Privacy and Intellectual Property Issues in the Acquisition and Use of Databases
Posted by Lane Klein and Russell Klein
Data is the fuel on which analytics runs. Without data, there would be nothing to analyze, and fortunately for analysts, there is no shortage of it. From governments and corporations to hospitals and universities, data is being created and gathered at a pace that was unknown even a few years ago. Still, in spite of the adage that says “information wants to be free,” for the moment at least, much of it is not. This is particularly true of two areas, corporate data and data related to personal identity. The following piece looks at some of the major issues impacting intellectual property rights and privacy policies as they relate to the Internet and World Wide Web.
According to the Direct Marketing Association, the largest trade association for businesses interested in interactive and database marketing, $28 billion in sales were generated by the Internet in the United States in 2000 and sales volume has continued to grow each year. At the same time, every company doing business on the Internet is aware that the use of customer information is at the heart of all business-to-consumer e-business. As a result, issues of privacy, especially in Internet database acquisition and use, remain a primary concern among Internet users.
Indeed, Privacy Council, a privacy solutions company, reported that research conducted last year indicates that 67% of regular Internet users leave a website at the point at which they are asked to supply personally identifiable information, and also that 26% of regular Internet users stated that they would have been more likely to provide personal information had they felt assured the information would be safe.
Moreover, the situation has been further complicated by the events of September 11, in that for the near-term at least, privacy concerns must be considered in the context of—sometimes even taking a backseat to—security concerns. The sections below outline the current state of affairs, highlighting the introduction of Platform for Privacy Preferences (P3P), which is likely to be the biggest driver of privacy-protection activities over the next few years.
Existing Regulations
The US Digital Millennium Copyright Act (DMCA) was signed into law in October 1998. The legislation implemented two 1996 World Intellectual Property Organization (WIPO) treaties and addressed a number of other significant copyright-related issues. The Act encouraged copyright owners to make their databases more widely available through digital distribution methods by including technological protections in the form of specific penalties for copyright piracy.
In January of 1998, the European Union’s Database Directive also went into effect. The EU Directive provides two levels of protection. First, it provides copyright protection for original selection and arrangement of facts in a database. Second, it provides sui generis protection for non-original databases, prohibiting the unfair extraction of a substantial part of any database reflecting significant investment. A database could simultaneously receive both types of protection: copyright protection for the selection and arrangement of data; and sui generis protection against the extraction of a substantial part of the data itself. The sui generis protection lasts 15 years, while the copyright protection lasts for the life of the author plus 70 years.
The Directive protects databases created in the EU whether they are accessed by EU members or by those outside the EU. Fearing a lack of reciprocity, it does not, however, grant legal protection to databases created outside of EU countries.
Compilations of legal cases are replete with references to DMCA and the EU Database Directive. The US Supreme Court (Tasini v. The New York Times) ruled that authors retain rights to their articles in an electronic database compilation even though they released those works for publication in the newspaper. Another important case is that of the class-action suit against DoubleClick, a company that tracks individuals as they surf the Internet and sells the clickstream data. The case, which was filed in 2000, was settled this year with DoubleClick agreeing to pay nearly $1.8 million and to include in its privacy policy an easy-to-read explanation of its online services and ensure that an Internet user’s online data won’t be used in a manner “materially inconsistent” with the policy under which it was collected.
In France, the Paris Court of Appeals held that a database comprised of photographs and biographies in the public domain should be granted intellectual property protection because the creator had to choose its contents. In Germany, a list of 251 Internet addresses in the form of a collection of links (Hyperlink Datenbank) was protected as a database not only under German copyright law but also under the EU Database Directive.
Cases such as these stand as prototypes for similar decisions elsewhere. For example, last year, the Tokyo District Court issued Japan’s first Internet copyright protection decision, and this year a court in China is hearing its first database intellectual property rights case.
A Long Way To Go
Clearly, the impacts of the DMCA and EU Database Directive are substantial. Despite these developments, however, a recent study of more than 750 e-commerce sites in the United States and the European Union by Consumers International, a non-profit, independent federation comprised of 225 members in over 260 countries, found that Internet sites selling products and services to consumers fall woefully short of international standards. Most sites collect personal information but fail to tell consumers how that data will be used, how security is maintained, and what rights consumers have over their own information. Gartner Group, an information technology research company, reported that only one in four US companies said they complied with their own privacy policies.
Another area where practice falls short of regulation is the Gramm-Leach-Bliley Act, passed in 1999, which restricts how much customer data financial-service companies can share with third parties. The Act requires financial-services companies to mail notices to US consumers describing their privacy protection policies. Nevertheless, some financial-services companies are still struggling to comply. In the words of Federal Trade Commission (FTC) Chairman Timothy J. Muris, “Acres of trees died to produce a blizzard of barely comprehensible privacy notices. We can do better.”
Legally binding settlements, such as the one in the DoubleClick case, are likely to encourage Internet businesses to improve their privacy protection and, in fact, many are beginning to do so through voluntary enforcement mechanisms such as TRUSTe and BBBOnline “seals.”
Elected officials are also responding. In April of this year, Senator Hollings (D-SC) introduced S2201, the Online Personal Privacy Protection Act of 2002. This Act contains restrictions on the collection, use and disclosure of personally identifiable information, opt-in consent, robust notice and opt-out requirements, and FTC enforcement responsibilities.
Still, the challenges for new legislation are enormous. To begin with, no consensus exists about implementing privacy policies. Second, it is not clear that privacy legislation should be limited to Internet practices. Third, compliance with Internet privacy legislation carries substantial costs.
Although the Software and Information Industry Association (SIIA), a trade group representing some 800 leading software and information companies, supported the original passage of DMCA, this year it opposed proposed revisions to the Act. SIIA continues to argue for a market paradigm that encourages innovation by protecting it through copyright:
If a new way to get products and services to consumers can be created by using a new digital technology or new products or services can be created by using such technology, then you can be certain that SIIA members will make the investment to implement this new business model or create the new product if and when it is economically prudent. What is or is not economically prudent is determined by many factors—but a leading, if not the leading, factor is the risk that, and the extent to which, copyrighted content being made available will be pirated.
In an interesting aside, according to Consumers International, despite the tighter EU legislation, researchers did not find that websites based in the EU gave either better information or a higher degree of choice to their users than sites based in the US. This finding was confirmed by US studies that show that nearly all the top 100 Internet sites in the United States have explicit privacy policies with links on their home pages to descriptions of those policies.
Platform for Privacy Preferences
Platform for Privacy Preferences, or P3P, is the standard created by the World Wide Web Consortium (W3C), a leading international Internet standards setting body. According to the W3C:
P3P is a standardized set of multiple-choice questions, covering all the major aspects of a Web site's [sic] privacy policies. They present a clear snapshot of how a site handles personal information about its users. P3P-enabled Web sites make this information available in a standard, machine-readable format. P3P-enabled browsers can "read" this snapshot automatically and compare it to the consumer's own set of privacy preferences. P3P enhances user control by putting privacy policies where users can find them, in a form users can understand, and, most importantly, enables users to act on what they see.
Microsoft Corporation built P3P into its Internet Explorer 6.0, allowing users to select their privacy preferences from a menu. The browser then warns users when websites are not in compliance with users’ privacy standards. It is estimated that 12 million to 15 million copies of Internet Explorer 6.0 are already in use. As a result, consumer sensitivity to privacy issues will be reinforced and consumers may choose to shy away from sites that set off the P3P warning. Industry associations such as DMA are providing their members with assistance in becoming P3P-compliant in registering, browsing, and purchasing functions. It will take time, however, for the technology to proliferate to the many thousands of active websites.
In the meantime, the debates are sure to continue. While as many as one-fourth of the large Internet companies have already adopted P3P in its early months, privacy advocates are already voicing concerns that P3P doesn’t go far enough to protect consumer privacy. The P3P standard does not require that information collected by a site about a user be made available to the user. P3P does not ensure that sites maintain collected data in a secure location. Nor does P3P have enforcement power behind it, and many privacy advocates believe the law and not industry should govern how a person’s information is shared or protected.
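The comparison a P3P-enabled browser performs can be sketched as follows. This is an added example, not code from the W3C or from any browser: it parses a P3P compact policy (the short token form a site sends in a `P3P` response header) using a subset of the P3P 1.0 token vocabulary, and checks it against a user's preferences. The header value, the preference object and its field names are constructed for illustration.

```javascript
// Added example: a subset of the P3P 1.0 compact-policy vocabulary.
const PURPOSE = new Set(["CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"]);
const RECIPIENT = new Set(["OUR", "DEL", "SAM", "UNR", "PUB", "OTR"]);
const CONSENT = { a: "always", i: "opt-in", o: "opt-out" };

// Parse the value of a P3P response header into declared purposes and recipients.
function parseCompactPolicy(headerValue) {
  const m = /CP\s*=\s*"([^"]*)"/i.exec(headerValue || "");
  if (!m) return null; // the site declared no compact policy
  const policy = { purposes: [], recipients: [], other: [] };
  for (const raw of m[1].trim().split(/\s+/).filter(Boolean)) {
    const t = /^([A-Z]{3})([aio])?$/.exec(raw);
    if (!t) { policy.other.push(raw); continue; }
    // A token without a suffix means the practice always applies.
    const entry = { token: t[1], consent: CONSENT[t[2] || "a"] };
    if (PURPOSE.has(t[1])) policy.purposes.push(entry);
    else if (RECIPIENT.has(t[1])) policy.recipients.push(entry);
    else policy.other.push(raw); // access, retention, dispute tokens etc.
  }
  return policy;
}

// Compare the declared policy with the user's preferences (hypothetical shape).
function evaluate(policy, prefs) {
  if (!policy) return ["no compact policy declared"];
  const violations = [];
  const check = (entries, blocked) => {
    for (const e of entries) {
      if (!blocked.includes(e.token)) continue;
      if (e.consent === "opt-in" && prefs.acceptOptIn) continue;
      violations.push(`${e.token} (${e.consent})`);
    }
  };
  check(policy.purposes, prefs.blockedPurposes);
  check(policy.recipients, prefs.blockedRecipients);
  return violations;
}

// Constructed sample header and preferences, not taken from any real site.
const SAMPLE_HEADER = 'policyref="/w3c/p3p.xml", CP="NOI DSP COR CUR ADMa CONi TELo OUR UNRo STP"';
const SAMPLE_PREFS = { blockedPurposes: ["CON", "TEL"], blockedRecipients: ["UNR", "PUB"], acceptOptIn: true };

console.log(evaluate(parseCompactPolicy(SAMPLE_HEADER), SAMPLE_PREFS));
```

The result reflects only what the site declares about itself. As noted above, nothing in P3P verifies that the declaration matches the site's actual handling of the data.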
-----------------------
About the Authors
Lane Klein specializes in marketing statistically-based systems to the computer and communications industries. Ms. Klein previously served as Vice President of Ziff-Davis Market Intelligence and also Senior Vice President of The Beacon Companies, where she headed strategic planning and the MIS group. She is also on the advisory board of Stone Analytics, the sponsor of the Second Moment web site. Russell Klein is an independent software engineer, specializing in data acquisition and publication systems, fan loyalty, mass email, and online community.