In February, doctors removed my kidney and I learned that I had cancer. I might not be eager to disclose that to strangers — except that others may already have done that for me. One company claims to offer more than 60,000 mailing lists, including lists of people who have bought items for dealing with cancer and kidney disease and plenty of other ailments. Incontinent? Constipated? Your secret may also be out.
Other lists raise safety concerns. You can buy the home addresses of police officers. A list of high schoolers is said to include “puberty-infested” students. Even a list of domestic violence shelters is available.
Some lists raise discrimination questions. Those who want to market only to particular groups — Christians or Asians, say — can buy lists confined to such individuals.
While the National Security Agency’s surveillance has elicited a lot of attention recently, it at least theoretically does so to benefit us all. In contrast, companies peddle information on consumers to pursue their own selfish interests.
The industry defends these practices on the ground that they enable websites to offer their services for free. But when we buy something, we are told a price and can decide whether we are willing to pay it.
Learning what most data brokers know about us and whom they sell it to — said to be the price for free websites — is often difficult or impossible. While companies may provide privacy policies, companies that do not want consumers to realize what they disclose to others have an incentive to write their policies in a way to make it unlikely that consumers will wade through them, and many do.
Some information is already protected by federal law. For example, medical professionals are limited in what they can say about patients. But information obtained from some sources, including patients who buy products or conduct searches on the Web without realizing that information about them is being harvested, is often not covered by law. The result is that medical information that consumers believe confidential is readily available for purchase.
Lawmakers should adopt several measures to address these issues. Congress should create a single website that consumers can visit to opt out of the collection of information on their transactions.
The options should be detailed enough so that consumers who want merchants to know of their interests in some things can indicate that, while still blocking sale of other information.
Merchants that collect information about consumers should be obliged to respect consumer choices, just as telemarketers must honor the “do-not-call” list. Merchants should be able to sell information about sensitive subjects, like illnesses, only if consumers affirmatively grant permission to do so.
Privacy policies should be standardized, brief, written in plain English and link to the opt-out website. If the result is fewer free websites, at least that will reflect what consumers want, rather than what businesses have decided for them. I may now be cancer-free, but until Congress acts, I am also privacy-free.
Jeff Sovern is a law professor at St. John's University School of Law in New York City and co-coordinator of the Consumer Law and Policy Blog at www.clpblog.org (firstname.lastname@example.org).