A Consumer’s Journey into Data Reaping

November 16, 2017

By Jeff Hannah

Steven Spielberg’s 2002 science fiction film Minority Report, set in the year 2054, depicts a
futuristic society where crimes are stopped before they even occur. Using information provided by a
triad of psychics known as “precogs”, a specialized police department is able to apprehend and convict
criminals with just the foreknowledge of a criminal act. As part of Spielberg’s futuristic portrayal of 2054,
the identity of citizens’ is associated with biometrics, namely individuals’ retinas, as the movie depicts
digital signage that actively captures individuals’ unique identity by way of retina scans. Via recognition
of an individual’s identity, digital signs display personalized advertisements that include holographic
avatars who call out by name the movie’s lead character, Chief John Anderton played by Tom Cruise, as
he walks through a shopping center. While Minority Report is a science fiction film, the concept of
personalized advertising based upon foreknowledge of an individual’s preferences is not, particularly as
an individuals’ digital identity continues to be merged with individuals’ physical identity and the physical
space in which an individual occupies.

As of 2017, 95% of Americans own a cellphone and of those Americans that own a cellular
phone, 77% own a smartphone. 1 Smartphones come with many benefits beyond those provided by
traditional cellular phone devices, including the ability to browse the Internet, access to a catalogue of
applications that provide customized experiences for device owners via applications that serve
individuals’ needs and preferences, and the ability to connect and pair ones phone with various devices,
such as a FitBit or wireless headphones. In many ways, these devices are an individual’s identity.
According to a 2009 poll by PC World, 40% of respondents said they would rather lose their wallet – that
thing that carries your photo ID, credit cards, etc. – rather than their cell phone. Additionally, 82% of
respondents stated that they “fear that if their phones were lost or stolen, someone would use the
information stored on them for fraudulent means.” 2 Clearly, with the adoption of cellular devices,
particularly smartphones, the notion of individual identity has come to center around a single device.

But as individuals’ identities become more intertwined with their smartphones, so does an
individuals’ digital identity. Internet browsing history, mobile application usage and even an individuals’
location is all now tracked by way of an individuals’ day-to-day use of their smartphone. Increasingly,
individuals’ activities within the physical world are becoming synchronous with the digital world. For the
companies that provide the convenience associated with a smartphone, e.g. the wireless network
operators, device manufacturers and application developers, the information gleaned from individuals’
day-to-day usage of their smartphone provides a treasure trove of information that can be analyzed,
utilized and productized. Either unwittingly or wittingly, smartphone owners are living in a science
fiction film where information captured via their day-to-day use may be used to develop foreknowledge
of their daily behaviors, consumer preferences and geolocation.

1
Mobile Fact Sheet, Pew Research Center, http://www.pewinternet.org/fact-sheet/mobile/
2
“Bigger Loss: Cell Phone or Wallet?”, PCWorld, June 13, 2009,
https://www.pcworld.com/article/166628/bigger_loss_phone_or_wallet.html
 For smartphone owners, the information gleaned can present concerns over individual privacy,
but for retailors, the information reaped is pure gold as personalized digital advertising today can be
positioned directly in the palm of consumers’ hands with detailed knowledge of an individual
consumer’s preferences, location and more. The level of accuracy digital advertising now delivers has
created a disconnect between individual consumers and retailers. Consumers are willing to exchange a
certain level of information in exchange for free services, such as Internet browsing and E-mail services
provided by Google or a social media account provided by Facebook, but consumers are wary of further
transactions for free services, discounts, and other perks in exchange for their personal information.
According to an April 2017 article in RetailDIVE, “less than 50% of consumers of willing to exchange
personal data for discounts and other benefits – presenting a clear conundrum for retailors on the
question for personalization.” 3

To address this conundrum, retailors as part of their quest for personalized marketing have
turned to web companies and data brokerages who have become increasingly sophisticated at
aggregating once siloed and anonymized data sets. The aggregation of such data presents a challenge
for regulators, namely the Federal Trade Commission (FTC) and the Federal Communications
Commission (FCC), as existing guidelines that address consumer privacy are often bound by privacy
policy agreements between consumers and the network operators, device manufacturers, web
companies and applications used by consumers. This one-to-one agreement structure, whereby there is
a stated privacy policy between a consumer and their network operator, another between their device
manufacturer, and another between their application developer – for which there may be many – may
provide consumers with the allusion of privacy, however, closer examination of various privacy policies
and the practices of some companies states otherwise.

