What would YOU do for a Klondike bar?
Would you be willing to tell Unilever (the parent company that makes Klondike) your sexual orientation, political preferences, the fact that you are having an affair with your next door neighbor, and provide your financial records, healthcare records, viewing habits, and other personal information? I mean, it’s a Klondike bar, after all. According to Unilever, it is “the best ice cream bar ever conceived.”
A recent marketing campaign for Internet service by AT&T demonstrates just how costly it can be to protect your privacy – or more accurately, to attempt to protect your privacy.
The truth is, we pay for privacy all the time – in subtle and not so subtle ways. Rather than privacy protection being the “norm” and required, it is often seen as a premium service – worth paying extra for.
If you want “free” Gmail service – no problem. Just let Google’s computers read the contents of every e-mail and provide information from those communications to marketers, advertisers and anyone willing to pay them for the data.
Sure, you can be a fool and pay “full price” at CVS for that memorial day barbeque set – our you can give up a bit of privacy and join the loyalty program and get $3 off! Personal Data For Sale!! Limited time only!
The AT&T program is particularly disturbing. As Gigabit’s Stacey Higginbotham noted:
AT&T’s GigaPower service, which currently delivers 300 Mbps to homes and will eventually get upgraded to a gigabit, launched last December in Austin. It did so with two different pricing plans, one that cost $99 a month for typical service, and another that cost $70 a month provided users agreed to let AT&T monitor their packets to see where on the web the user has been. In turn, AT&T would sell ads targeted to that customer based on his or her habits.
But the $29 more a month to keep your privacy isn’t actually $29 a month. As you add video service, the price differential between choosing privacy and letting AT&T snoop rose to $62 a month for an equivalent package and included a $49 one-time fee (see the screenshot below).
Keeping your web history out of Ma Bell’s hands would have cost almost $800 the first year you signed up at the high-end and $531 at the low-end of ordering only internet (there’s a $99 activation fee and a $7 monthly gateway box fee).
So there’s affordable, fast and private Internet access. Pick any two. There’s two ways of looking at this. One way is that consumers are being “paid” or rewarded for voluntarily giving up their personal information to be sliced and diced and used for marketing. The other way is to say that consumers are being punished for wanting to have a basic human right – the right of privacy.
For telephone service, the government has made that choice for people. Consumer Proprietary Network Information (CPNI) — things like the calls you have made and received – cannot be sold by the phone company unless you have consented to the use.
For companies like AT&T, they might use your CPNI to market other AT&T services, but they have expressly stated “AT&T does not sell CPNI to unaffiliated third parties.”
Se we can have a free market for privacy, or a government regulated privacy market – or a combination of both. Which is what we actually have.
Imagine a pregnant woman going to a hospital and being told that a normal delivery will cost $10,000, but if she is willing to share the facts of her pregnancy and other personal information with Pampers, Similac, Graco or other brands, the cost will only be $7,000. Pretty good deal.
If you go on any of the TV reality shows (Real Housewives of Bayonne, New Jersey) the producers will pay you to give up your privacy (and more if you stage a catfight in a fancy restaurant.)
We give up privacy all the time for a pittance. A 50 cent coupon. A throw-away toy. “Free” WiFi. But with AT&T, the price of privacy is much higher – or alternatively, the reward for waiving it is higher.
Remember, personal information is valuable to the people to whom you disclose it. Absent some law or regulation (including data privacy directives) what a company can do with personal information you have provided is a matter of express or implied contract.
In the absence of regulation, if you give Radio Shack your name and address (to buy batteries) they can use that data to profile you, sell your purchasing habits to third parties, and do just about anything they want – for their profit. What you get is a pair of double A batteries. So at least the AT&T “deal” gives you a discount.
But that’s just one way of looking at it. One man’s discount is another man’s punishment. Imagine if our pregnant woman went to the hospital and was told that the cost of delivery was $7,000, but if she wanted to exercise her privacy rights under HIPAA, the price would be $10,000.
HIPAA precludes a medical provider from using health information for non-healthcare purposes (generally) without the consent of the patient (generally). But in this case, the hospital would be providing an incentive/punishment for the consent. While this would be unseemly, (and HHS OCR would undoubtedly object) technically the hospital could argue that the patient consented. They didn’t have to. They could have paid for the “premium” (privacy enhanced) service.
At the end of the day, its about whether the default position should be that things are private, and companies must compensate the data subject for the use of their information (and get consent) or if the default is that everything is public, and privacy is just an option. Like sprinkles or hot fudge.