Reason Magazine

In 1997 Qwest Communications performed a practical study of the opt-in rule. It asked its customers for permission to use general information about their calling habits to market new services to them. When customers were asked for this permission through postal mail, the positive response rate was between 5 percent and 11 percent. When Qwest representatives made phone calls instead, the response rate was up to six times higher -- an indication that many customers really didn't mind but also didn't want to go through the bother of sending a letter to opt in. Qwest eventually concluded that an opt-in approach was too expensive to be viable.

If we want the low prices and consumer choices of a database nation, we may have to tolerate unsolicited sales pitches (although there are ways to avoid them -- all legitimate marketers offer a way to delete your name from the list). Few of us are fans of direct marketing -- until we receive an advertisement for a product we want. The same information sharing that makes unwanted solicitations possible also can improve targeting so that consumers are more likely to receive offers that interest them. And many people clearly do: The Direct Marketing Association's 2002 annual report estimated that direct marketing efforts "are projected to generate nearly $2 trillion in sales" in 2003. Even if that number is inflated, information flows contribute to a huge chunk of the economy.

"Companies are increasingly finding that if consumer data is not readily available for business use, the negative impact on sales could severely stunt company growth," warns Jennifer Barrett, chief privacy officer at Acxiom, a database marketing firm in Little Rock, Arkansas. "Moreover, increased marketing costs could force retailers to substantially raise the price of their merchandise to maintain effective margins. The result would be higher prices, fewer customers, and fewer jobs."

Site Security

The cost of restricting information hasn't stopped regulatory enthusiasts from demanding an opt-in standard for Web sites. Federal law mandates that standard for medical information, and pro-regulation activists hope to broaden the concept to stretch as far as the European Data Directive does.

Congress has convened dozens of hearings on Internet privacy issues, and in April 2002 Sen. Ernest Hollings (D-S.C.) introduced his Online Personal Privacy Act. The now-defunct bill would have regulated how Internet service providers, commercial Web sites, and noncommercial sites supported by advertising or product sales collect information about customers. The legislation covered "personally identifiable information," including names, e-mail addresses, and numeric I.P. addresses.

"How can we trust companies with our personal information when their every economic incentive is to collect, compile, enhance, target, and disseminate it for profit?" Hollings said in support of the bill. "It is like letting the fox guard the henhouse. Our bill grants consumers, not companies, control over their personal information on the Internet. And our opt-in component is the only method for ensuring that Internet users have the ultimate control."

Hollings' proposal had a technophobic twist: It applied only to the customer records of Internet-related firms, not their brick-and-mortar competitors. During one Senate hearing, an Amazon.com lobbyist pointed out the discrepancy and unfair advantage. Hewlett-Packard predicted that the vague definitions in Hollings' bill would invite lawsuits.

Some politicians have gone even further than Hollings. The Consumer Internet Privacy Protection Act, proposed by the late Rep. Bruce Vento (D-Minn.) in 1997, would have barred Web sites from sharing "personally identifiable information" about their visitors without prior "written consent" -- a requirement far more onerous than the one that applies to offline firms. Other, more recent proposals include a plan being advanced in the Senate by Dianne Feinstein (D.-Calif.) to slap serious restrictions on all forms of database marketing.

Robert Hahn of the American Enterprise Institute estimates that complying with an opt-in requirement for Web sites would incur a one-time cost of between $9 billion and $36 billion. If Hahn's numbers are anywhere near correct, struggling companies could be required to lay off workers, and marginal ones could be driven to bankruptcy.

With the exception of sites targeted at young children, which are federally regulated, under current law Web sites choose their own privacy policies and are judged accordingly. Consumers can rely on nongovernmental rating and reputation systems to steer them toward desirable destinations. Just as The Michelin Guide reviews restaurants and kashrut organizations certify foods, these systems rate privacy. TRUSTe, BBBonline, and WebTrust offer "privacy seals" to Web sites so consumers can find companies worthy of their trust. To earn a TRUSTe seal, a firm signs a contract that requires its site to prominently disclose how it collects, uses, and distributes personally identifiable information about its users. The cost ranges between $300 and $7,000 a year, depending upon the company's size, and participating companies can display a bright green TRUSTe logo. TRUSTe claims 2,000 member companies, including many high-profile sites, and BBBonline has awarded its privacy seal to more than 500 sites.

In addition to these companies, nearly all large commercial Web sites take a full-disclosure approach to privacy, saying exactly what they'll do with personal data they collect. Although Europe has strict regulations in this area, America's free market approach seems more effective. A 2001 report from Consumers International, a global association of more than 260 pro-regulation groups, admits that "despite tight EU regulation, sites within the EU are no better at telling users how they use their data than sites based in the U.S. Indeed, some of the best privacy policies were found on U.S. sites."

Ways of Making Us Talk

An approach to data handling that works for businesses trying to woo customers, of course, may not be appropriate for governments trying to monitor their citizens. When dealing with private corporations, you generally can choose whether to give them your information. If you don't like Safeway's discount card, don't get it; or shop at Whole Foods, which doesn't offer one. If Amazon.com's recommendations are annoying, try barnesandnoble.com instead. You have a choice.

That choice disappears when the government demands data. Whether you're filing tax returns or filling out a form for a driver's license, governments have the unique -- and uniquely dangerous -- ability to compel you to divulge information whether you want to or not. Police also have the unique power to conduct wiretaps, set up roadblocks, and employ search warrants. The massive Total Information Awareness project that John Poindexter tried to piece together under the aegis of the Defense Department would have put private-sector databases to shame. The Treasury Department's FinCEN agency, available to local, state, and federal police, offers the ability to scroll through more than 120 million reports about banking transactions. The FBI, the Secret Service, and the U.S. Bureau of Customs and Border Protection regularly download the data and import it into their own databases. (See "Show Us Your Money," November 2003.) In addition to unique data collection abilities, the government has unique powers in using the information it gathers, including the ability to arrest, prosecute, fine, and imprison people.