt-out list remain free to maintain and develop profiles on consumers; they are only called upon to refrain from soliciting consumers on the list. One frequent commentator on privacy has opined that the DMA list is "meaningless" and "just a public relations effort." Still another significant problem with the DMA lists is that placing your name on them is an all-or-nothing proposition for companies that use them: consumers do not have the option of telling DMA which solicitations they would like to receive and which they disdain. I have chosen not to join the DMA’s Mail Preference Service for just that reason, and I am not alone; as discussed above, many consumers would prefer to receive only some of the solicitations currently furnished them. Consumers who are knowledgeable enough about privacy to be aware of the DMA lists may also understand their limitations. Surely some, mindful of those limitations, have chosen not to write to DMA. Too, some consumers may not take advantage of the DMA lists because of doubts about how effective a trade organization is at protecting consumers: the 1994 Equifax Survey found that about three-quarters of consumers were skeptical that companies offering products or services through the mail or via the telephone would use personal or confidential information in a proper manner--the lowest proportion of any industry asked about. Another survey found many consumers do not trust companies marketing products on the internet either. Indeed, there are reasons to harbor doubts about some marketers, as the preceding paragraphs make clear. a. Why is it Difficult to Opt-Out? Why is it so difficult for consumers to opt-out? The answer to that question might turn on the motivation of businesses in offering an opt-out system at all. Some companies might do so because they are genuinely concerned about the privacy of their customers. Other companies might wish to offer for sale a list which excludes customers who opt out. Some argue that such a list might command a premium per name, because it should contain a higher proportion of consumers who are interested in receiving solicitations, and thus more likely to buy in response to solicitations. My own experiences suggest at least some direct marketers are not very concerned with pruning their lists, however. Though my wife has been dead since 1995, we still regularly receive junk mail addressed to her. Telemarketers still call to speak to her from time to time. Companies which genuinely want to eliminate poor sales prospects as a means of making their lists more valuable should probably start with those who have died. Yet at least some do not. Or perhaps companies which offer their customers an opportunity to opt out are interested in preserving customer good will, possibly for marketing advantages. Consumers who are concerned about privacy might prefer a company which respected their wishes. Even consumers who do not value privacy might favor such a company for respecting consumer concerns. A handful of companies have in fact chosen to compete on the basis of privacy. Gini Graham Scott has written of a mall in West Covina, California, where marketers offered shoppers the opportunity to win money, vacations, and other prizes in return for personal information such as reading habits, purchasing plans, and income level. About 13,000 consumers signed up during the first four months. A number of services on the internet give consumers electronic coupons or discounts in exchange for their information. In the long distance telephone market, one company has advertised that it will not use customer calling records to identify and solicit others, while another company apparently does just that. But these stories are exceptions. For the most part, companies have chosen not to compete on the basis of privacy and not to offer incentives to surrender privacy. Why is that? Perhaps merchants would rather not focus on privacy in advertising for fear that it will obscure more persuasive appeals. Mary Gardiner Jones has suggested that businesses will not compete on privacy because "it falls into the category of ‘negative’ information about a company." She argues that businesses have little incentive to make investments to protect the security of their information systems and so are unlikely to advertise that their practices are risk-free. In fact, sellers may choose not to advertise product attributes for a variety of reasons. Other, more cynical, explanations exist for companies offering opt outs, and these reasons have little to do with customer satisfaction. Some have suggested that businesses adopt opt-out systems to forestall more draconian governmental regulation. Indeed, the DMA--an organization which has announced that its members must comply with its opt-out system by July 1999--has lobbied extensively against privacy legislation and started its opt-out lists in part to avoid such legislation. Such legislation is a real possibility. In recent decades, a number of governmental entities in the United States, Europe, and Canada have wrestled with informational privacy issues and have produced documents suggesting or mandating, in one form or another, adoption of certain fair information practices. These documents agree that fair information practices include, among other things, that businesses give consumers notice before collecting information from them, and that consumers have options as to how the information collected from them will be used. Nevertheless, companies may not be eager to offer opt outs because they may rationally conclude that they incur costs when consumers opt-out--while receiving few offsetting benefits. To the extent that consumers exercise the option of having their names deleted, the company’s mailing lists shrink and presumably become less valuable. Moreover, the company incurs transaction costs not only in notifying consumers of the existence of the opt-out option, but also in responding to consumers who opt out. Companies could respond to these costs by, in essence, charging consumers for opting out. This charge could be imposed in a number of ways, including, for example, offering a discount to consumers who do not opt out. A downside of this approach, however, is that it might generate consumer resentment, conceivably causing some consumers who might otherwise have purchased the company’s product to walk away from the transaction altogether. Perhaps the fear of this is why so few sellers offer the differential pricing scheme. Consequently, in the end, sellers who offer opt-out systems appear to absorb the costs of doing so themselves. Accordingly, companies might decide that, for various reasons, they must offer an opt-out plan, but at the same time not want consumers to take advantage of it. If that were so, companies might understandably provide an opt-out mechanism without making it easy for consumers to opt out. To put it another way, companies which offer opt-outs have an incentive to increase transaction costs incurred by opting-out consumers. This explains why Coase’s Theorem has not, by and large, operated to produce a market in privacy and consumer information: as Coase himself recognized, the Coase theorem is a prisoner of its underlying assumption of no transaction costs. That assumption does not apply here. Avery Katz has identified two types of transaction costs: costs of implementation and costs of strategic behavior. He defines implementation costs as "the real resources used up in bringing contracting parties together, in executing and administering the resulting agreement, in enforcing any bargain reached, and