Privacy / Data Protection

Consumer Information Sharing: Where the Sun Still Don't Shine

Author(s): Chris Jay Hoofnagle
Year: 2008

Abstract: In late 2007, the popular social networking site adopted "Beacon," an application that informs Facebook users' friends about purchases made and activities on other websites. For example, if a Facebook user bought a movie ticket on, that user's friends would be informed of that fact through a news "feed" on Facebook. Some users objected vigorously to the Beacon application, because their activities were reported on an opt-out basis, meaning that the user had to take affirmative action to prevent others from learning about their activities. An activism website,, organized a protest, calling users to action by asking, "When you buy a book or movie online - do you want that information automatically shared with the world on Facebook?" Facebook responded to these critiques by changing its policy to obtain express approval before activities on other sites would be shared with friends.

The Facebook folly demonstrates how intensely consumers reject the "sharing" of personal information for marketing purposes. In this instance, consumers learned of Facebook's strategy because it was transparent and obvious to the individual. But what most do not realize is that, in the absence of a specific law prohibiting information sharing, businesses are generally free to monetize their customer databases by selling, renting, or trading them to others. In fact, the sale of customer information is a common, albeit opaque practice that, if disclosed at all, is usually mentioned in a "privacy policy." Facebook's Beacon simply made information sharing obvious to users.

Studies have shown that most consumers oppose the sale of personal information. Unfortunately, most consumers are under the misimpression that a company with a "privacy policy" is barred from selling data. To learn more about information selling, the authors, using a California privacy law, made requests to 86 companies for a disclosure of information sharing practices. The results show that while many companies have voluntarily adopted a policy of not sharing personal information with third parties, many still operate under an opt-out model that is inconsistent with consumer expectations, and others simply did not respond to the request. Based on these results, the authors propose several public policy approaches to bringing business practices in information sharing in line with consumer expectations.

Keywords: Privacy, opt-in, opt-out, direct marketing, information sharing, SB 27, shine the light