The Supreme Court is hearing arguments today on the case of Sorrell v IMS Health, arguing the merits of a law in some New England states to prohibit dissemination (selling) of prescription records to pharmaceutical marketeers. These records, purged of patient identifying information under HIPAA, contain the specific identity of prescribing physicians and dispensing pharmacists. The marketeers want to mine for information about who is dispensing what so they can direct marketing campaigns promoting their pharmaceutical alternatives. The doctors and pharmacists are demanding privacy protection.
This is an important case in the whole business of data selling — a critical, and presumed legitimate, use of your private transaction data by marketers to "personalize" your advertising experience.
I trust that, if the marketers lose and the states prevail, that this same principle can and should be extended to other areas — marketing certainly, but more importantly consumer credit reporting which is the scaffolding upon which the credit industry stands. Imagine what happens if credit bureaus are prohibiting from selling, or even collecting, your transaction data (billings and payments) from your mortgage firm, your auto loan company, Visa/Master Card/Amex, department stores and so on. Those credit reports — and the mysterious "credit score" — make the credit industry work. What happens if the flow of data is cut off?
What about those loyalty cards that stores use to offer you "discounted" prices? They are collecting personalized data about your shopping habits, and probably selling that info to product makers (Proctor & Gamble, Kraft, Coke, Purina, etc.) for their marketing. This "360-degree view of the customer" has been in play for several decades, but it depends on the flow of your personal shopping data out to the world. What you think is a private transaction between you and Target and Visa turns into a transaction shared with most of the product suppliers. You buy a 10-pound bag of Purina Puppy Chow at Pet Smart and you are suddenly inundated (at home and by email) with ads for dog products from Purina, its competitors and other unrelated suppliers and merchants. How did they know?
This may turn out to be an important case if the states prevail. My guess is that they will not, given the current court makeup and tendency to give for-profit business plaintiffs the advantage over private individuals. Still, I am curious about the nature of the arguments to be made.
The governing principle here lies in the answer to the question: who owns the data about me? When I enter into a private transaction with a store, does information about that transaction belong to me? to the store? to the credit card vendor? I believe the answer is "Yes" to all of these, but the answer is a clear "No" to each of these individually. Here’s what I mean.
Current practice is for the merchant to assert complete and independent ownership of this data. In line with this assertion, the merchant believes that it can do as it wishes with the data — publish it on the internet, sell it (as a non-rival product) or exchange it for money or data in kind, destroy it, re-use it internally. All of those actions can be taken with no permission from you, and with no notice to you.
But what are your rights to that data? Did you surrender this data — who you are, where you shopped, what you bought, how you paid, what you paid — did you surrender this data to the merchant with full license to do with as it wishes?
As case can be made — and perhaps, is being made in Sorrell v IMS Health — that the data is, in whole or in part, as much your property as it is the merchant’s. And because you have ownership in the data, as property, the merchant cannot do anything with it without your permission.
This is not a viewpoint that has traction in the business community. The data mining industry is huge, and every business is or wants to be a player in that industry. But the industry cannot continue if there is a constraint on the data.
Suppose, for example, that the merchant needed your permission for each piece of data it transferred to someone else? The sheer logistical burden would be overwhelming. And imagine if the data collector needed your permission to mix your data with others and then to sell the results? They wouldn’t do it. The cost would exhaust all possible benefit.
But cost aside — what’s the right thing to do here? Do you get real benefit from all this back-room data transacting that started with you? Could you live without getting personalized advertising in the mail? Could you shop just by making your own choices, without the merchant guiding you to "your" preferences? I’m betting you can.
So, cui bono? Who benefits? You started a transaction, gave up information about yourself in doing so (often without realizing it — any credit card transaction or loyalty card gives it all up), and got nothing back. Yet you started a chain of events that results in benefits and profits for companies and services you’ve never heard of.
Under good government, the question of ownership of data about me would be asked — and answered — openly. And if data is property, to be bought and sold, and I created the data by participating in the transaction, then the data is my property and cannot be sold without my permission.
It will be an interesting decision to watch.
Special thanks to Joanne for positing the ownership question in the first place. And acknowledgement to Seth Godin, whose "Permission Marketing" arguments got me started thinking about this 10 years ago.