Subj: Online Privacy: Perspectives of Privacy Right From: Paul Sholtz, Chief Technology Officer, PrivacyRight Inc., c/o Amy Hanson, 703- 299-9470 To: Internet Caucus Advisory Committee ELEMENTS OF PRIVACY POLICIES The privacy policies posted on most Web sites do a decent job of disclosing to consumers what information is collected, how it is used and with whom it is shared. Unfortunately, these privacy policies are little more than an informal contract, and consumers have no way of verifying or enforcing that Web sites are limiting their data practices to what they outline in their privacy policies. Consumers have no way of controlling or changing how much personal information the Web site knows about them. Also, if the Web site resells personal information, the consumer to whom it belongs does not realize any economic benefit. WHAT IS ADEQUATE NOTICE? "Adequate notice" usually means that the Web operator has gone to some reasonable length to disclose to consumers what personal information is being collected and how it is being used. Usually, posting a privacy policy in a prominent place on the Web site constitutes adequate notice. Adequate notice is probably one reason for the backlash against companies like DoubleClick, which track and profile users without the individual's knowledge and consent. This is because online advertising networks attach cookies to banner ads across a network of affiliate Web sites, which are otherwise unrelated to DoubleClick. Since the Web operator and DoubleClick have different domains, even if the consumer is informed about the Web operator's privacy policy, the person is most likely unaware of the profiling DoubleClick is simultaneously doing. AS BROWSER DISPLAYS GET SMALLER . Cell phones and PDAs have their own host of privacy problems. Since the devices are wireless, the service providers must be able to track the location of the device with a fairly high degree of accuracy (in order to send data back and forth to the device). A law, which was enacted last year, requires cell phone operators to be able to locate a cell phone call within 100 feet when a 911 call is placed. It gives service operators the ability to do novel "real-time location-based" marketing to wireless subscribers (a notion that raises very significant privacy concerns). NOTICE FOR AGGREGATE DATA. Aggregate data is different than individually identifying data, and in general less sensitive. However, in terms of customer control, disclosure should be provided for all collected data, even for internal use of aggregate data.