September 1997

Data Collection as Free Speech

by Solveig Singleton

This article explains why I have a right to collect information about you--and sell it for commercial purposes to third parties. Nobody said that free speech would never make anybody nervous.

A New Yorker cartoon notoriously said, "On the Internet, Nobody Knows You're a Dog." But it isn't true. The operators of note that "on today's Internet, people do know you're a dog." Web sites offering fun and games collect information from hapless children. Technology enables operators of web sites to collect information about the equipment and software you are using to access their site, to learn your email address, to track your visits to other sites, and to record what content you view there. This information could be supplemented with that from other sources, such as records of credit card transactions, to provide detailed profiles of customer buying patterns.

This prospect angers a lot of people. Many privacy advocates support the idea that businesses should not be permitted to compile or transfer information about a customer's buying habits without the customer's knowledge or consent. But this regime, generally known as "mandatory opt-in," would run afoul of free speech principles. This article explores this conflict between privacy and the free flow of information. It concludes that the creation of new privacy rights would do more harm than good, eroding free speech and impeding the growth of new businesses and business models.

The idea that one should have the right to give consent before information about oneself is relayed to third parties has been explored thoroughly in the area of medical ethics, where the right is incorporated by custom into our ordinary understanding of medical contracts. But what about more ordinary transactions, where a customer simply visits a web site or uses the Internet to buy aquarium supplies or sweaters on sale? Do we "own" this information? Would it be wrong for others to collect this information and sell it without our permission?

The Dubious Origins of Privacy Rights

In the nineteenth century, legal limits on the power of governments to collect information were familiar. The Fourth Amendment to the United States Constitution, which prohibits law nforcement officers from conducting searches and seizures without a proper warrant, is typical of these. But there were very few limits on the power of the private sector to collect and distribute information, other than laws protecting the sanctity of physical property.

Rights to privacy independent of physical property rights began with an 1890 article authored by Louis D. Brandeis (before he became Justice Brandeis) and Samuel D. Warren. The authors' target was the press, which was "overstepping in every direction the obvious bounds of propriety and of decency." Warren was especially irritated to discover details of his home life discussed in the Boston press. Brandeis and Warren argued that courts should create a new kind of property right in personal information. Disastrously, they never considered whether the creation of new rights to restrict information published by the press would violate principles of free speech.

The publication of the Brandeis and Warren article gave birth to a hodge-podge of privacy torts and statutes. But courts and commentators only occasionally recognized the conflict between privacy and free speech. Luckily, the new privacy rights were narrowly defined. The general rule remained that human beings could gossip and exchange information about one another as they always had.

Free Speech Versus Privacy on the Internet

The conflict between privacy rights enforced by mandatory opt-in and free speech is a straight-forward one. Suppose I visit a web site or buy goods from a web vendor. At least two parties are involved in this transaction--myself, and the web site operator. It is flatly incompatible with principles of free speech to prohibit the web site operator from communicating truthful information about this real event and the real people involved to others, including other businesses.

Clearly, I should be free to communicate information about my purchase from or visit to a web site to my friends, to participants in a newsgroup, to Consumer Reports or the Better Business Bureau. There seems to be no reason that the web site operator should not be equally free to communicate information about the transaction--even for profit. Journalists are not required to ask the subjects of a news story for permission to print the results of the journalist's research (traditionally, the story may not be defamatory...but defamation law itself conflicts with free speech).

One might argue in response that consumers need to be protected from business, while the converse is not true. First, though, there seems to be little or no danger here for consumers to be protected from. Businesses that collect data on customer profiles usually do so because they are trying to sell something. As human motives, go, this is not an especially sinister one. Even web sites that successfully collect data from children and use that data to launch marketing pitches are likely to expose children only to the danger of accumulating somewhat more trendy junk than the children otherwise would. The "consumer protection" rationale is unconvincing.

In-so-far as there is a real danger from data collected over the Internet, this danger is not unique to Internet sites. Certainly, consumer profiling data might be used by criminals such as pedophiles to identify potential victims. But information commonly printed in newspapers and phone books could be used the same way. In one infamous case, an imprisoned pedophile used stories about children cut from small-town newspapers to compile a list of 300 children to target. But this would not justify regulation of newspapers, even though it is more likely that convicts would see newspapers than to marketing lists.

Furthermore, the danger posed to children or others from data collected by commercial Internet sites is probably much less, on the whole, from data that could be collected in noncommercial chat rooms, or from sites devoted to political discussions. Those who value the free flow of information usually will not submit to regulation just because regulation might possibly forestall the remote possibility of some harm.