in settling any disputes that arise along the way." In an opt-out context, implementation costs might include the costs incurred when consumers communicate with the marketer that they wish their names excluded from the marketer’s list. Katz describes strategic behavior costs as the "losses suffered because bargainers have the incentive to maximize their individual gains rather than the total surplus from exchange." To the extent that sellers can create these costs, they can reduce the number of consumers who opt out, while preserving their own profits from selling consumer information. But why wouldn’t consumers respond to the increased transactions costs by forgoing the purchase? Some consumers seem to do just that when it comes to the internet. Nevertheless, many consumers buy goods and services through other media which permit the collection of their personal information. Again, some consumers may not know of the uses to which their information is being put. Still, why would knowledgeable consumers make such purchases? A rational consumer who understands that buying a particular product means surrendering some privacy or invoking an opt-out should still make the purchase if the value to the consumer of having the product exceeds the price plus the lesser of the cost to the consumer of opting out or the value to the consumer of the lost privacy. The idea may be expressed as follows, where VP is the value of the purchase to the consumer, P is the price, COO is the cost of opting out, and VLP is the value to the consumer of the lost privacy: (1) Consumer should buy if VP > P + (lesser of COO and VLP) The reason the consumer should focus on the lesser of the cost of opting out and the value to the consumer of the lost privacy is that if the cost of opting out exceeds the value to the consumer of opting out, a rational consumer should not opt out but simply endure the loss in privacy. On the other hand, if the cost of opting out is less than the value of surrendering the lost privacy, a rational consumer should opt out. In either case, the lesser cost is the one that should be relevant. If businesses inflate the cost to consumers of opting out, some consumers should respond by declining to buy, and so businesses will lose sales. It therefore seems counterintuitive that businesses will inflate the costs to their customers, especially since those costs do not represent revenues received by the businesses themselves, for the most part. But recall that a number of businesses generate more revenue from sales of mailing lists than from the products they offer to consumers. Such businesses have an incentive to inflate the costs to consumers of protecting their privacy until the loss of profit from sales of products to consumers exceeds the loss of profit from the sale of consumer information. Moreover, because many consumers apparently do not know how businesses use their information, the number of consumers who actually decline to buy because of high privacy transaction costs may be low. This discussion assumes that consumers are rational and knowledgeable about companies’ information practices. But what if consumers are not knowledgeable about information practices? Then consumers should buy if the value of the product to them exceeds the price. Or, put another way: (2) Consumers should buy if VP > P In this second equation, consumers who care about their privacy end up losing it, but they do not take that into account in deciding whether to make the purchase. Presumably, some nescient consumers will end up purchasing, using the formula in equation (2), who would not have bought if they had knowledgeably used the formula in equation (1). Such purchases actually reduce society’s net welfare, but they increase the share of the pie provided to sellers, who realize the profit both on the sale of something to consumers and the sale of consumers’ personal information--which may be another reason why sellers do not, with some exceptions, publicize their information practices. How do companies increase consumers’ transaction costs in opting out? A brochure titled "Privacy Notice" which my local cable company included with its bill provides an example. This Privacy Notice discussed, among other things, how cable subscribers could write to the company to ask that the company not sell their names and other information to third parties. There are at least four reasons why this particular notice may not be effective in eliciting a response from consumers troubled by the sale of their names to others. First, the Privacy Notice may be obscured by other papers in the mailing. The Privacy Notice arrived with a bill and the monthly listings for Pay-Per-View, both likely to be of greater interest to many consumers than printed inserts enclosed in the envelope. Social scientists have found that many consumers are more likely to focus on "vivid" information--such as the Pay-Per-View Listings, which were written in considerably more exciting prose, with color photographs--than on duller information. Similarly, many consumers focus more on pictures--again, like those in the Pay-Per-View Listings--than on text. A story makes the point even more clearly: some years ago, federal regulation required a bank to send its customers a mailing explaining their rights concerning electronic fund transfers. Perhaps mischievously, the bank promised in 100 of the pamphlets that it would send $10 to any customer who sent in his or her name and address on a sheet of paper with the word "regulation." No one responded to the promise. The second reason why consumers may not respond to the Privacy Notice is its length. The brochure is four pages long, and contains 17 paragraphs, 36 sentences, and 1062 words. While some reports are to the contrary, many studies have now demonstrated the existence of "information overload;" that is, the idea that consumers when overloaded with information either do not make optimal decisions, or that overwhelmed consumers simply overlook relevant information. This is not necessarily irrational behavior: some argue that contracting parties rationally do not read contractual terms because of the cost of reading through the terms and the likelihood that the information provided is not useful. Consequently, some consumers may be deterred from reading the brochure, or at least from finishing it, by its length. An interesting contrast is again provided by the Pay-Per-View listings, which typically provide only a brief paragraph about each movie or event. Some companies have gone in the other direction, providing so little information in such vague terms that consumers are unable to discern what they are being told. For example, some companies state only that they may make offers they "think would be of interest to you." While some companies may make this limited disclosure in good faith, commentators have suggested that "the vagueness intentionally avoids giving individuals knowledge of actual practices." A third reason why consumers receiving the Privacy Notice may not read it stems from its prose. Notwithstanding our local Plain Language Law, computer analyses of the text found it extremely difficult, requiring more than a college education for comprehension. For purposes of comparison, the computer found a draft of this article considerably easier going than the Privacy Notice. Fourth, the Privacy Notice invites consumers who object to the sale of their personal information to write to the cable company in a separate letter. By contrast, cable subscribers desiring to add a new premium channel can do so over the telephone, speaking either to a person or tapping buttons on their telephone, depending on their preference. The more difficult the opt-out process, the less likely consumers are to avail themselves of it. My cable company is hardly unique in the presentation of its opt-out policy. Another example: in 1996, Congress amended the Fair Credit Reporting Act to provide that information that would otherwise be covered by the statute could be shared among businesses that were commonly owned "if it is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons and the consumer is given the opportunity, before the time that the information is initially communicated, to direct that such information not be communicated among such persons." Notwithstanding the "clearly and conspicuously" requirement, the Office of the Comptroller of the Currency is reported to have found that "few banks highlight this option." Acting Comptroller of the Currency Julie Williams has commented that "Most bank customers can’t ever recall seeing something like this." And, she has observed:
