Imagine a man, Carl, who walks into a pharmacy, buys an over-the-counter HIV test at his local store. Now imagine that the store, which collects copious amounts of information on its customers, sends advertisements to Carl's friends, family and other contacts noting that he bought the HIV product. Carl's boss sees one of the ads and fires him.
Exactly where did that company go wrong?
Although the scenario is hypothetical, such things do happen in the age of internet-powered marketing. Some 12,000 Aetna members received a mailer this summer that revealed they were HIV-positive. People with HIV are still fired or not hired, though such actions are illegal under federal law -- akin to firing a person because of their race or sex. And nearly anyone who's shopped online is familiar with the parade of targeted ads that follow a person across computers, tablets and phones after they've looked at a product.
Recent data hacks at Uber, Aetna (AET) and Equifax (EFX), to name just a few, have thrust the potential for malfeasance into the spotlight. But are people are harmed if their data is merely collected and not leaked? More than a dozen lawyers, consumer advocates and advertisers grappled with that question at a Federal Trade Commission workshop this week examining "informational injury."
"Maybe there's a harm to all of us, since we're all Amazon Prime customers at this point," said one law professor.
Data is the lifeblood of the modern consumer economy, but few entities, let alone consumers, understand how important it is. "Much of the internet [economy] is a black box where we don't know what is happening. We know that value is being generated, but we don't know how it's happening," said Alessandro Acquisti, professor of information technology and public policy at Carnegie Mellon University. "That to me is a pretty crucial issue."
Industry representatives sought to draw a line between data collection and data usage. "Serving a targeted ad to someone online is very different from using that data to make a decision about someone," said Leigh Freund. Freund heads the Network Advertising Initiative, a nonprofit that aims to be the self-regulatory body for advertisers.
Many disagree with that view, however. Facebook (FB) has come under fire for algorithms that allow you to create housing ads that exclude people with an "interest" in black or Latino culture. (Excluding people from housing opportunities based on their race is illegal under federal law.) And for many people, just knowing that information about them exists can prevent them from fully participating in the economy, said Paul Ohm, a professor at Georgetown University Law Center.
"People self-chill -- they don't apply for jobs they might apply for because they're worried about their credit report. They don't try to buy a house," he said.
The FTC, which regulates a broad range of consumer issues, has gone after businesses for fraud, scams and misleading ads. It's also supposed to regulate "unfair business practices," which is a murkier area. For some consumer advocates, the very fact that companies collect vast troves of people's data -- any data -- is unfair.
"A lot of discussion assumes there is a benefit to consumers, to individuals, through tracking of any kind, and the question to ask is, what was the benefit here?" said Michelle de Mooy, director of the privacy and data project at the Center for Democracy & Technology.
"The information asymmetry, the lack of a level playing field, is a huge part of this," she said. "Having a level playing field is a democratic principle."