OREGON STATE UNIVERSITY

Researcher Studies Mobile Commerce, Recommends Privacy Enhancements

04/10/2008

CORVALLIS, Ore. – A new commercial environment is emerging that focuses on cell phones as a portal for business and for advertisers to reach consumers through their mobile phones. While this new market can provide many benefits, mobile advertising has the potential to plague consumers in similar ways to “spam” on the Internet.

According to a new study by an Oregon State University researcher, creating a business environment in which mobile commerce thrives will require steps to protect consumer privacy.

In the forthcoming issue of Federal Communication Law Journal, OSU’s Nancy King lays out the case for privacy practices along with government regulations that are needed to protect consumers in the new business context of mobile advertising. King is an associate professor of business law in the College of Business at OSU and recently was awarded a Fulbright fellowship to conduct European Union/U.S. comparative law research on privacy issues relating to emergent technologies associated with mobile commerce.

According to King, advertisers soon will be able to target messages directly to consumers’ cell phones. In addition, with the use of radio frequency identification technology (RFID) and global positioning systems, companies will be able to know the location of consumers at particular times. So you could be on your way to grab coffee, walk by a major department store and have that store scan your cell phone and send you a pop-up message generated by software on your phone that alerts you to a sale.

If you have “opted-in” to receive these messages, King says, you may be quite happy to receive them. But if not, they could be a real bother.

“The idea that location tracking technologies associated with your cell phone alerts the advertiser where you are, rather than you using your phone as a convenience to find information that you want – that’s a privacy issue,” King said. “Use of location data about mobile phone users by businesses raises important privacy concerns.”

King’s research is complex and far-reaching. Privacy concerns from a consumer perspective include the collection, use and disclosure of personal information and the generation of unsolicited mobile advertising, or mobile spam. From a regulatory perspective, mobile commerce involves numerous parties, including advertisers, mobile carriers, cell phone handset manufacturers, commercial databases that collect and sell consumers’ personal data, government regulators and consumers.

“There are private databases out there that are selling personal information – including consumers’ mobile numbers – without their permission, and in most cases there is currently no U.S. law to stop them,” King said. “Although there are currently no official cell phone number directories in the U.S., there are businesses that profit from selling cell phone numbers and other personal information without the cell phone subscribers’ knowledge or permission.”

King says mobile phone users should be concerned about the privacy implications of companies tracking cell phones and advertising directly to them based on personal information about the cell phone user, including location.

“To be able to walk down the street and be anonymous is an aspect of personal privacy,” she said. “But it’s also a personal data issue. Most people view their cell phone numbers as something they control; they give their cell phone number to people or not as they choose. However, if your cell phone number is published in an online directory or sold by a commercial database to an advertiser, and you haven’t given your consent for this, you are not making the choice to disclose your number, yet it is being disclosed for someone else’s profit.”

King has completed the first component of her study – a comprehensive and detailed examination of U.S. law related to mobile advertising and consumer privacy. Because a patchwork of U.S. laws at the federal and state level make compliance a challenging task for those in the mobile advertising industry, the study’s examination of current privacy laws that apply to mobile advertising is useful to businesses in order to help them understand the current regulatory environment. However the study goes further, assessing the strengths and weaknesses of existing federal regulation, identifying regulatory gaps that need to be addressed in order for consumer privacy to be adequately protected, and making a few simple recommendations to ensure basic privacy and data protection for consumers.

Some of the key recommendations include:

• Disclosure of cell phone numbers to third parties, such as mobile advertisers, should be prohibited without explicit consent from consumers on an “opt-in” basis. Consumers should also have the right to be consulted before their cell numbers are published in directories or made available on the Web.

• A multilayered method for distributing companies’ privacy policies should be adopted by companies engaged in mobile advertising, beginning with a short notice suitable for display on cell phones and linking to a complete policy on a Web site.

• Consumers’ privacy and personal data should be protected by companies through adoption of company privacy policies and mobile carrier-consumer contracts that promise not to disclose consumers’ personal information and location, without their express written consent.

Beyond these initial recommendations, which King views as “first steps,” more regulatory work is needed to create an environment that will protect consumer privacy in mobile commerce, yet enable the mobile advertising industry to grow. The regulatory tools chosen could include: industry-self regulation, privacy-enhancing technologies, government regulation, or some combination of the three.

King said the U.S. could learn a lesson from how the federal government dealt with the Internet in its early days. Initially the government hesitated and did not adopt baseline regulations to prevent consumers from being spammed or having their personal information misused or even their identities stolen, in order to give businesses a chance to regulate themselves. To this day, there are not adequate protections for Internet users, King said, and the result has been that consumers’ experience in e-commerce was not as positive as it could have been with adequate privacy and data protection in place.

In the next part of her study, King will look at how the European Commission (the regulatory body of the European Union) has addressed complex privacy and data protection issues related to mobile commerce and mobile advertising.

“Because there is general data protection legislation in Europe that has been in place since 1995, Europeans have a starting point that we don’t have in the U.S.” King said. “Instead, our legislation has taken a piecemeal approach to protecting privacy and data protection, as problems arise we adopt specific legislation to address them, but we lack general regulatory framework.”

King said U.S. businesses, whether small or large, have something to gain from effective privacy regulation for mobile commerce. Some businesses have been vocal advocates of having the United States adopt at least minimum privacy regulations, analogous to the general privacy laws in place in Europe. Many companies already follow these rules when they do business in other countries, and it would make it easier for them to have the same playing field everywhere. Also, even small businesses in the U.S. have privacy interests that would be protected by new mobile commerce regulations. For example, small as well as large businesses are vulnerable to having their employees’ time wasted receiving mobile spam.

“When we let market forces deal with Internet spam, and did not regulate it, it didn’t work, and we shouldn’t let similar problems discourage the growth of mobile commerce” she said. “Choosing a good balance of the available tools to protect consumer privacy is what it is all about, and I believe that will be good for business and consumers.”

To view a copy of King’s publication by the Federal Communications Law Journal, go to http://www.law.indiana.edu/fclj/pubs/v60/no2/King.pdf.

This journal is published by Indiana University’s School of Law and is the official journal of the Federal Communications Bar Association, an association of legal experts on communications law.