Not surprisingly, banks are not the only companies that provide opt-out notices in small print. Similar complaints have been made about online disclosures of privacy policies. And other examples are not hard to find. Thus, in 1995, TRW (now Experian) published a booklet titled "Twelve Common Questions about Consumer Credit and Direct Marketing." It is not until the twelfth--and last--question, beginning on the sixteenth page, that the booklet addresses how to remove names from TRW’s marketing list. Earlier questions include such inquiries as "How does a credit bureau help me?" When a merchant provides some information in exciting language with colorful pictures and allows subscribers to make purchase decisions by telephone, while providing the same subscribers a lengthy, dull statement of their rights written in difficult language, calling upon subscribers who object to communicate their views in a separate writing, I wonder how helpful the merchant truly wishes to be to those who do not want their names sold to third parties. One study of information disclosure to consumers found disclosures to be most useful when the consumer "(a) has easy access to the information at the point of sale, (b) can readily comprehend and process the information, and (c) can use it to make direct comparisons of the choice alternatives among relative attributes--in short, when the information is easy to use and relevant to the choice process." My cable company’s notice fails that test. Of course, not all merchants behave in such a fashion. Some take steps to increase the likelihood that their message will be read and responded to by those who object to the selling of their names. For example, the American Bar Association makes the following statement to members in its census form: "On occasion, the ABA makes its list of names and addresses available to carefully screened companies for a rental fee. However, if you prefer not to receive information, please call [toll free number] or mark here." The form then contains an oval which members can mark and return to the ABA along with their answers to other queries on the form. In comparing the two forms, it may be relevant that the ABA is a non-profit organization operated at least in part for the benefit of its members. An opt-out system like the one used by my cable company is likely to be less than effective in matching people up with their preferences. That is to say, it will probably produce a result in which many people who do not wish to receive solicitations receive them, and in which personal information is sold about many people who would prefer it not to be sold. That is so because the availability of an opt-out mechanism is obscured and the mechanism itself is not easily used. As long as marketers have the power and incentive to inflate strategic transaction costs, the market is unlikely to produce an efficient equilibrium. 3. Consumer Limitations. A third explanation for the failure of consumers to opt out as often as their answers to the surveys might suggest lies in the consumers themselves. An extensive literature on consumer complaint behavior makes clear that many consumers who are distressed by merchant conduct cannot bring themselves to tell the merchant about it. In this context, that might translate into a failure to add their names to opt-out lists. It may be that the appropriate response to that is to ignore it: in theory, consumers will act to take themselves off lists if their privacy matters more to them than the cost of having their names removed. Consumers who don’t act are making a statement that their privacy is not worth very much to them. If it is not worth very much to most consumers, then perhaps society would be better off focusing on other concerns which do matter to consumers. But the theory overlooks the reality that consumers act inconsistently with their preferences. Why do consumers do that? E. Scott Maynes has argued that consumers suffer from handicaps in dealing with business, handicaps that contribute to asymmetries in consumer-business relationships. The first handicap, according to Maynes, is that "a person’s interest as a consumer is always secondary to one’s producer interest in a job-profession-business, at least until retirement." Consequently, "many consumers cannot find the time to manage effectively consumption that has grown more complex and dynamic." The second handicap arises from the capacity of merchants to focus on a particular task while consumers must simultaneously grapple with numerous decisions. Maynes has written that as a producer, "a person is concerned with a single job, product, or industry. As consumer, by contrast, one’s interest is spread thinly across thousands of transactions and the management of hundreds of possessions." Thus, the consumer is an "amateur-generalist" dealing with an expert. While Maynes may overstate the point--businesses surely must deal with many transactions too--businesses have the capacity to hire specialists to deal with particular matters in a way that few consumers can match. The opt-out situation may be compared to what is sometimes called "negative-option billing." Negative-option billing is familiar to many consumers from book and music clubs. Typically, from time to time members of the book club receive a brochure describing the club’s offerings. If members do not respond by a particular date, the books are automatically sent to them. Members who do not wish to receive the books must mail a notice to that effect to the club. Whether purchases are to be made by negative-option or positive-option has a significant effect on consumer purchases. As one consumer attorney has written, "[a]s a result of such negative-option offerings, many families have acquired an abundance of unwanted items because they failed to return a card within a stated time period." Though there is little publicly-available empirical evidence on what effect negative options have on consumer choice--as distinct from positive options--what is available shows rather emphatically that it makes a significant difference. Thus, the Federal Communications Commission studied how consumers responded to offers to "unbundle" services by telephone companies. The FCC found that consumers who had to indicate affirmatively that they wished to purchase the optional maintenance plan subscribed about 44% of the time. Consumers who could subscribe by doing nothing--that is, through a negative option--subscribed 80.5% of the time--for a difference of about 36% of the consumers. Similar results have shown