In a few short years, computers have become powerful and prevalent. This technology has facilitated a tremendous increase in the acquisition of personal information by the private sector. Consumers increasingly purchase goods with credit and debit cards, buy new information services (such as pay-per-view movies), and engage in an ever greater number of electronic transactions (e.g., e-mail). The information generated in the course of these transactions is routinely gathered, aggregated, and shared.25 Businesses often collect this information in ways that are not readily apparent to the individual.26 New information technologies may not fall neatly within our current experiences.
Modern technology makes it easier to integrate data from numerous sources to create a powerful information package about an individual. Data errors become more harmful as they are more readily propagated.27 The result may be an "electronic clone,"28 a personal profile in digital form that provides detailed and predictive insight into an individual's medical condition, buying habits, personal tastes, economic status, vacation choices, ethnic background, political and religious affiliations, and even the causes and programs which he or she supports.29Although estimates vary, privacy experts believe that lists track more than two billion names. The average American is on at least twenty-five (and as many as one hundred) of these lists at any one time.30
This trend worries some commentators like David F. Linowes, former chairman of the Privacy Protection Study Commission, who has noted that:
Without our knowledge we are profiled and placed on many specialized lists, whether we like it or not. You could be classified as a foreign policy hawk, affluent ethnic professional, black activist, person who frequents the dice table. You don't know what lists you are on.31
Some industry groups have adopted codes and principles, but many have not.32 Corporate privacy policies are sometimes inadequate in the digital context or simply non-existent. Where such policies do exist, a significant gap may remain between announced policies and actual practices.33 The bottom line is, the vast majority of personal information currently can be sold, shared, exchanged and disseminated without notice to, or input from, the data subject.34
Individuals disagree on the extent to which the collection and use of information should be limited to protect privacy, but most agree it is appropriate to engage in a careful weighing of benefits and harms. Professor Westin describes the majority of Americans as "privacy pragmatists" -- that is, individuals who are concerned about consumer privacy and consider promised benefits before they disclose personal information to business.35
The Privacy Principles acknowledged this balancing process, stating that privacy interests are not absolute and must be balanced by the need for legal accountability, adherence to the First Amendment, law enforcement needs, and other collective benefits recognized in law.36
How does one determine what constitutes an acceptable use of information in any particular situation? Some data uses create significant opportunities for both the data subject and society as a whole. For example, companies use sophisticated databases that identify individuals likely to buy a particular product. The data subject gets desired goods and services. Those goods and services may be less expensive because increased information about a consumer's credit history decreases the risk credit granters must bear. Lower marketing costs reduce entry barriers, and competition thrives. Another example is the use of databases to ensure that citizens receive government benefits that they need while minimizing payment of fraudulent claims. Compiling medical information for research purposes may help cure diseases.
Misuse of information, on the other hand, can create an equally lengthy list of harms. Employers might misuse medical information by denying an individual a job because of an old stigmatizing medical condition, such as depression. Improper use of demographic information by a bank could result in redlining, and the inappropriate disclosure of personal information may cause embarrassment, harassment, or victimization.
The Privacy Principles also recognize the need to consider "the individual's expectations regarding the use of the information."37 Ultimately, the appropriateness of any given use of information must be considered on a case-by-case basis. The magnitude of information collection, storage, and dissemination today increases the probability that information will be used in a manner not reasonably contemplated by the data subject. Separating clearly acceptable uses (those that maximize opportunity with minimal impact upon privacy) from clearly unacceptable uses (those that severely reduce privacy with little or no benefit) may not be difficult. Most cases, however, fall in the middle of the spectrum where the benefits of using the information must be weighed against any diminution in privacy. Decisions about the use of personal data will be influenced by cultural norms, market forces, operating efficiencies, law and law enforcement efforts, civil liability and other factors. How will these factors be weighed in the borderless realm of cyberspace?
Thus, we turn to a consideration of current efforts to protect privacy in the United States. This work does not attempt to catalog and discuss every privacy law, or every substantive privacy issue. Instead, it focuses on four critical areas that illustrate a broad range of privacy concerns and various responses:
- privacy of federal government records (the primary source of American concern traditionally);
- privacy in communications (heavily regulated);
- privacy of medical records (for the most part, unregulated); and
- privacy in the marketplace (regulated in part, otherwise unregulated but subject, in some cases, to industry imposed codes of fair information practices).
