“Personally identifiable doesn’t necessarily mean significant,” he said. “If someone finds out I like non-pulp orange juice vs. pulp orange juice, I just don’t care. Someone preferring coffee-flavored ice cream could be valuable for an advertiser, but it’s not exposing consumers to harm if there’s a potential breach.”
Many see the existing self-regulatory framework as an adequate consumer safety net.
“We have demonstrated that enforceable and enforced industrywide self-regulation is an effective way to protect consumers with the flexibility to respond quickly to changing technological and business practices in a technologically neutral way,” said Genie Barton, VP and director of the Better Business Bureau’s Online Interest-Based Advertising Accountability Program, in a response to the FCC’s proposal.
The changes would shift the American online landscape to more closely resemble the EU, where sites must provide notice and seek consent before collecting data on users. Even beyond that, Jaffe worries there would be “a constant barrage and drum beat of security alerts” regarding what may have been inconsequential security lapses.
The FCC’s proposed burden may seem minimal but could carry a hefty price tag because of the sheer number of people who have to be notified and the potential lost business. Jaffe pointed to studies showing that similar European policies cost EU businesses the equivalent of $1.4 billion per year.
An FCC spokesperson responded to the ANA’s comment by saying, “Consumers should have control over how their personal information is used and shared by their internet service provider. The goal of the rulemaking is to give consumers the tools they need to make smart choices about protecting their information and enforcing the broadband provider’s responsibility to do so.”