In 2000, the FTC deviated from the practice of allowing web companies to self-regulate
themselves and adopted four guidelines as part of the Fair Information Practice Principles (FIPP) that “all
commercial consumer-oriented Web sites that collect personal identifying information from
consumers” 4 should adhere to. These four principles state that:

• There shall be no personal record systems whose existence is secret;

• Individuals have rights of access, inspection, review, and amendment to systems containing
information about them;
• There must be a way for individuals to prevent the use of information about themselves
gathered for one purpose for another purpose without their consent;
• Organizations and managers of systems are responsible for the damage done by systems for
their reliability and security;
• Governments have the right to intervene in the information relationships among private
parties. 5

3
Sandy Skrovan, “Despite expectations of personalization, most shoppers don't want to share data”, RetailDive,
April 5, 2017, https://www.retaildive.com/news/despite-expectations-of-personalization-most-shoppers-dont-
want-to-share/439610/
4
Orson Swindle, “The Status of Online Privacy”, Federal Trade Commission, June 5, 2000,
https://www.ftc.gov/public-statements/2000/06/status-online-privacy#N_2_
5
Hal Varian, “Economic Aspects of Personal Privacy”, 1996,
http://people.ischool.berkeley.edu/~hal/Papers/privacy/
 Web companies have historically been at the forefront in the collection and sharing of user data.
From its genesis, Google’s free web search services has been monetized by advertising services that
offer relevant ad placement alongside consumer’s web searches. As Google has grown, along with the
company’s profits, others have taken note, recognizing the value of user data. As a result, mobile
handset device manufacturers, application developers and, more recently in the wake of the FCC’s
recent reversal of the 2016 Consumer Privacy Rules, network operators now collect information on
users’ device and application usage and general Internet browsing activity. As each entity has its own
privacy policy, along with limited information on with whom and what is shared with third-parties,
retailers and data brokerages are reaping the benefits of the convoluted myriad of privacy policies.

To demonstrate how retailers and data brokerages are benefiting from consumer confusion,
scoring the FTC’s FIPPs against the privacy policies outlined by three companies provides insight into
where consumer confidence in privacy leads to fears of “Big Brother” within the retail sector.

Verizon Wireless
According the FCC’s Annual Report and Analysis of Competitive Market Conditions, as of the end
of 2016 Verizon Wireless held the largest market share between the four largest national mobile
wireless service providers with 36.8% of the market. 6 Given Verizon Wireless’s large market share, it has
access to a considerable amount of American’s data obtained during a customer’s account set-up, such
as name, contact information, driver’s license number, Social Security Number and payment
information.

Additionally, once subscribed, Verizon Wireless continues to collect data, to include, but not
limited to, “call records, websites visited, wireless location, application and feature usage, network and
device data including battery life and apps on your device, product and device-specific information and
identifiers”. 7 For retailers and data brokerage companies, Verizon Wireless subscriber data collected is
valuable information that can be used to obtain a profile of individuals’ consumer preferences. So how
does Verizon Wireless’s privacy policy adhere to the guidelines outlined within the FTC’s FIPPs?

FIPPs Guideline Analysis of Verizon Wireless’s Privacy Policy

There shall be no Assuming that all information outlined within Verizon Wireless’s “Information
personal record we collect and how it is used” section of their privacy policy is complete and
systems whose comprehensive of all data collected, Verizon Wireless is transparent about what
existence is subscriber information is collected.
secret;
Additionally, further reading of the privacy policy details additional information
obtained via third parties and via Verizon websites and apps. This information
consists of demographic and interest data, such as “gender, age range,
education, sports enthusiast, frequent diner or pet owner.” Verizon Wireless

6
Implementation of Section 6002(b) of the Omnibus Budget Reconciliation Act of 1993, Annual Report and
Analysis of Competitive Market Conditions With Respect to Mobile Wireless, Including Commercial Mobile Services,
Docket No. 17-69, Federal Communications Commission, September 26, 2017
7
Verizon, http://www.verizon.com/about/privacy/full-privacy-policy
 also collects “contact information and other marketing lead information from
third parties, website “refer-a-friend” options or social media platforms and may
combine it with information we have to contact you or direct Verizon's
marketing offers to you.” 8

While the personal data collection system outlined by Verizon Wireless is

extensive, Verizon Wireless is transparent with regards to what system, or
systems, are used for personal data collection.

