Opt-in vs. Opt-out

Sarcasmo writes: "The Internet Law Journal has a very in-depth piece on the issue of opt-in vs. opt-out that takes on the good and the bad from both sides. How the current situation will (or will not) be handled, will depend on what conclusion lawmakers come to on this core debate. An opt-in requirement is TILJ's conclusion. What's yours?" This is a good, well-reasoned analysis - exactly the type of analysis that holds no weight in legislatures.

Opt-out is a cop-out.

Just a friendly public service reminder for those of you in the USA:

When your bank or brokerage sends you a copy of its privacy policy, full of ambiguous language, and saying "Since we protect your privacy, there's no need for you to opt out of our information sharing among our family of companies", do two things:

1) Opt-out. Yes, it means writing a letter and putting a stamp on it. Deal with it.

2) In your letter, mention that you're opting-out because it's your only option available under the law, but that you're doing so under protest - and that you consider anything less than opt-in a violation of your privacy rights. Congratulate the bank on coming up with a wording ("information sharing") that sounds so harmless that most consumers are unlikely to realize what it really means.

3) Print out a second copy and send it to your Representative and Senator. Use proper "Cc:" snail-mail etiquette -- you want your bank to know you're telling your Congresscritter, and you want your Congresscritter to know that your bank knows.

Thank the critter (especially if he or she voted for it) for the new privacy law that's forced banks to do this very small ("opt-out") notification. Tell them that you realize the bank (or more accurately, the DMA, on request of its members) to use a low response rate to this "you have an opportunity to opt-out" mailing campaign as "evidence" that the consumers really do like to eat their spam, "or they'd opt-out, but since 0.00001% actually bothered to opt-out, the other 99.99999% must like receiving special offers through the mail and telephone and email!".

Tell your congresscritters that silence does not imply assent.

You know the argument's bogus. But the DMA, with millions of dollars in lobby funds, is gonna try to make it. And they'll succeed, unless you - yes, you there, behind the keyboard - get off your ass and do something.

Silence does not imply assent. But the DMA is going to try very hard to convince your congresscritter that it does.

The logical response is to deny the DMA the silence it needs to pull off the scam.

Re:Privacy Is Fragile

Now I get regular calls from companies associated with this marketing firm on my cell phone. This in spite of the fact that I have twice demanded that they remove all references to me from their database. We've now sent them a registered letter demanding they do so.

KACHING!
They owe you $500/call. It is illegal to telemarket cell phones. See Junkbusters [junkbusters.com]

Fraud Detection

The Direct Marketing Association (study) makes an interesting point:

Since an "opt-in" approach reduces the amount of information available to sellers regarding the consumer's preferences, spending habits and typical behavior patterns, it hampers sellers' efforts to detect "unusual" purchases and alert the consumer to possible fraud.

Several months ago, we set up a tiny business and visa merchant account to do a bit of e-commerce from our little web site, and since then we've had a couple attempted fraudlent transactions. This is a brief story about what information we have available as a (tiny) merchant, with the current state of today's information sharing.

When we get a suspicious transaction, which usually means the shipping and billing addresses are very different, the first thing we do is stall. Normally we process the order in the afternoon when there's just enough time left to get to UPS or the post office (but since this is only a part-time effort, sometimes I'll do it at lunch time or some other window of opportunity... worst case in the next morning before work). For a suspicious order, stalling a day or two and then attempting to run the credit card almost always ends up in the card being declinded. Often times we'll get transfered to an operator who instructs us to hold the card (not give it back to the customer), but since we only do on-line orders and don't have a brick-n-morter store, that's not possible.

A couple months ago, we had a very interesting fraudlent transaction that didn't get declined. Robin immediately recognized that it was similar to another declined card from a few weeks prior, where the shipping address was to Indonesia and a billing address in the US, where the billing name was an anglo-sounding name, and the shipping name was the same last name, but an obviously eastern sounding first name. The order was placed on a Friday, so we waited and ran the card Sunday evening. We expected it to be declined, but it went through.

Now at this point, a giant database of all the spending habits of every card holder (or at least the one for this particular card) would be nice. I'm sure lots of people at the Direct Marketing Association dream of such a database, as is eluded to in section 1.B of the article, but the sad fact is that as a (very small) merchant, all we have is whatever information the customer typed into the form on our web site, and the phone number of our bank and credit card processing company (Nova in our case).

So, Robin called the bank, and not quite knowing exactly what to do, she said "I've got a transaction here that I'm not very comfortable with". They did the usual address verification, and the US address we received didn't match the card's billing address. The bank will never disclose the card holder's actual billing address... you only get "match", "partial match" or "no match". The operator did actually disclose that the zip code matched. They couldn't do much more, but they gave Robin the number of the bank that had issued the card.

Then Robin called the card holder's bank, and started a similar "I've got a questionable transaction here" conversation. They were really glad that we called... they really like it when merchants call if they see anything unusual. Again, the bank would not disclose any details to us about the card holder. They would not disclose any specific details about the card holder's purchase history. They did look into the history and warned us that the card holder had contested the charged from several internet-based purchases. The bank had the card holder's phone number on file. They would not give us the phone number, but they called the card holder for us and transfered us into the call. The woman wasn't home, but Robin got her answering machine and left a message with our number to call and confirm that she had actually placed an order with us.

