Companies should simplify consumer choice
The Commission’s draft proposes a more simplified approach to offering and communicating privacy choices. We all know that none or few go through the lengthy and sometimes indecipherable privacy policy statements before buying a product or service. What we tend to forget is that our choice of buying or not the product or service must also depend on such policies. There may be one clause or notice that would influence our purchasing decision! The draft states that businesses need to provide consumers with meaningful choices while they can omit choices pertaining to commonly understood and accepted data practices.
Companies do not need to provide choice before collecting and using consumers’ data for commonly accepted practices, such as, product fulfillment
The draft identifies five common accepted practices where companies should not be required to seek consent once the consumer elects to use the product or service in question:
- Product and service fulfillment- where consumer’s private data is collected during the ordering process such as, shipping and credit card details.
- Internal operations – where consumers are asked to fill in customer satisfaction surveys from existing customers or the collection of websites visits and click through rates to improve site navigation.
- Fraud prevention – where fraud detection services are used to monitor against fraud such as, checking drivers’ licenses when consumers pay by check.
- Legal compliance and public purpose – where businesses report a consumer’s delinquent account to a credit bureau.
- First-party marketing – where businesses recommend products or services based upon consumer’s prior purchases or offer discount coupons on other services or products.
The practices mentioned above are quite obvious and broadly accepted. For instance, a business collecting the consumer’s address solely to deliver a product the consumer ordered should not be added with the extra burden of privacy policies choices. These are obvious engagements according to the draft. Other commonly accepted practices include ISPs monitoring data transmissions for reasons related to providing Internet service, such as to ensure that their service is not interrupted or to detect and block the transmission of computer viruses or malware. This excludes the ISP collecting data to create detailed profiles of users for marketing purposes. Finally, are these commonly accepted practices too broad or too narrow? Do they apply to different business contexts?