up in the cable television industry. In Canada, cable television companies found that when new channels are offered in normal ways, only 25% of customers subscribe, but when made available through negative options, 60 to 70% of the subscribers do not reject the offer. In other words, for many cable customers, the key factor in the purchasing decision is not the cost or content of the programming, but rather whether they have to act. Merchandisers have acknowledged that consumers buy more readily when items are sold through negative options. For example, when one cable television provider switched its offering of a new channel from a negative option to a positive option, the company reduced its estimate of the number of expected subscribers to the new channel from 80 percent to 50 percent. Similarly, when the FTC took testimony on negative option selling, it noted that "several industry members quite candidly admitted that if a positive option were offered, subscribers would buy proffered merchandise at a lower rate of purchasing." No one suggests that consumers would respond to all negative option offerings equally. To take a fanciful example, if a business supplied a service and stated that it would charge $20,000 unless the consumer sent in a form, in which case the service would cost $10, virtually every consumer who purchased the service would surely send in the form. But privacy seems less like that example, and more like the book that consumers buy but never read, simply because it is easier not to send in the form. One observer has noted that consumers are more likely to make a purchase through a negative-option plan if they don’t notice that they are making the purchase. In particular, inexpensive items and services are more likely to be overlooked: "even if the consumer happens to notice the charge, he or she might not devote much attention to it because of the time and effort to determine the cause of the charge and to have it removed from the bill. Moreover, those in vulnerable positions, such as the elderly or foreign born persons, might feel intimidated or deterred from objecting to the charge." Obviously, a system in which people can be said to make purchases that do not reflect their preferences is inefficient. The analogy to negative options seems clear: many consumers are troubled enough about solicitations to have written to marketers to opt out; as to them, the current default rule does not much matter. Still others would like to continue receiving solicitations, and so they are not troubled by the current default, though a change in that default might make them unhappy. But a third group will not act to change the default setting to one that more closely reflects their preferences. To put it bluntly: for many consumers, default rules matter. They affect choices. In sum, in light of all these obstacles, surely consumers can be forgiven for abandoning efforts to have their names removed, as indeed some have. But all of this leads to a troubling conclusion: namely, that existing commercial practices and laws frustrate consumers in accommodating their preferences. Can that be fixed so that consumers can attain their goals without unduly burdening business? The article now turns to that question.
An approach that produced an efficient outcome that genuinely reflected consumer preferences would require consumers to be better informed than they are at present; eliminate unnecessary transaction costs; and tear down unnecessary barriers to consumers acting in accordance with their preferences. As discussed above, we do not have that today: consumers often find it difficult to opt-out, and it appears that businesses have an incentive to make it that way, as well as the power to make it more expensive for consumers to opt out. How could we change to a system in which that is not so? A. A Voluntary System One option is for businesses to move voluntarily to an opt-out system, free of government regulation--except perhaps government enforcement of broken promises. Surveys have generally shown that consumers prefer voluntary privacy policies to legislation (though if companies fail to adopt appropriate privacy policies, consumers would support changes in existing law). Some reasons exist to think that may happen. Many trade guidelines already call upon businesses to provide notice of their information policies and allow consumers to opt-out. Beginning July, 1999, DMA members will have to notify consumers of their information practices and permit consumers to opt-out. The DMA is also developing a list of those who do not wish to receive unsolicited commercial e-mail, similar to its existing lists of those who object to mail and telephone solicitations. Progress has also been made in preserving privacy on the internet. Recently a number of corporations and associations, under the aegis of the OnLine Privacy Alliance, adopted guidelines for online privacy policies. One third-party oversight privacy program, TRUSTe, claims that one-quarter of all time spent on the internet is spent on sites licensed by TRUSTe. The Better Business Bureau is also establishing a self-regulatory program. Moreover, the information industry has proved willing to negotiate. Thus, in December, 1997, the FTC reached an agreement with fourteen businesses to limit the sale of certain information, such as social security numbers and mothers’ maiden names. Under the agreement, the information could continue to be sold to "qualified subscribers," like investigators, insurers, and lawyers. But pessimism about the willingness of the information industry to adopt a consumer consent system seems more justified. Critics of the information industry complain that self-regulation has not been effective. The reported failure of half of DMA’s membership to use DMA’s mail preference service lends credence to such claims. Commentators have charged that the DMA Code of Fair Information Practices "is not systematically honored by companies engaged in direct marketing activities." Nor does the DMA maintain data on compliance with its Code: indeed, it has been reported that the DMA did not make a public inquiry after one of its members, in the wake of an investigation by the attorneys general of fourteen states into its mailing practices, agreed to change its practices and pay a $400,000 settlement. Members of the DMA’s Privacy Task Force themselves are said to ignore DMA guidelines; in fact, a representative of the company which entered into the $400,000 settlement chaired the DMA Privacy Task Force. Moreover, even if all DMA members comply with DMA guidelines, there will still be direct marketers who are not bound by DMA rules because they are not DMA members. Similarly, with respect to internet sites, the FTC has concluded that an effective self-regulatory system has not emerged. When the Electronic Privacy Information Center ("EPIC") studied web sites of new DMA members, it found that only eight out of forty had any form of privacy policy, and of these only three had privacy policies that satisfied DMA requirements. Even a DMA official has acknowledged that "we clearly have a way to go." Privacy Times reports that at least one look-up service, Infotel, has refused to abide by the December, 1997 FTC agreement. Infotel provides assistance in locating people and conducting background checks, such as one service, "Checkmate," that allows people to investigate their dates. And one member of the OnLine Privacy Alliance has already been accused by the FTC of misrepresenting the uses for which it collected data: the matter terminated in a settlement in which