Some years ago, in response to a reporter’s question about user privacy, Eric Schmidt, then the CEO of Google, made the following statement: “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” In his Congressional testimony this week, Facebook CEO Mark Zuckerberg didn’t say anything nearly as condescending or abrasive. But his testimony was a good reminder that we are in a very different world privacy-wise than we were even ten years ago, when Schmidt made that comment.
In recent years, stories about data breaches have become routine. They come in two general categories:
1. Hacking, either directly into a victim’s computer network, or indirectly, via the systems of an organization that holds the victim’s data. Recent examples include data thefts from Target, health insurer Anthem, Yahoo and even the Federal government’s own Office of Personnel Management.
2. Phishing attacks, also known as social engineering, that dupe victims into opening the door to a thief. This is the strategy, for example, that hackers used to access emails during the 2016 presidential campaign.
But what really seemed to bother legislators at this week’s hearings was that there seems to be a third category: Internet companies share vast amounts of personal data in ways that are perfectly legal. For example, a company called Acxiom is in the business of matching consumers’ offline and online activity. Buy diapers at the supermarket, and that information will be available to marketers online. For years Acxiom had been a data provider to Facebook. In the wake of the recent controversy, they terminated this partnership, but there was nothing at all impermissible about it.
As a consumer, what can you do? Regulation on the Internet is still an open question. Fortunately, though, laws exist to protect consumer privacy in most other industries that handle sensitive information. In medicine, HIPAA has been in place since 1996. And, in financial services, the 1999 Gramm-Leach-Bliley Act requires financial institutions each year to provide consumers with a breakdown of the information they collect and how they share it. They must also give customers an opportunity to opt out of at least some of this sharing.
Still, these rules put a large part of the responsibility back on you as the consumer: to read dense disclosure statements and to go out of your way to opt out of data sharing when companies give you that option. To manage this, I see four approaches you could take:
1. Do nothing: If the only thing you watch on TV is PBS, if the only thing you buy at the drugstore is vitamins, and if your only bank transactions are donations to Goodwill, then you might decide that data sharing really doesn’t bother you. In that case, perhaps you just leave well enough alone.
2. Opt out of data sharing: If you’d prefer to limit the degree to which your data is trafficked, then you could take five or ten minutes to read through privacy notices when you receive them each year. Look for the “Can you limit sharing?” information and then follow the instructions provided to opt out. In most cases, you can go online to make these elections, and it takes just a minute. Once you opt out, it’s good for five years, so be sure to renew your preferences from time to time.
4. Avoid creating sensitive data, if you can: It’s impossible these days to stay completely “off the grid,” but if there’s a particularly sensitive purchase you want to make, it’s not too hard to stay below the radar of Internet marketers: Don’t search Google for the best price, don’t buy it online and don’t pay with a credit card. Instead, go into a brick-and-mortar store, pay with cash and definitely don’t use your loyalty card.