Permissible Purpose

Permissible purpose.

It is a legal term. It has been used to regulate the use of certain kinds of sensitive data for advertising and other legitimate direct mail and CRM marketing purposes in the past. It was the core principle behind the Fair Credit Act of 1970 that holds organizations responsible for the proper use of consumer credit information.

As we set up to hear and (perhaps in part) judge two days of Congressional testimony from Mark Zuckerberg of Facebook – he released his prepared remarks that outline Facebook policies and the litany of actions the company has taken to secure the data they collect from users. To his credit, the prepared statement is pitched in a manner that recognizes the issues involved and the social responsibility that Facebook has going forward.

The position of Facebook may, in part, be summarized in one of Zuckerberg’s prepared remarks:

“It's not enough to just connect people, we have to make sure those connections are positive. It's not enough to just give people a voice, we have to make sure people aren't using it to hurt people or spread misinformation. It's not enough to give people control of their information, we have to make sure developers they've given it to are protecting it too. Across the board, we have a responsibility to not just build tools, but to make sure those tools are used for good.”

Through a certain lens this underlying statement may be about how Facebook plans to adopt responsibility for assuring that access to its user information will require that its advertisers and account holders have a beneficial “permissible purpose." Perhaps this loaded legal phrase should serve as a linchpin for first and third party data collectors and data brokers going forward.

Some would say the problem is that collection of data is allowed at all. Some would say that any collection, holding, or using, of the identity of a person for marketing purposes is the problem. Some would say that targeting any user without opt-in permission should be prohibited.

The challenge of overreaction is real when you consider the commercial impact and enforcement of a no-data, no-user information policy. In the online world are we ready to accept that the Freemium model is no longer possible? Are users ready to write off the discovery of the long-tail products, which are only made viable through the ethical application of online targeting? Does Facebook, Google or a retailer no longer have the right to cross-sell or promote advertising services to their first party account holders or search visitors? Are we ready to declare Internet advertising a region broadcast business model where only the big-boys can play?

Writing off consumer-based direct marketing as an opt-in only solution would not only crush Internet commerce – it would elevate all kinds of bad actors to enter into the ecosystem – perhaps poisoning the Internet well, and accelerating dysfunction.

Privacy is too important to ignore and it is too impactful to the consumer and the economy to simply have a protectionist response. Consumers, politicians and marketers need to embrace a rational and balanced approach.

Toward that end, marketers need to step up to a common code of conduct that requires “permissible purpose” in the collection, management and application of any user data. Marketers need to be transparent about it, and while erasing the user ID may satisfy the crowd at the moment, the balanced response may be to give consumers the ability to “adjust their settings” on what they are willing to share publicly.

At the moment, consumers need better assurance from marketers that the advertising being targeted their way is the result of a legitimate and good faith marketing purpose that was designed to benefit them. First party information that is beyond publicly available information about a consumer, should be restricted to those that actually have permissible purpose. The default owner of the data should be the organization with a direct commercial relationship in place with a user, and they should only be able to sell access to those users if they can guarantee a permissible purpose.

Consumers also need a clear path to opt-out – they always should be able to exercise their choice to opt-out in much the same way as they have the right to opt-out of telemarketing or the receipt of junk postal mail.

Finally, Congress needs to not take the bait. Overreaction or the exercise of partisan demons over 2016 will not help us address our privacy challenges. Congress should require that the Internet, and Internet marketers in particular, adopt an agreed upon code of conduct for user information where the collection and application of data always has a “permissible purpose” that will not place a user or their reputation at risk.