the company did not admit wrongdoing. Even more troubling is the failure of the information industry to comply with existing laws, let alone non-binding industry guidelines. For example, when a trade magazine wrote to 48 telemarketers requesting copies of their "Do Not Call" policies--which telemarketers are required to provide upon request--only seventeen of the telemarketers had responded after three months. Accordingly, if the information industry as a whole is to adopt a consumer consent regimen, government intervention is likely to be needed. Government intervention could take one of two forms. I now discuss them. B. A Mandated Opt-Out System One solution would preserve the default that businesses could trade in consumer information if consumers take no action but establish mechanisms both to insure that consumers are informed about the choices available to them and also to eliminate unnecessary transaction costs. For example, such a rule could specify the terms of notices to consumers so that notices would be readily comprehensible and likely to be read. A "clear and conspicuous" standard could be employed to prevent companies from obscuring the information. Consumer law is filled with required notices; another could be drafted. Companies could be required to maintain toll-free numbers for opt out calls. But such notices have a downside. First, they tend to suffer from some of the same deficiencies as the cable company’s Privacy Notice: they often contain dryly legalistic, uninteresting prose. Required notices always raise a question about whether consumers actually read them, just as with the Privacy Notice. Moreover, the history of required notices is a checkered one: though some mandated notices seem to have have aided consumers, some commentators are less sanguine about their utility. The discussion above of the Fair Credit Reporting Act opt out--the Acting Comptroller of the Currency observed that few consumers recall seeing the opt-out forms, which are required to be clear and conspicuous --suggests that when businesses do not want consumers to see a notice, consumers won’t. The Truth in Lending Act offers a further cautionary tale. When first enacted in 1968, Truth in Lending required lenders to provide consumers with a complex set of disclosures. Ambiguities in the statute and its implementing regulations led to more than 1,500 interpretations by 1980, as well as numerous lawsuits, often over technical questions. Though the statute undoubtedly improved the manner in which information was provided to consumers, it also required that information be presented in a format many found confusing. In 1980, Congress enacted the Truth in Lending Simplification and Reform Act, in large measure to fix problems with the original statute. Though disclosures about information policies are likely to be less complex than disclosures about credit, the history of Truth in Lending suggests that disclosure requirements are not always a perfect solution to a problem, at least not as initially created. In addition, it raises questions about the competence of government to draft useful notices. A second problem with a regulated opt-out system is that some enforcement apparatus would have to be maintained to insure that businesses were living up to their obligations under the regulation. As discussed above, many marketers have not lived up to their own industry guidelines and questions have been raised about whether marketers are in compliance with existing law. Third, opt-out systems do not provide businesses with an incentive to help consumers act in accordance with their preferences. Consequently, additional regulation might be required to insure that businesses provided consumers enough information to make informed decisions. C. A Mandated Opt-In System It remains to consider an opt-in system, with a default rule different from the one established by today’s system. Obviously, businesses and consumers who do not value privacy are likely to prefer an opt-out system, while privacy advocates can be expected to favor an opt-in system. 1. The Effect of an Opt-In System on Transaction Costs One goal in fashioning rules is to minimize transaction costs. That is especially important in consumer transactions, because the stakes involved are generally so low that large transaction costs may exceed the value of the transaction and make the transaction uneconomic. While some transaction costs are inevitable in any system in which consumers can opt out or opt in, some transaction costs can be avoided. In particular, strategic behavior costs can be avoided by using a system which discourages parties from generating such costs. As discussed above, the system in which we operate at present encourages businesses to inflate strategic behavior costs because the businesses increase their own gains, albeit at the expense both of the consumers and the total surplus from exchange. An opt-in system would encourage businesses to reduce strategic behavior costs, without giving consumers an incentive to increase them. Instead of the opt-out situation in which merchants were obliged to provide a message they did not wish the consumer to receive, in an opt-in regime we would see merchants’ efforts harnessed to providing a message they want the consumer to receive. How do we know that companies would behave in such a way if they could not use consumer information without consumer consent? We do have some information about how companies behave in an opt-in environment. After the Federal Communications Commission, in interpreting the Telecommunications Act of 1996, ruled that phone companies seeking to use phone calling patterns for marketing purposes must first obtain the consumer’s permission, the telephone company in my area attempted to secure that permission. Its representatives called and sent mailings to subscribers. The company also set up a toll-free number for consumers with questions. The mailing I received is brief, attractively printed in different colors, and written in plain English. It also promises, in words which are underlined that "we’ll never share this information with any outside company. . . ." A postage paid envelope and a printed form is included for consumers to respond. Consumers who accept the offer need only check a box, sign and date the form, and print their name. The company also offered consumers incentives to sign up--such as offering them at various times a $5 check or their choice of two free movie tickets or a certificate worth $10 towards merchandise at certain retailers--thus increasing the likelihood that consumers will pay attention to the information. In sum, the company has done everything it can to eliminate consumer transaction costs. An opt-in system thus increases the likelihood that consumers will choose according to their preferences rather than choosing according to the default. That alone offers a significant reason for adopting an opt-in system. Recall equation (1) in which consumers should buy if VP > P + (lesser of COO and VLP), or consumers should buy if the value to the consumer of purchasing the product is greater than the price of the product plus the lesser of the cost of opting out and the value to the consumer of the consumer’s privacy. What would the equation look like in the opt-in scenario? The consumer who wishes to preserve his or her privacy would no longer have to take into account the direct costs of doing so, and so the consumer should buy if the value of the product to the consumer exceeds its cost, or simply: (3) Consumer should buy if VP > P However, the seller in the opt-in