Individuals have According to Verizon Wireless’s privacy policy section on Accessing and updating
rights of access, your information, Verizon Wireless strives “to keep our customer records as
inspection, accurate as possible. You may correct or update your Verizon customer
review, and information by calling a Verizon customer service representative at 1-800-
amendment to VERIZON or by accessing your account online and providing the updated
systems information there.” 9
containing
information Upon accessing Verizon Wireless’s customer portal, information available
about them; included “Personal & Security Information”, contact information, billing
information, and documents and receipts.

Nowhere within the subscriber portal is a subscriber able to inspect, review or

amend any personal data beyond basic subscriber contact and billing
information.

There must be a Verizon Wireless collects information across three broad categories: Customer
way for Proprietary Network Information (CPNI), Business and Marketing Insights, and
individuals to Relevant Mobile Advertising.
prevent the use
of information According to Verizon Wireless’s privacy policy, “Customer Proprietary Network
about themselves Information (CPNI) is information that relates to the type, quantity, destination,
gathered for one technical configuration, location, amount of use and related billing information
purpose for of your telecommunications or interconnected Voice over Internet Protocol
another purpose (VoIP) services.” 10
without their
consent; Business and Marketing Insights is a “program [that] combines and analyzes
customer information in a way that does not identify you personally… uses
information about how you use your mobile device including web addresses of
sites you visit and similar information about apps and features you use, and
information about the location of your device, as well as certain information
about your Verizon products and services (such as device type) and information
we obtain from other companies (such as gender, age range, and interests) or

8
Verizon, http://www.verizon.com/about/privacy/full-privacy-policy
9
Personal MyVerizon account webpage, Verizon Wireless
10
Id.
 that you provide.” 11 This information “may be used by Verizon and others who
want to better understand customer actions in aggregate.” 12

Additionally, as part of the Business and Marketing Insight information collected,

“Verizon may share location information that does not identify you personally
with certain other companies to allow them to produce limited business and
marketing insights.” 13

The third and final category of information collection is the Relevant Mobile
Advertising program, which uses subscribers’ “postal and email addresses,
certain information about your Verizon products and services (such as device
type), and information that you provide or we get from other companies (such
as gender, age range, and interests).” Online and device identifiers, such as
cookies, ad IDs from Apple and Google, and “one created by Verizon, known as a
Unique Identifier Header or UIDH” 14 are deployed as part of the Relevant Mobile
Advertising Program.

For each of the categories of data collection, Verizon Wireless does afford
subscribers the option to opt-out of one or all of these data collection systems.

Organizations and In March 2017, the FCC and Verizon Wireless settled on a $1.35 million fine after
managers of it was determined that Verizon Wireless and its third-party advertising partner,
systems are Turn, “used super cookies for unauthorized purposes, effectively overriding
responsible for customers' privacy choices.” 15
the damage done
by systems for With respect to Verizon Wireless’s collection of personal data in the context of
their reliability mobile advertising, Verizon Wireless has been held responsible for damages
and security; associated with their usage of “super cookies”.

Governments As described in the settlement between the FCC, Verizon Wireless, and its third-
have the right to party partner, Turn, the US government did have justification for intervening in
intervene in the Verizon Wireless’s and Turn’s use of “super cookies” which violated the third
information FIPPs guideline since Verizon Wireless subscribers we not able to provide
relationships subscribers an effective opt-out option.
among private
parties.