25. One data management and marketing company maintains approximately 350 terabytes of information about consumers (one terabyte being equivalent to 500 million pages of single-spaced text). See Elisa Williams, Mining for Megadata: Mountains of Customer Information are Constantly Being Formed and Tapped, Orange County Reg. (Calif.), Apr. 22, 1996, at D23, available in 1996 WL 7023685.
26. Three examples illustrate the point:
- Recipients of an "800" or "900" number call can identify the caller's number through Automatic Number Identification (ANI), use a reverse directory to obtain the caller's address, and compile this information into a computerized list that can be sold to other marketers.See Peter Sinton, Perils Await the Unwary on the Cyber-Frontier, S. F. Chron., Feb. 7, 1995, D10, available in 1995 WL 5262597; Connie Koenenn, How they Get Your Number - From You, Chi. Sun-Times, Sept. 15, 1993, at 37, available in 1993 WL 6549139.
- Individuals who attend a hospital sponsored seminar, health fair, or health screening may be placed on a list. Hospitals subsequently use these lists to solicit business for the hospital. See Using Medical Information for Marketing, 16 Privacy J. 1, Feb. 1990.
- Even local supermarkets can use computers to track the exact nature and frequency of an individual's purchases. See Connie Koenenn,Junk Mail: Guess Who's Giving Out Your Address, L. A. Times, June 17, 1993, at E1, available in 1993 WL 2303036. See also, Carrie Teegardin, Keeping Tabs on Shoppers: A&P Membership Card Records Each Purchase in a Database, Atlanta J.-Const., July 2, 1994, at B1, available in 1994 WL 4469745.
27. See H. Jeff Smith, Managing Privacy - Information Technology and Corporate America 7-8, 124-25 (1994) (discussing the distinction between information existing in separate, distinct pieces and the same information combined and available in one place); Colin Bennet, Regulating Privacy 35-37 (1992) (discussing implications of increased computerization for data protection).
28. "As we see a convergence between telecommunications, computers and information processing, almost any transaction you enter into is leaving some kind of trace." reported in Kinsey Wilson, Your Life as an Open Book - Digital Wizardry that Promises to Make Life More Convenient Could Threaten your Privacy, Newsday, July 21, 1993, at 8, available in 1993 WL 11382702 (Comments of Prof. Joel Reidenberg, Fordham U. School of Law).
29. For a representative sampling of the types of databases that are being compiled and the kinds of information they contain, see Thomas B. Rosenstiel, Someone May Be Watching - Everywhere We Go, We're Increasingly Under Surveillance: Employers, Marketers, even Private Detectives Use High-Tech Tools and Scan Mostly Unregulated Databases to Pry into our Daily Lives, L. A. Times, May 18, 1994, at A1,available in 1994 WL 2166435; Larry Tye, List-Makers Draw a Bead on Many, Boston Globe, Sept. 6, 1993, at A1, available in 1993 WL 6607597.
30. See Jay Greene, They're Selling Your Secrets, Orange County Reg. (Calif.), Apr. 21, 1996, at A01, available in 1996 WL 7023494; Jim Donaldson, You Can Keep Your Privacy But it Will Take Some Doing, Gannett News Service, Mar. 6, 1996 (page unavailable online),available in 1996 WL 4375432 (reporting that the typical shopper is in at least 25 corporate databases).
31. Mary Zahn & Eldon Knoche, Electronic Footprints: Yours Are a Lot Easier to Track than You May Think, Milwaukee J. & Sentinel, Jan. 16, 1995, at A1, available in 1995 WL 2967415.
32. For a collection of industry guidelines, see Federal Trade Commission, Staff Report on Public Workshop on Consumer Privacy on the Global Information Infrastructure Appendix C (1996), available at Federal Trade Commission Home Page, Workshop on Consumer Privacy on the Global Information Infrastructure, (visited Apr. 3, 1997). <http://www.ftc.gov/bcp/privacy/privacy.htm>.
33. See Smith, supra note 27, chs. 3 & 4.
34. See generally, G. Bruce Knecht, Privacy: A New Casualty in Legal Battles, Wall St. J., Apr. 11, 1995, at B1, available in 1995 WL-WSJ 2126406 (reporting on the "data that is held -- in staggering amounts -- by private-sector companies" and on the fact that "[v]ast amounts of consumer information are entirely unprotected").
35. See Louis Harris and Associates, supra note 24, at 16.
36. See Privacy Principles, supra note 8, at 2.