scenario has lost income because seller can no longer sell the consumer’s personal information unless the consumer opts in. Hence seller may respond by raising the price, P. But because consumer will buy only if the price is less than the value to the consumer of owning the product, and because seller presumably wants to make sales, seller has an incentive to minimize the price. Consequently, seller not only has no reason to engage in strategic behavior to increase transaction costs, seller instead has an incentive to minimize transaction costs. It still remains to consider consumers who wish to have their personal information used. As the opt-in transaction can be considered a separate transaction--just as the decision to subscribe to the services my telephone company provides is separate from the decision to allow it to use calling information for marketing purposes--they should also purchase a product if the value of the good exceeds the price. They should then allow the sale of their personal information if the value to them of opting in is greater than the cost of opting in. Because businesses will wish consumers to opt in, businesses can be expected to minimize the cost of opting in. Once again, we see that an opt-in system is likely to reduce strategic transaction costs--exactly the opposite of an opt-out system. An opt-in system also increases the prospect that direct mailing would be tailored to what consumers wish to receive. When companies have a reason to obscure opt-out provisions, as is currently the case, they have no incentive to offer schemes in which consumers could express a desire to receive some solicitations but not others. To return to my personal situation, companies that don’t ask me what I would like to receive have no opportunity to learn that I want to receive children’s clothing catalogs but not women’s clothing catalogs. If, on the other hand, companies have to persuade me to opt in, they have a reason to offer me the opportunity to receive only the kinds of catalogs I wish to receive. At least one company has found that when it offered consumers a variety of options, some consumers who formerly opted out of all solicitations chose instead to receive some, as long as they did not have to receive all. 2. Theory of Default Rules In recent years, a number of scholars have written about default rules. This attention was triggered in large measure by an important article by Ian Ayres and Robert Gertner. Ayres and Gertner acknowledge that transaction costs should play a role in setting defaults, but they go on to argue that in setting defaults, law-makers should also take into account whether parties fail to contract around defaults for strategic reasons. They contend that in some circumstances, the law should establish "penalty defaults"; that is, defaults which give a party an incentive to contract around the default rule. One reason for penalty defaults, according to Ayres and Gertner, is to give more informed contracting parties incentives to disclose information to less informed parties. "By setting the default rule in favor of the uninformed party, the courts induce the informed party to reveal information, and consequently the efficient contract results." Ayres and Gertner argue that otherwise, the more informed party might choose not to disclose the relevant information, even though failure to disclose might lead to an inefficient result, simply because concealing the relevant data might enable the more knowledgeable party to end up with a larger slice of the pie. "When relatively informed parties strategically withhold information, courts, to promote information revelation, should choose a default that the informed party does not want." Ayres and Gertner’s theory of penalty defaults closely fits the sale of information. At present, businesses have little incentive to disclose to consumers how their personal information is used or that they can opt out of its use. That leads to inefficient results. Changing the default gives businesses an incentive to make disclosures and increases the likelihood that an efficient contract results. 3. Analogies to Negative Option Regulation Another reason for an opt-in system is that opt-out systems, as discussed above, are analogous to negative options in that agreement is conveyed not by an affirmative manifestation of assent but rather silence. Normally silence does not operate as acceptance of an offer. Similarly, if a party to a contract suggests a change in its terms, the other party’s silence does not constitute acceptance--though courts will sometimes infer from conduct a tacit agreement to modify a contract. We do not allow a seller to impose a contract on a buyer through negative options. Why should we allow a seller to impose a term on a buyer through negative options--without even giving notice to the buyer? Recognizing that negative option agreements are troublesome, Congress and administrative agencies have regulated them in some contexts. Thus, Congress has barred cable operators from charging consumers for services which the consumer "has not affirmatively requested." In the area in which negative options are probably most used--book and music clubs--their use is regulated by an FTC rule. That rule requires the promotional material "clearly and conspicuously disclose the material terms of the plan," including the fact that the subscriber must notify the seller if the subscriber does not wish to purchase the particular selection. Sellers are also obliged to provide forms to subscribers which "clearly and conspicuously" disclose that the seller will send the subscriber the selection unless the subscriber returns the form to the seller. These book and music clubs are significantly different from the type of negative options used in information practices because the book and music clubs notify the consumers in advance of the nature of the program and the consumer voluntarily joins the club knowing how the club works. It seems anomalous to regulate the clubs--given that consumers choose to join them--but not information practices--given that many consumers are not even aware of how their information will be used and so cannot be said to have knowingly "joined." 4. Internalizing Externalities The sale of information is troublesome in part because it creates externalities. Sometimes, when a person engages in an activity, the activity imposes costs on others that the person is not required to take into account in deciding whether to pursue the activity. These costs are considered externalities. The feelings experienced by those whose information is sold and used without their knowledge constitute just such externalities. An opt-in system--or an opt-out system in which consumers who object to the trade in their personal information have a genuine opportunity to opt out--addresses that problem by internalizing the externality. To put it another way, consumers could bar the sale of their information unless they received compensation which they regarded as adequate--something which would compensate them for the feelings they suffer; namely, the externality. Presumably, the business which bought the information would raise the price to others to compensate for any payment to the consumer. Hence, the price would take into account the social costs incurred when the information is sold, and thus the externality would be internalized in the form of the higher price. The higher price might reduce the number of businesses which purchase the information, but because the higher price reflects the true social cost of the sale of the information, it would produce a more efficient equilibrium. 