11
Id.
12
Id.
13
Id.
14
Id.
15
Colin Gibbs, “FTC requires Verizon 'supercookie' partner Turn to allow opt-outs”, December 21, 2016,
https://www.fiercewireless.com/wireless/ftc-requires-verizon-supercookie-partner-turn-to-allow-opt-outs
Facebook
Since its launch in 2004, Facebook has seen exponential user growth on its social media
platform. In 2008, Facebook was the first social media platform to surpass 1 billion users and as of the
third quarter of 2017, Facebook reported 2.07 billion monthly active users globally. 16 According to a
2015 article by USA Today, “three-quarters of online adults used Facebook”, or 58% of Americans. 17
Given the usage of Facebook amongst Americans, retailers have flocked to Facebook’s advertising
services. In 2015, 95% of Facebooks revenues were generated from advertising sales. 18

However, as individuals’ physical world often mirrors their digital world, the social media
company has been scrutinized for privacy concerns and violations. Given the global usage of Facebook,
the company’s privacy policies deviate from traditional privacy policies as compared to US-based
companies, providing users with a Statement of Rights and Responsibilities that details both the terms
of service as well as the company’s privacy policies and Data Policy. As part of this deviation from
traditional privacy policies, Facebook’s approach to data ownership is different compared to other
commercial consumer-oriented Web sites. Within Facebook’s Statement of Rights and Responsibilities,
Facebook states that users “own all of the content and information you post on Facebook, and you can
control how it is shared”. 19 But while users own their content and information, does that mean that they
are fully aware of how their information on Facebook is shared with third-parties?

Verizon Wireless’s privacy policy states that the operator collects “contact information and
other marketing lead information from third parties, website “refer-a-friend” options or social media
platforms” 20, e.g. Facebook. So, if an individual “owns” their content and information posted on
Facebook, how is consent given when information is obtained by Verizon Wireless?

FIPPs Guideline Analysis of Facebook’s Privacy Policy

There shall be no Facebook’s Data Policy provides users with information on what information is
personal record collected, how it is used and shared. Given the social focus of Facebook,
systems whose information beyond typical user profile information is collected, to include
existence is messages and communications with other Facebook users, “things others [i.e.
secret; Facebook friends] do and information they provide” and users’ “networks and
connections”. 21

16
“Number of monthly active Facebook users worldwide as of 4th quarter 2017 (in millions)”, Statista,
https://www.statista.com/statistics/264810/number-of-monthly-active-facebook-users-worldwide/
17
Elizabeth Weise, “Your mom and 58% of Americans are on Facebook”, USATODAY, January 9, 2015,
https://www.usatoday.com/story/tech/2015/01/09/pew-survey-social-media-facebook-linkedin-twitter-
instagram-pinterest/21461381/
18
“Facebook's advertising revenue worldwide from 2009 to 2017 (in million U.S. dollars)”,
https://www.statista.com/statistics/271258/facebooks-advertising-revenue-worldwide/
19
Facebook, https://www.facebook.com/terms.php
20
Verizon, http://www.verizon.com/about/privacy/full-privacy-policy
21
Facebook, https://www.facebook.com/about/privacy/
 However, much of this information, least from the user’s perspective is tied to
an individual user’s usage of the Facebook platform, but Facebook offers
application and web developers software development kits (SDKs) that afford
third-party websites and applications access to Facebook user’s data and vice
versa. Within Facebook’s Platform Policy for Developers, Facebook states that
developers “You may use Account Information [Facebook user information] in
accordance with your privacy policy and other Facebook policies”, so long as a
developer obtains consent from a Facebook user, but “All other data may only
be used outside your app after you have obtained explicit user consent.” 22

So, while Facebook is transparent with regards to the information obtain from
users and their associated connections on Facebook, the use of and acceptance
for third-party sites that utilize Facebook’s SDKs open a potential Pandora’s box
for consumers as data that was once associated with Facebook may become
associated with a myriad of applications and websites that utilize a Facebook
user’s account for login, social media postings, etc.

Given the portability of Facebook user’s data, the existence of how third-parties
utilize a user’s Facebook data becomes less transparent, even though the
systems for personal data collection are outlined within Facebook’s Platform
Policy.

