Concerns about "Big Data" and the implications for consumer privacy have spurred Congress and federal regulatory agencies to seek new legal protections for data privacy. But much of the debate is being conducted on broad, general terms, and often overlooks crucial distinctions between different kinds of data.
The U.S. economy embraces two broad submarkets — the business-to-consumer (B-to-C) market and the business-to-business (B-to-B) market. Although both systems involve the sale of goods and services, and often the same companies and individuals participate in both, many of the underlying transactions and communications within the two systems raise significantly different issues. Nowhere is this more true than with respect to privacy. Legislation will need to be carefully tailored to protect consumer privacy interests without harming valuable business practices.
As the law has long recognized, "privacy" is a concern of individuals, not corporations or business entities. As the Restatement of Torts states simply: "A corporation, partnership or unincorporated association has no personal right of privacy." Thus, while privacy is a legitimate concern for individual consumers who participate in the B-to-C marketplace, it is a somewhat alien concept in the B-to-B world, where all participants act in their business capacities.
The B-to-B segment of the U.S. market is huge and an essential driver of the nation’s economic growth. At its core it is supported by companies that build, share and use business data. In the past, trade journal publishers dominated the industry data business. Increasingly in the Internet era, many new entrants, such as Google Inc., also gather, classify and sell robust business data on an industry-by-industry basis. Such data collection, transfer and use lies at the heart of the B-to-B marketplace. Data-privacy legislation has been an objective of consumer privacy advocates for years, but the push took on greater velocity with congressional hearings into online behavioral advertising in late 2008. Initially, a few congressional privacy advocates considered legislation specifically governing behavioral advertising, but in mid-2010, then-U.S. Representative Rick Boucher (D-Va.) proposed omnibus data-privacy legislation that would broadly regulate practically all collection, use and sale of data about individuals, both online and offline.
Several similarly focused bills followed, and by 2011, nearly a dozen data-privacy bills had been proposed. In the current Congress, representatives Ed Markey (D-Mass.) and Joe Barton (R-Texas), co-chairs of the Bipartisan Congressional Privacy Caucus, are spearheading a number of privacy initiatives, including some addressing data privacy.
Data privacy has also become a major focus of several agencies. In December 2010, the Federal Trade Commission issued a comprehensive study of consumer privacy, Protecting Consumer Privacy in an Era of Rapid Change, that proposed a "privacy by design" framework in which consumer privacy considerations are built into a company’s default mode of operations. The Department of Commerce entered the data-privacy debate in late 2010 with its "Green Paper" report, which generally supported industry self-regulation but also suggested that government could assist in helping industry participants set appropriate standards through a multistakeholder process.
The congressional, agency and White House privacy initiatives are all directed at protecting consumers from unclear, overbroad or potentially deceitful data collection and use practices. For several reasons, removing data collection and use in the B-to-B marketplace from the coverage of these laws and regulations will not undercut their purposes.
First, privacy is inherently a personal concept and typically has not been considered to be involved with business corporations and their activities. Neither business entities nor the individuals who act on their behalf enjoy personal privacy rights in their business activities. Employment law also recognizes that employees have different privacy interests in their employment capacities than in their personal capacities. The U.S. Supreme Court, with a somewhat rare humor-laden decision, in 2011 emphasized in Federal Communications Commission v. AT&T Inc. the ridiculousness of the assertion that a company like AT&T Inc. could have "personal privacy" interests under the Freedom of Information Act. Chief Justice John Roberts Jr. concluded his opinion rejecting AT&T’s assertion of the FOIA privacy exemption with the memorable sentence, "We trust AT&T will not take it personally."
Second, several of the leading privacy bills in past Congresses have specifically exempted B-to-B communications. The Commercial Privacy Bill of Rights Act proposed by senators John Kerry (D-Mass.) and John McCain (R-Ariz.) exempted personally identified information dedicated to contacting an individual at the individual’s place of work. Similarly, the proposed Consumer Privacy Protection Act of Representative Clifford Stearns (R-Fla.) defined "consumer" as "an individual acting in the individual’s personal, family, or household capacity," thus exempting B-to-B communications from its coverage.
Third, the White House Privacy and Innovation Blueprint, issued in early 2012, clearly focused on "consumers," not businesspersons. Its proposed Privacy Bill of Rights was labeled as a Consumer Privacy Bill of Rights, and its initial report repeatedly focused on "consumer" interests and the relationship between companies and "their consumers," clearly referring to B-to-C relationships.
Fourth, data-privacy issues that may arise in the course of business-to-business communications and transactions are generally addressed through notice-and-choice safeguards and industry codes and customs that have developed over time, based on the needs of the business community and the pressures of the competitive marketplace. Just as the marketplace demands that businesses protect trade secrets and other confidential information when the sharing or use of such information is required, that marketplace ensures that notice-and-choice procedures and other means protect data privacy for the B-to-B community.
Even apart from the consumer-protection intent of the pending data-privacy proposals, business data need to be free of encumbrances designed for the B-to-C world. Subjecting communications with individuals in their business capacities to the same limits, rules and practice principles that apply to communications with individuals in their personal capacities would significantly hamper the flow of business information. It would also halt the flow of commerce crucial to America’s economic growth and prosperity.
B-to-B communications occur both online and offline. Especially as to offline collection of information, the capacity of an individual, whether he or she is acting in a professional capacity or a personal capacity, can be easily determined. Although it is slightly more difficult to distinguish business and personal capacities online, it is usually apparent from the context in which information is collected or used. For example, someone who shops online at Macy’s should be presumed to be acting in a personal capacity, but someone who visits the Engineering News-Record website should be presumed to be acting in a business capacity.
Although a business-capacity exemption would need to be thoughtfully considered and applied, such an exemption could cover many crucial B-to-B activities without permitting intrusions into truly personal matters. For example, a typical piece of B-to-B information about an individual may consist of a name, job title, business name, business contact information and particular business interest — all quite different from the data concerning individuals in their private capacities that are usually the subject of consumer-privacy discussions.
For all these reasons, data-privacy laws designed to protect consumer privacy need not cover collection and use of information obtained in a person’s business capacity — that is, information obtained about an individual in his or her capacity as an employee or representative of a business enterprise.
A simple and clear means of making this distinction would be to explicitly limit the application of new data-privacy consumer-protection legislation to activity involving a "consumer," defined as "an individual acting in the individual’s personal, family or household capacity." This definitional and scope clarification would limit the legislation to its intended purpose — consumer protection — and ensure that B-to-B communications were not improperly covered or chilled.
Mark Sableman is a partner at Thompson Coburn, where he concentrates in media, Internet and intellectual property law and chairs the firm’s privacy, data use and security practice. Tom Carpenter is vice president of Wexler & Walker Public Policy Associates in Washington.