5. Criticisms of Opt-In Systems Critics of opt-in requirements have argued that consumers cannot predict what solicitations they will want to receive in the future, and so they might choose not to receive information that in fact they would like to have. Consumers would also lose at least some of the benefits they receive from appearing in databases, benefits that were described earlier. But that can be explained to consumers at the time they make the choice whether to receive solicitations. Indeed, an opt-in system gives businesses an incentive to do just that. If consumers, understanding what they are giving up by declining to opt-in, resolutely decide against opting in, that choice should be respected. Some have argued that an opt-in system would destroy the direct marketing industry because the cost to businesses of having consumers opt in exceeds the value to businesses of consumers opting in. In other words, the argument is that imposing the transaction costs on businesses would make the transactions uneconomic. Is this true? To be sure, each name by itself is not worth very much. Estimates of the value of the worth of individual names are usually expressed in cents, not dollars. For example, a list of 1,000 subscribers to Forbes Magazine goes for $115. Metromail Corp. reportedly charges thirty cents a name for access to its medical database of 15 million patients, information useful to pharmaceutical marketers. E-mail addresses are even cheaper. On the other hand, some marketers seemingly have paid quite a bit more to generate their lists and obtain consumer information. My local telephone company has already been alluded to. But other examples exist. One company has offered free personal computers to consumers who let the company track their activities on the internet and provide the company with detailed personal information. The computers will also display advertisements. Kay-Bee Toy Stores recently offered a five dollar rebate to customers for their names and addresses. Similarly, when R.J. Reynolds wanted a list of smokers for direct advertising purposes, it ran ads in newspapers offering to send free samples or coupons to smokers who wrote in. Philip Morris built a list of about 26 million names--at a cost of distributing 30 million pieces of free merchandise. To be sure, these programs may have provided additional benefits to the companies beyond generating a list of smokers, but they undoubtedly cost much more than a few coins for each name generated. Why would marketers pay more than cents for names given that names are available at such a low price? First, while some lists may be available for only a dime or two per name, those lists may not be useful to the marketers in question. The marketers may be willing to pay quite a bit more for lists that are useful. And second, the prices that list-sellers quote usually focus on the value to the buyer (or renter) of the list for one-time use. The names on the list may be considerably more valuable to the listowner, who can sell (or rent) the names over and over again. A dime per name adds up over multiple sales. Hence, listowners might be willing to pay much more than just pocket change per name to buy the right to use names--perhaps even enough to cover transaction costs and still make a profit. In addition, a legal regime which required consumers to assent to the use of their names might make the names more valuable. And strategies could be employed to reduce transaction costs. Take magazine subscriptions as an example. Many, probably most, subscriptions are started when the subscriber communicates to the publisher that a subscription is desired. This communication may, for example, take the form of a telephone call, a postcard in a copy bought at a newsstand, or a purchase through one of the magazine sweepstakes companies. In each case, certain information is needed by the publisher to start the subscription--name, address, length of subscription, payment mechanism desired, and the like--and usually the subscriber supplies this information. How expensive would it be if the publisher were also to inquire whether the subscriber would object to including the subscriber’s name whenever the magazine’s subscription list is sold? A system in which the subscriber granted or withheld permission when the subscriber initially purchased the subscription and each time the subscriber renewed need not be very expensive. Would consumers ever opt in under such a system? Little information is available to answer that question. It has been estimated that only five to ten percent of consumers would opt in. On the other hand, America OnLine found that when it enabled consumers to opt-out, more than eighty percent of the people who went to the opt-out area did not opt out but rather asked that they be put on more lists. And obviously, many consumers have reacted to direct marketing offers by buying the product offered, suggesting that they value some offers. Indeed, some consumers have opted in even in a climate in which consumer information is freely available. One company operates an opt-in e-mail system in which consumers can ask to be added to any of 3,000 different mailing lists. Three million consumers have given their e-mail addresses to that service. The service seems to work: one of its clients increased its sales by 1,000 percent in twelve months. Other companies offer consumers incentives to opt-in to internet solicitations. Equifax established "Buyer’s Market," an opt-in service under which a million consumers filled out a list of the kinds of mail they wished to receive--or didn’t wish to receive. The company eventually charged a modest fee for participating, but subscribers also received discounts on products. In the nineteen-eighties, National Consumer Research charged consumers $199 to have their names and purchasing habits included in a database. The information was provided to direct marketers which then provided discounts to those listed in the database. About 10,000 consumers are said to have signed up. Our marketing system is premised on the assumption that consumers are persuadable. Enormous sums are spent to convince consumers of the merits of particular purchases--enough to finance commercial television and radio, underwrite a significant portion of the newspaper and magazine businesses, and, of course, to pay for the direct mail and telemarketing industries, among others. Our economy is a positive-option system, not a negative-option system, in which consumers make purchasing decisions--often, at least so it appears--at the suggestion of marketers. It seems ironic that marketers believe in what they do on behalf of others, but doubt that they can be effective on their own behalf. Even in an opt-in system, businesses would still have significant advantages in convincing consumers to opt in. While companies would have a tremendous incentive to persuade consumers to opt in, no organization would have a comparable reason to discourage consumers from opting in. More than twelve million people are employed in selling and advertising. Only about 1,000 people work for the two largest consumer information organizations, Consumers Union (publishers of Consumer Reports) and the American Association of Retired Persons. Hence, marketers, with their greater incentive and resources would be able to make a powerful case that consumers should opt in while the opposing viewpoint would probably be much less forcefully expressed. Undoubtedly some consumers would not opt in. But it is also likely that many others would. Predictions that significant privacy legislation would be costly are undermined by comparing predictions of the costs made in the past by opponents of consumer legislation, with the actual costs of such legislation once it was enacted. For example, before Congress passed an amendment to the Equal Credit Opportunity Act ("ECOA") to require creditors to disclose the reasons for an adverse decision on a credit application, it received testimony in 1975 from the National Retail Merchants Association that