Individuals have Facebook’s Data Policy site clearly outlines how users may manage and delete
rights of access, information about themselves. Information is presented in chronological order
inspection, within a user’s Activity Log.
review, and
amendment to
systems
containing
information
about them;

There must be a Facebook allows users to manage their privacy in accordance with a user’s
way for customized privacy settings. Facebook activities, such posts, reactions and
individuals to comments, photo tags, and timeline stories may all be configured to meet an
prevent the use individual user’s privacy preferences. However, when a Facebook user’s setting
of information for a particular event is set to Public anyone on or off (meaning not a user of the
about themselves platform) may have access to that information.
gathered for one
purpose for Given Facebook’s privacy settings, users may prevent information about
another purpose themselves from being gathered without their consent unless a user has listed
without their their Facebook activity or activities as public.
consent;

22
Facebook, https://developers.facebook.com/policy/
 Organizations and In 2011 the FTC settled with Facebook on eight counts of complaints against
managers of social media company’s lack of adherence to its own privacy settings, namely
systems are changing “its website so certain information that users may have designated as
responsible for private – such as their Friends List – was made public.” 23 It was determined by
the damage done the FTC that Friends Lists, personal information and de-activated account
by systems for information was shared with third-party applications with which a user had not
their reliability permitted access to.
and security;

Governments While governments have intervened in Facebook’s informational relationships

have the right to with third-parties, governments have also been the third-party, as was the case
intervene in the in 2013 when it was discovered that the US National Security Agency (NSA) was
information accessing Facebook user data to develop profiles on both foreign as well as
relationships American users of Facebook. 24
among private
parties.

Target Cartwheel
As consumers continue to turn to online shopping sites such as Amazon brick-and-motor retail
chains have felt the pinch in recent years. But among the American retail stores that were formed at the
turn of the 20th Century, including Sears and Macy’s, Target has remained resilient despite declining
market share lost to online retailers. One reason for its relative success may be attributed to Target’s
early adoption of more technically savvy loyalty and affinity programs.

Affinity and loyalty programs have been deployed by retailors for decades, but the emergence
of smartphones, and more specifically the applications hosted on smartphones, has presented retailors
with even greater ability to “know” their customers. Case in point: Target’s Cartwheel app, which
officially re-launched with more functionality beyond Target’s original mobile app in June of 2017. The
app, which allows Target customers to receive and download coupons, organize their shopping lists, and
process payments via the app, has been downloaded 40 million times since its launch. 25

But what is more interesting, and perhaps more valuable – at least from a retailer’s perspective
– is the Target Cartwheel application’s use of users’ smartphones and the Bluetooth radio technology
embedded within. Proximity-based beacon technology within retail settings has been a use case for

23
“Facebook Settles FTC Charges That It Deceived Consumers By Failing To Keep Privacy Promises”, Press Release,
Federal Trade Commission, November 29, 2011, https://www.ftc.gov/news-events/press-
releases/2011/11/facebook-settles-ftc-charges-it-deceived-consumers-failing-keep
24
David Simpson, Pamela Brown, “NSA mines Facebook for connections, including Americans' profiles”, CNN,
September 30, 2013, http://edition.cnn.com/2013/09/30/us/nsa-social-networks/index.html?hpt=ibu_c2
25
Sarah Perez, “Target and Cartwheel apps to merge starting this summer, mobile payments and improved maps
to follow”, TechCrunch, June 9, 2017, https://techcrunch.com/2017/06/09/target-and-cartwheel-apps-to-merge-
starting-this-summer-mobile-payments-and-improved-maps-to-follow/
several years, pushed by device manufacturers and web companies as a way to bridge the digital-
physical divide. For retailers such as Target, who are leveraging new devices with this new technology
embedded within new smartphone devices, proximity-based beacon technology can provide pin-point
information on a customer’s behavior within a brick-and-motor retail store – and in some case
unbeknownst to smartphone owners and Target Cartwheel application users. Given that Target’s
Cartwheel application is at the forefront of merging the digital-physical world to collect both customers’
purchasing preferences as well as real-time geolocation data on consumers’ movements within Target
stores, accessing the privacy policy of Target’s Cartwheel app can provide information on how and what
information is collected and how it is used to fuel Target’s personalized marketing strategies.

