Site Meter

Author: Robert Gellman

Price Tag
1

Differential Pricing and Privacy: Good, Bad, or Otherwise?

The vast and ever increasing collection of information about consumers by search engines, advertisers, data brokers, web merchants, and myriad other online and offline companies raises many concerns. A website that stores (and reads) your emails, records every search you make, knows what addresses you look for on its maps, and holds your documents may know more about you than any other single institution, perhaps even including your family members.

Imagine if your email provider reads your email – or some other data accumulator reads your tweets or social network page – and tells the airlines that you are going to a family funeral across the country. Suddenly, you only find that airlines only offer you seats at a very high price. Think that you can hide your identity by searching before you sign in to buy? Doubtful. Web trackers likely know who you are using IP addresses, cookies, or other tricks invisible to most users.

One of the concerns about this data collection is differential or discriminatory pricing. Consumer advocates and others worry that merchants will use personal information to determine how much each individual consumer is willing to pay for something. That consumer then receives an individual price based on that consumer’s interest, need, income, buying patterns, and other factors. The next consumer pays a different price.

What’s the matter when a merchant charges one consumer a different price than another consumer? This is a surprisingly complicated question to answer.

Economists call the gap between what consumers are willing to pay and the market price the consumer surplus. If consumers lived in the economist’s hypothetical world of many buyers, many sellers, and a fair and transparent marketplace, consumers would expect to find prices based on marginal cost of production with lots of consumer surplus. Differential pricing is a merchant’s dream, with each customer paying a price based on willingness to pay rather than a standard price. Differential pricing could end the consumer surplus.

In the offline world, a merchant typically sets a single price for all consumers. The book is $12.99 to anyone who wants to buy it in the book store. Gasoline is $3.25 a gallon no matter how low a car’s gas tank is or how much the car cost.

In reality, things aren’t that simple in the offline world. The bookstore offers consumers a frequent shopper card (sometimes free. sometimes paid) with a discount on all purchases. The consumer with the card pays less than a consumer without one. The gas station offers a discount on Tuesdays because that’s a slow day. The movie theatre offers lower prices early in the day and higher prices in prime time. Many sellers offer a discount to seniors.

Read More

4

Who Is The More Active Privacy Enforcer: FTC or OCR?

Those who follow FTC privacy activities are already aware of the hype that surrounds the FTC’s enforcement actions.  For years, American businesses and the Department of Commerce have loudly touted the FTC as a privacy enforcer equivalent to EU Data Protection Authorities.  The Commission is routinely cited as providing the enforcement mechanism for commercial privacy self-regulatory activities, for the EU-US Safe Harbor Framework, and for the Department of Commerce sponsored Multistakeholder process.  American business and the Commerce Department have exhausted themselves in international privacy forums promoting the virtues of FTC privacy enforcement.

I want to put FTC privacy activities into a perspective by comparing the FTC with the Office of Civil Rights (OCR), Department of Health and Human Services.  OCR enforces health privacy and security standards based on the Health Insurance Portability and Accountability Act (HIPAA).

Let’s begin with the FTC’s statistics.  The Commission maintains a webpage with information on all of its cases since 1997.  The FTC’s website is http://business.ftc.gov/legal-resources/8/35.  I’ve found that the link provided does not work consistently or properly at times.  I can’t reach some pages to confirm everything I would like to, but I am sure enough of the basics to be able to make these comments.

The Commission reports 153 cases from 1997 through February 2013.  That’s roughly 15 years, with an average of about ten cases a year.  The number of cases for 2012, the last full year, was 24, much higher than the fifteen-year average.  The Commission clearly stepped up its privacy and security enforcement activities of late.  I haven’t reviewed the quality or significance of the cases brought, just the number.

Read More

3

Overturning the Third-Party Doctrine by Statute: Hard and Harder

Privacy advocates have disliked the third-party doctrine at least from the day in 1976 when the Supreme Court decided U.S. v. Miller.  Anyone who remembers the Privacy Protection Study Commission knows that its report was heavily influenced by Miller.  My first task in my long stint as a congressional staffer was to organize a hearing to receive the report of the Commission in 1977.  In the introduction to the report, the Commission called the date of the decision “a fateful day for personal privacy.”

Last year, privacy advocates cheered when Justice Sonia Sotomayor’s concurrence in U.S. v. Jones asked if it was time to reconsider the third-party doctrine.  Yet it is likely that it would take a long time before the Supreme Court revisits and overturns the third-party doctrine, if ever.  Sotomayor’s opinion didn’t attract a single other Justice.

Can we draft a statute to overturn the third-party doctrine?  That is not an easy task, and it may be an unattainable goal politically.  Nevertheless, the discussion has to start somewhere.  I acknowledge that not everyone wants to overturn Miller.  See Orin Kerr’s The Case For the Third-party Doctrine.  I’m certainly not the first person to ask the how-to-do-it question.  Dan Solove wrestled with the problem in Digital Dossiers and the Dissipation of Fourth Amendment Privacy.

I’m going at the problem as if I were still a congressional staffer tasked with drafting a bill.  I see right away that there is precedent.  Somewhat remarkably, Congress partly overturned the Miller decision in 1978 when it enacted The Right to Financial Privacy Act, 12 U.S.C. § 3401 et seq.  The RFPA says that if the federal government wants to obtain records of a bank customer, it must notify the customer and allow the customer to challenge the request.

The RFPA is remarkable too for its exemptions and weak standards.  The law only applies to the federal government and not to state and local governments.  (States may have their own laws applicable to state agencies.)  Bank supervisory agencies are largely exempt.  The IRS is exempt.  Disclosures required by federal law are exempt.  Disclosures for government loan programs are exempt.  Disclosures for grand jury subpoenas are exempt.  That effectively exempts a lot of criminal law enforcement activity.  Disclosures to GAO and the CFPB are exempt.  Disclosures for investigations of crimes against financial institutions by insiders are exempt.  Disclosures to intelligence agencies are exempt.  This long – and incomplete – list is the first hint that overturning the third-party doctrine won’t be easy.

We’re not done with the weaknesses in the RFPA.  A customer who receives notice of a government request has ten days to challenge the request in federal court.  The customer must argue that the records sought are not relevant to the legitimate law enforcement inquiry identified by the government in the notice.  The customer loses if there is a demonstrable reason to believe that the law enforcement is legitimate and a reasonable belief that the records sought are relevant to that inquiry.  Relevance and legitimacy are weak standards, to say the least.  Good luck winning your case.

Who should get the protection of our bill?  The RFPA gives rights to “customers” of a financial institution.  A customer is an individual or partnership of five or fewer individuals (how would anyone know?).  If legal persons also receive protection, a bill might actually attract corporate support, along with major opposition from every regulatory agency in town.  It will be hard enough to pass a bill limited to individuals.  The great advantage of playing staffer is that you can apply political criteria to solve knotty policy problems.  I’d be inclined to stick to individuals.

Read More