After the provision was enacted, a Federal Reserve Board survey found that the average cost per Sears account of providing the reasons for denying credit was only 59 cents, far less than the original estimate of $5 per letter. Similarly, when Equifax asked executives in 1990 whether ECOA had significantly increased business costs, 66% of credit grantor executives and 59% of executives at banks and thrifts said it had not. Only 22% and 35% of the executives at the credit grantors, and banks and thrifts, respectively, said it had. And they were dealing with all the provisions of a statute that bars lenders from considering certain criteria in making lending decisions, asking certain questions, provides for punitive damages, and has led to other changes in lending practices. Proposals to change consumer law to aid consumers frequently draw objections based on cost estimates that later prove to be wildly inflated. D. A Hybrid Proposal The National Telecommunications and Information Administration (NTIA) of the Department of Commerce has proposed a hybrid opt-out, opt-in system. Under the NTIA approach, companies could not use "sensitive" information unless the consumer opted in, but could use non-sensitive information as long as the company notified the consumer that the consumer could prevent the use of the non-sensitive information by sending in a form or making a telephone call by a certain date. NTIA acknowledges that the definition of sensitive information "is not clear-cut" and gives as examples health care information, political persuasion, sexual matters and orientation, personal finances, and social security numbers. NTIA points out several advantages to such a system. First, to the extent that the defaults reflect consumer preferences, it will minimize transaction costs: if consumers generally wish to prevent the sale of sensitive information but do not object to the sale of non-sensitive data, they can simply do nothing; their preferences will be accommodated by the default settings. And second, it gives consumers greater control over sensitive information. But the NTIA system may be flawed. It requires someone to define what information is sensitive and what is not. That the definition is not instantly obvious is suggested by NTIA’s failure to create its own definition. To the extent that the definitions do not conform to an individual’s own preferences, that individual will have to incur transaction costs--or live with a system that does not reflect the consumer’s preferences--and so the chief rationale for the NTIA system will disappear. One thing that emerges from the available survey data is that consumers are in fact split about many privacy issues. As Erik Larson has written, "What is private to one individual may not be private to his neighbor; what is considered private today may not be considered private tomorrow." Indeed, when the Federal Reserve System invited comments on what constitutes sensitive information, it found "widely varying answers." Accordingly, it may be that so many consumers would not be satisfied with the NTIA defaults that the system would not produce any savings in transaction costs. The NTIA system may in fact conform to the views of enough consumers so that it does produce savings in transactions costs--but it is not demonstrable on the basis of the evidence currently available that that is so. It may be that a default that prevents any trade in personal information absent permission from the affected consumer is consistent with the views of more consumers and thus would incur lower transaction costs from consumers shifting their defaults. A better solution than the NTIA approach would focus not on the nature of the information but on consumer preferences. When a significant proportion of consumers want to prevent the sale of their information, an opt-in system could be used. On the other hand, when a significant proportion of consumers do not object to the reporting of their information, an opt-out system could be used. That maximizes the number of consumers whose defaults would correspond to their preferences, and so would not have to incur transaction costs in contracting around the defaults. What percentage of consumers is large enough to warrant switching from an opt-in default to an opt-out default? If the problems with strategic behavior costs and the like did not exist, a simple majority might be the trigger. But the incentive and ability to inflate transaction costs changes the calculus. Ideally, the percentage should be set at the point where the cost of opting in, plus losses from consumers who prefer receiving solicitations not opting in, equal or exceed the losses from strategic behavior costs which would occur in an opt-out system, plus the cost of consumers opting out. But because it is impossible to determine what those figures are, the best approach may simply be to require a large percentage of consumers who prefer that their information be used --perhaps as high as 75% or even higher--before the rule switches from "information cannot be used unless the consumer affirmatively permits it" to "information can be used unless the consumer acts to prevent it." For example, comparatively few consumers mind the use of their personal information to determine if they should be granted credit for which they have applied. Using an opt-out system with credit applications makes sense because it permits most consumers to do nothing and still attain their desires. The few consumers who do not want their information used for that purpose would still have the capacity to opt out. An opt-in system serves little purpose in such circumstances because it forces most consumers to incur transaction costs while benefiting few consumers. VI. Conclusion I have argued in this Article that under the present regime, in which the trade in consumer information is largely unregulated, businesses have both an incentive and the ability to inflate consumer transaction costs in preventing the use of personal information. As a result, more consumer information is available and more solicitations are made than would be the case if unnecessary transaction costs were eliminated. While some are attempting to self-regulate, the failure of past attempts at self-regulation and the atomistic nature of the consumer information industry justifies pessimism about whether such attempts will succeed. Accordingly, government intervention seems desirable. That intervention should logically take one of two forms: either government should preserve the existing system--in which consumer information may be used and sold unless the consumer objects--but should insure that consumers are adequately informed about the uses of their information and given a chance to opt out of that use--or government should impose an opt-in system in which consumer information may not be used or sold unless the consumer to whom the information pertains affirmatively consents to the use. An opt-in system eliminates the incentive businesses have to inflate transaction costs and thus seems more likely to produce an efficient outcome. |