Privacy Protection in a Wireless World

Every few decades, business confronts a fresh social challenge that forces us to reconsider the premises on which we've operated. In the first half of the century, world conflict and the growing strength of labor unions forced many businesses to adapt their models to accommodate social and economic change. In the 1960s and 1970s, public alarm over pollution prompted many companies to re-evaluate their relationship to the environment. Now, in the opening years of the 21st century, the technology revolution has made personal customer information a central factor in business success; and debate over its use and abuse has risen to a crescendo of proposed legislation aimed at protecting the consumer from prying corporate eyes.

No aspect of this privacy issue is more controversial than wireless technologies. Since the FCC passed its "e-911" mandate requiring all cellular carriers to have the capacity to pinpoint subscribers within 400 feet by October 2001, an upheaval of concern over potential violations has exacerbated leery consumers and their advocates who consider the wireless device's ability to track its owner the ultimate invasion of privacy.

"The Internet is this super-recorder," says John McCarthy, group director of research at Forrester Research in Cambridge, Mass. "In the virtual world, we can track everywhere you go. With wireless, companies not only know where someone surfs on the Web, they know where he walks around and uses his cell phone and PDA. So you have another pool of data that can be potentially abused. "

Convinced that Web-based wireless location technologies will be a huge boon to consumers (especially to travelers in unfamiliar cities), wireless Internet companies like AirFlash.com and Go2 Systems are marketing to consumers the ability to access location-sensitive information on restaurants and retails stores in their immediate areas. This optimism may be misplaced. According to "Surviving the Privacy Revolution," a February 2001 Forrester Research study on wireless Internet technologies, only about 6 percent of North American consumers trust Websites with their personal information. Forty-seven percent of the same consumers believe it extremely likely their personal information will end up in the wrong hands if they respond to an Internet-based ad.

The mistrust stems largely from the lack of consumer participation in how their information is used, argues Andrew Shen, senior policy analyst for the Electronic Privacy Information Center, a Washington D.C. think tank that supports privacy protection. "It does make sense for marketers to make consumers more active participants in the process," he says. "I, as a telephone user, may not be uncomfortable with walking down the street and getting an e-mail message saying that two blocks away there's a sale, as along as I know what information is being sent. But I don't see a lot of businesses necessarily moving affirmatively in that direction."

While the majority of businesses prefer to rely on self-regulation and the posting of privacy policies, the primary contention between privacy advocates and business is the opt-in versus opt-out subscription model. The Internet industry at large clearly favors an opt-out model, in which business can track and collect information until the end user specifically requests that they desist. Under opt-in, business can only collect information if the user has given consent.

The wireless Internet industry, however, has taken the opposite view, with the majority of companies supporting an opt-in model. In part, this position is due to the high sensitivity of the public to collection of location-based personal information and the wireless industry's consequent vulnerability. Yet critics argue that often the definition of what constitutes an opt-in model is too loosely defined by many of these organizations. According to Forrester Research's report, many are pressing the FCC for a vague interpretation of opt-in that allows them to secure consent in the fine print of service agreements.

In the meantime, privacy advocates continue to press Congress for legislation in both the landline and wireless arenas. Of the dozens pending before Congress, one bill originating in the House of Representatives specifically addresses the issue of consent. The Wireless Privacy Protection Act of 2001 requires not only that wireless carriers disclose their information practices in writing to consumers, but that they obtain in writing from the consumer permission to collect and use location information. The bill is currently before the House Subcommittee on Commerce, Trade and Consumer Protection.

Despite the introduction of this and possibly similar bills, Forrester Research's McCarthy remains doubtful that legislation mandating an opt-in model will pass. "Legislation will be around opt-out, not opt-in," he surmises. But, he believes, Congress will likely pass laws to ensure that businesses disclose their information-sharing practices. "The controversy," he says, "will be over how much we have to tell people about third parties. Because that's what users seem to be most spooked about from our research."

Whatever course Congress takes, businesses engaged in wireless marketing seem reluctant to push the ethical envelope of privacy. Many companies are hiring chief privacy officers (CPOs) to execute these policies and to limit the organization's exposure to risk. These CPOs are responsible for developing clear privacy guidelines for an organization based on customer concerns as part of the customer-relationship management process.

"The reality is you don't kick your customer in the shins and expect them to come back," McCarthy observes. "Wireless is one of these things that flares up the wireless issue. Because the technology evolution is relentless, it's only making it easier to collect information about who you are. Unless we have some very broad overarching privacy legislation, technology will always be several steps ahead of policy."