FIPPs Guideline Analysis of Target’s Cartwheel Application Privacy Policy

There shall be no Target and Target’s Cartwheel application privacy policy collects much of the
personal record typical user demographic data, such as name, address, email addresses, phone
systems whose numbers, date of birth, driver’s license number information. Additionally, given
existence is that Target is a retailer, customer credit/debit card, purchase history, registry
secret; information, and searches performed within Target’s web properties and
applications are collected. With regards to the Cartwheel application’s use of
beacon technology, “geo-location and in-store location” data is also collected by
Target along with social media information.

What’s interesting about Target’s privacy policy, however, is that there is no way
to opt-out of the collection of data, either for data obtained via Target’s
traditional websites or via its Cartwheel app. Further, Target’s privacy policy
states that “If you choose not to provide information, we may not be able to
provide you with requested products, services or information.” 26

What is clear about Target’s privacy policy is that it is not the principle agent for
data collection, but rather is deferring to device manufacturer’s, social media
platform provider’s and network operator’s personal data collection systems.

Individuals have Given that Target’s privacy policies do not afford consumers with the option to
rights of access, opt-out of data collection, there are no mechanisms for a consumer to access,
inspection, inspect, review or amend information stored by Target.
review, and
amendment to
systems
containing
information
about them;

26
Target, Target Privacy Policy, https://www.target.com/c/target-privacy-policy/-/N-4sr7p#PP_InformationSharing
 Since Target’s privacy policy states that ““If you [the consumer] choose not to
There must be a provide information, we may not be able to provide you with requested
way for products, services or information” 27, the only known way to prevent use of
individuals to personal information from being used without consent is to not use Target’s
prevent the use Cartwheel application.
of information
about themselves
gathered for one
purpose for
another purpose
without their
consent;

Organizations and
managers of Target has been the focus of expansive data breaches, as was the case in 2013
systems are when Target was the target of cyber attackers who used credentials from a
responsible for third-party vendor to access Target’s customer credit card information. The
the damage done breach resulted in a $18.5 million-dollar settlement, but not with the FTC, but
by systems for rather with 47 states who filed suit against Target. 28
their reliability
and security; It is surprising then, given Target’s past experience with cyber data theft, that
Target’s privacy policies do not adhere to the guidelines set forth by the FTC’s
FIPPs, but rather assumingly deflect responsibility to third-parties, such as device
manufacturers, data brokers and social media platform companies.
This disconnect, whereby retailers hungry for consumers’ personal data are not
held to the same guidelines outlined for web companies, perhaps is why “less
than 50% of consumers of willing to exchange personal data for discounts and
other benefits”. 29

Governments Given the impact of Target’s 2013 cyber breach and the introduction of new
have the right to technologies that track consumer’s physical location within retail environments,
intervene in the the FTC has a role to play, ensuring that the same FIPPs guidelines set for
information commercial web services and applications are applied to traditional commercial
relationships services, such as retailers, especially as consumers’ digital and physical worlds
among private become increasingly intertwined.
parties.

27
Id.
28
“Target Settles 2013 Hacked Customer Data Breach For $18.5 Million”, Reuters, May 24, 2017,
https://www.nbcnews.com/business/business-news/target-settles-2013-hacked-customer-data-breach-18-5-
million-n764031
29
Sandy Skrovan, “Despite expectations of personalization, most shoppers don't want to share data”, RetailDive,
April 5, 2017, https://www.retaildive.com/news/despite-expectations-of-personalization-most-shoppers-dont-
want-to-share/439610/
 Accessing the layers of systems by which consumers’ personal information is collected, to
include consumers’ mobile network operators, social media platforms, and applications for
smartphones, the analogy of an onion comes to mind. The further one peels back layers of the onion;
the more convoluted and complex consumer data privacy becomes. For this reason, the FTC should
seek to provide more equitable responsibility amongst both the companies that initially capture
consumers’ personal data as well as the down-stream third-party users of consumers’ personal data.
The need for thorough transparency on what data is collected, who it is shared with and how it is used
will become increasingly important as consumers’ physical identities become synchronous with the
digital world. While the movie Minority Report is a work of science fiction, the idea of digital-physical
identity becoming one and the same is not farfetched, particularly as individuals’ adoption of digital
devices becomes, inexpensive Internet of Things devices, and the long-term usage of smartphones and
social media sites affords both the collectors of data and the third-party users of consumer data with
years of personal information.