Main Nav

The Need for Privacy Protections: Is Industry Self-Regulation Adequate?

On June 28, 2012, the Senate Commerce, Science, and Transportation Committee held a hearing on the need for consumer privacy protections. The FTC and the Administration have both outlined voluntary industry practices, such as the implementation of Do Not Track options on Web browsers, but they have also said that further legislation is necessary.  (See the March 26th blog for information on the FTC consumer privacy report; the February 23rd blog for information about the White House’s report on data privacy and consumer privacy bill of rights; and the March 12th blog for information on NTIA’s efforts to seek input on the Administration’s consumer privacy bill of rights.)

Chairman Rockefeller (D-WVA) opened the hearing by saying,

In conjunction with the White House and FTC reports, the Digital Advertising Alliance (DAA) has announced that its member online companies will stop collecting personal information from those consumers who tell them to stop doing so.  However, DAA also states that companies will still collect information on these very same consumers for “market research” and “product development”.  These exceptions are so broad- they could swallow the rule.  “Market research” and “product development” could encompass almost anything.

Today, I want to hear from our witnesses what consumers should expect when they tell online companies that they do not want their information collected for any purpose other than the functionality of the service.  No one wants to “break the Internet.” But what many of us want is an Internet where consumers have some control over their personal information.

As I stated…, I have learned that self-regulation is inherently one-sided, and that the interests of consumers are often sacrificed for the demands of the bottom-line.”

Sen. John Kerry (D-MA) used his opening statement to argue that industry self-regulation would not be enough to protect consumers' privacy.  He said, “…we believe that even under the best self-regulatory proposals, industry is still not granting the individual real control and real choices. Some in industry have agreed not to use a person’s information to target advertising to them, but they still fully intend to track consumers and their behavior and draw conclusions about them. They still intend to use that information with or without people’s consent for purposes unrelated to any specific transaction or service."

Witnesses included:

  • Bob Liodice - President and CEO,  Association of National Advertisers
  • Peter Swire - C. William O'Neill Professor of Law, The Ohio State University
  • Berin Szoka - President, TechFreedom
  • Alex Fowler - Global Privacy and Policy Leader, Mozilla

The witnesses represented various viewpoints on the subject.  Swire testified that most consumers do not know how much info is being collected on them by websites; and, that it is only when the government and the press pay attention, do companies strongly enforce self-regulation, which is why legislation is necessary.  On the other side, Liodice said, “I do not think we need a clear Do Not Track, especially for cybersecurity reasons because if we block or limit collecting data we won’t be able to pass on information to local law enforcement.”

Privacy legislation is not a welcome proposition for some of the Internet's largest companies — including Facebook and Google — which is why they have been lobbying furiously on the issue.  Any change in how companies can collect and use consumer information would have significant implications for social media firms, many of which are banking on being able to monetize the large amount of user data they have collected.

But Democrats face an uphill battle to pass a privacy bill, with stiff opposition expected from both Silicon Valley and the GOP.  Given the current political landscape, industry self-regulation looks likely to be the only realistic option for privacy advocates in the short-term.

EDUCAUSE will continue to monitor and report on this privacy issue.

Tags from the Community


Currently there is too much concentration of market power in the leading search engine (Google) and social media -- Facebook, Twitter and YouTube (owned by Google) to expect market forces to regulate privacy.  These companies can say "Hey, you don't have to use our service"; but, as a practical matter, we do.

No one can seriously do search engine marketing without signing up with Google or Microsoft (Bing); and no one seriously do social media marketing without agreeing to the Facebook, Twitter, Google+, and/or YouTube Terms of Service (ToS).  What makes this more egregious is that some of these companies openly violate browser specifications about tracking and information collection.  And all the ToS say the companies can alter the Terms whenever they want, without notice -- and they do this.

I'm not a big fan of government intervention, but self-regulation is not working.