Who Owns Customer Data?

Once again, AT&T’s actions have sparked a national debate over customer privacy. The company deliberately kicked off a new round of debate with its announcement last week that it was changing — or as it said, “modifying” — its privacy polices for Internet and video customers.

This comes on the heels of the recent revelation by news media that AT&T and other telcos had participated in the National Security Agency’s warrentless wiretapping program — a disclosure they, not to mention the government, could have done without. Now, AT&T is faced with a lawsuit filed by the Electronic Frontier Foundation claiming that it violated customers’ rights by participating in that program.

Little Protection Anyway?

To be sure, companies issue and reissue densely worded privacy policies all the time. That AT&T chose to do so while a privacy-related lawsuit was pending is only slightly unusual.

What is quite unusual, though, is the wording of the policy: In essence, it requires several million users of its Internet and video services to acknowledge that AT&T owns their account information. It also states that this is a clarification of its pre-existing privacy policy — not a new policy.

Privacy advocates view AT&T’s ownership claim as a bold new move designed to further erode privacy rights. The opposing argument is that companies had the rights to customer records all along; AT&T is just being more upfront about it now that it is being threatened with a lawsuit.

Either way, “this is a frightening development,” Paul Stephens, a policy analyst at the Privacy Rights Clearinghouse, told the E-Commerce Times.

In general, he acknowledges, privacy policies provide little protection to consumers. “They are more about disclosure — what the company can do with your information — than they are about privacy,” he said. “But I have rarely seen a company come out and arbitrarily announce they own a customer’s data.”

If the AT&T policy stands, it likely will lead to other companies releasing similarly worded policy revisions.

Still a Fact

AT&T stands on established law with its revised — or clarified — policy, according to Norbert Kugele, a partner at Warner Norcross & Judd in Michigan. “It is not a great departure from what most businesses believe about customer records,” he told the E-Commerce Times. “There is nothing in the law that stakes out a different position.” Kugele drafts privacy policies for companies, although AT&T is not one of his clients.

There are limits to what a company can do with privacy records, he added. It cannot resell Social Security numbers, for instance — a protection provided under a different law. It also cannot sell or post the content of e-mails, thanks to the tenets of yet another law.

“There are no universal laws that govern privacy in this country,” Kugele said. “It is a patchwork of regulations.”

Chief among the regulators are the attorney generals of each state and, on the federal level, the Federal Trade Commission. The FTC, in particular, has been strict in enforcing companies’ privacy policies, as it views them as contractual promises with consumers.

For instance, should AT&T have expressly said in earlier privacy policies that it would never release customer data to the government unless there were a warrant or subpoena, EFF’s suit would have more weight.

New Data to Mine

The AT&T Web site has a TRUSTe certificate, noted Harold J. Krent, dean of the Chicago-Kent College of Law. That doesn’t have the force of law behind it, he told the E-Commerce Times, but AT&T would be loath to see it revoked for violating a stated privacy policy.

AT&T may have been motivated in part to issue the new policy in order to avoid legal action, according to Sharon R. Klein, partner in charge of Pepper Hamilton’s Orange County, California, office.

“The other part is because this information is very valuable, and AT&T wants to secure its right to it,” she told the E-Commerce Times.

Cable companies cannot share their customers’ viewing habits, thanks to a law that failed to foresee that telecom providers might one day also offer video or Internet services. “This information can be resold; it can be used to solidify AT&T’s presence in this market,” Klein said.

For her part, Klein believe that both AT&T’s information ownership claim or its statement that its revised privacy policy should be considered retroactive are controversial.

“If it is new information to the consumer, it cannot be revealed like that on a retroactive basis,” she pointed out. If it is a clarification, though, then AT&T’s policy should pass muster. “The legal dispute would be whether this was new information or a clarification. If this is litigated, it would be at that point.”

Klein expects some litigation will follow AT&T on this point; perhaps that is what AT&T and other businesses want. “I think it is safe to say that if AT&T can get away with this — then everybody will be free to do the same,” Klein concluded.