The imposition of a mandatory opt-in regime for the Internet would therefore be the equivalent of a law banning gossip. In the course of every casual encounter, human beings exchange a good bit of detailed personal information about one another. Only in rare circumstances will anyone feel any obligation to ask another's permission before relaying this information to third parties, however embarrassing it could be to the subject of their conversation ("don't you think that Ms. Smith is spending a lot of time with Mr. Jones?"). Just like a law banning gossip, a law against consumer profiling on the Internet shrinks the traditional sphere of freely flowing information.

Gossip and customer profiling cannot be distinguished on the grounds that gossip is harmless. From the standpoint of an individual, gossip can be devastating. Anthropologist Sally Engle Merry describes life in a isolated Spanish village:

" Every event is regarded as common property and is commented upon endlessly. . . . People are virtuous for fear of what will be said."

Indeed, gossip and customer profiling serve similar and related social functions. While it seems harmful to the subject of gossip, to others, gossip is not only interesting--it can be the glue that holds communities together and informs economic decisions in preliterate societies. Customer profiling does the same thing. Once, entrepreneurs could increase their sales through personal knowledge of their customers' buying habits and local gossip. Businesses relied heavily on such informal networks. Dun & Bradstreet, which reports on the creditworthiness of businesses, originated when Lewis Tappan, who managed credit accounts in his brother's silk business, begab to exchange letters with 180 correspondents throughout the country about the creditworthiness of businesses in their communities. The increased automation of commerce over electronic networks such as the Internet will make personal contacts between businesses, and between businesses and their customers much more rare.

In the new computerized world, it would be very surprising if entrepreneurs did not try to learn about the customer from customer profiles, lists, and credit reporting services. Databases are a natural entrepreneurial adaptation to a world where we have freed ourselves of many informal social ties. Once this evolution is understood, proposals to prohibit businesses from trading information about their customers without the adaptation to a world where we have freed ourselves of many informal social ties. Once this evolution is understood, proposals to prohibit businesses from trading information about their customers without their consent appear to be wholly unnecessary restraints on traditional freedoms, shrinking the public domain of information without making the public any safer.

Conclusion: Mandatory Voluntary Opt-In for the Internet.

Once one recognizes the conflict between free speech principles and privacy rights, current proposals to regulate privacy on the Internet seem particularly alarming. In the United States, the regulatory tactic of choice is to demand "industry self-regulation." Of course, "self-regulation" approved, demanded, and supervised by regulators is not "self-regulation" at all. NTIA chief counsel Barbara Wellberry says, "we favor self-regulation, but self-regulation with teeth. But people say self-regulation, and that's the end of the conversation. We're looking at self-regulation more analytically: to see where it works, where it may not work." True self-regulation does not violate rights of free speech, because no government action is involved. But this faux "self-regulation" may substantially restrict the flow of information, without anyone clearly recognizing the free speech issues.

The United States government is also willing to consider more heavy-handed regulation, such as the creation of a federal privacy agency or office. Other governments, particularly those in Europe, have long gone far beyond self-regulation. To those who are concerned with the free flow of information, neither the abandonment of "self-regulation" nor the insistence on false "self-regulation" provide much comfort.

Some, of course, simply do not care about the free speech rights of commercial enterprises. In my view, this is a serious intellectual error. Commerce and trade drive real improvements in standards of living worldwide. It is a mistake to subordinate commercial speech to political speech in one's scheme of values.

Some predict that a mandatory opt-in regime would effectively prohibit trade in customer profiles in marketing lists. This would have its greatest impact on newer or smaller businesses, who rely on the profiles to get started. Older, established firms will have existing customer databases to draw on. Mandatory opt-in might preclude the formation of entirely new business models. Had mandatory opt-in been in place a couple generations ago, for example, consumer credit reporting might never have developed. Consumers, especially the poor, would be unable to buy goods on credit unless they were well known by reputation to a particular business.

The current rush to impose new privacy regulations cannot be reconciled with a principled approach to individual rights. In the long run, it will only hurt the Internet community to join the ranks of those who greet any new technology with fear.

Solveig Singleton ( is Associate Director of Telecommunications & Technology Studies at the Cato Institute, Washington, D.C.

Copyright © 1997 by Solveig Singleton. All Rights Reserved.

Contents Archive Sponsors Studies Contact