By the next day we hadn't heard back, so we reversed the charge to the card and sent an email to the contact address that we could not process the order due to having the incorrect billing address, and that we would process it when we received a voice phone call.

As compelling as the Direct Marketing Association's arguement is, that a giant database of consumer spending habits would be useful in combatting fraud, the truth is that there is already a pretty good system in place that doesn't disclose almost any private information to merchants. The banks have this information, and they automatically monitor spending patterns on all credit cards and place a hold on cards that appear to be abused. Anyone who's made a few large purchases in a row has probably received a call from their bank to confirm. When a merchant has a questionable transaction, they can call their bank and ultimately the customer's bank. While the banks won't disclose virtually any private information about the customer, they are very helpful when it comes to detecting fraud. In almost every case, they manage to decline new transactions when there's been unusual spending patterns, and in the rare cases where the bank hasn't already placed a hold on the card, they are very helpful and effective without disclosing the card holder's private information.

How do I opt out of zillions of email addresses?

I have zillions of email addresses. Since I own whole domains, any username on any of them used exclusively for myself will come to me. So I should have a right, under an opt-out system, to opt-out of them all, right? If the opt-out system won't take domain wildcards, then I have no choice but to opt-out of each and every discrete address, in advance. Assuming usernames are made from just English letters and decimal digits, and run up to 8 characters, then I will need to do 2901713047668 opt-outs. That overflows an unsigned 32-bit integer 675 times. Then there are usernames with dashes, dots, underscores. And they can be longer (I've used as long as 60 and I bet it can go way more than that). Oh wait! I also have zillions of subdomains, too, with the power of wildcard DNS entries that have MX records.

In order to opt out just with that number I gave above, and to get it done within a year, I'd have to send in, and they would have to process, 91951 opt-outs EVERY SECOND of the whole year!

Privacy Is Fragile

As a person who has been the victim of having their personal information sold to a marketing company of questionable repute (look up "MemberWorks" sometime) without my permission, I can testify to the fact that once your personal information is "out there", you're pretty-much hosed.

I made the mistake of giving my cell phone number to a catalog company I ordered from around Christmas-time, so that in case there was a problem with my order they could easily contact me. (Since the present was for my wife, I didn't want to give my home phone number.) Now I get regular calls from companies associated with this marketing firm on my cell phone. This in spite of the fact that I have twice demanded that they remove all references to me from their database. We've now sent them a registered letter demanding they do so.

Not only that, but this MemberWorks company started charging my old CC account for services I did not order. We quickly cancelled that CC and got a new one. Looks like I'm going to have to change my cell phone number as well :-(. Which means notifying all my friends and business contacts of the new number. Some of whom I'll no doubt miss.

So when the DMA self-servingly argues that "opt-out" provides even the same, much less better, consumer protections, I can tell you from personal experience they're blowing smoke out their collective posteriors.

Re:Spam control

While I agree with you - it'll never happen in a form that is useful. Its hard enough to track spammers as it is. And we all know that by the time legislation actually gets out, it has so many loopholes it is useless.

THe other problem? No legislature in the world is gonna pass a bill with stiff enough penalties - non violent crimes like this always get slap on wrist punishments. So a spammer figures heck - IF I manage to actualyl get caught, I'll pay the fine and keep spamming.

Even if Congress passes a USEFUL law (imagine that), the spamming will all move overseas where we can't do squat.

--

Re:didn't know

They will try to claim that the person didn't put it down, didn't understand. Or it was the wrong department.

Doesn't matter. You can ask the phone company whether or not something is a cell phone or not. It is illegal to telemarket a cell phone, PERIOD.

From the TCPA (emphasis mine):

No person may Initiate any telephone call (other than a call made for emergency purposes or made with the prior express consent of the called party) using an automatic telephone dialing system or an artificial or prerecorded voice, To any emergency telephone line, including any 911 line and any emergency line of a hospital, medical physician or service office, health care facility, poison control center, or fire protection or law enforcement agency; To the telephone line of any guest room or patient room of a hospital, health care facility, elderly home, or similar establishment; or To any telephone number assigned to a paging service, cellular telephone service, specialized mobile radio service, or other radio common carrier service, or any service for which the called party is charged for the call;

Opt in works in Europe

Contrary to the DMA's claims, opt-in works fine in Europe. The costs claim is utterly false. There is no difference in cost maintaining an opt-in database over an opt-out database. The reason the DMA hates the idea of opt-in is because most people would not opt-in and their business would crash.

Lost profits do not equal 'costs'. What the DMA calls costs are in fact lost profits.

The idea of opt-in requiring more direct mail is another deliberate falsehood. In Europe there is a box to tick on the original sign up, leave it blank and you are opted out. When the privacy directive came into force there was a long phase in period. The idea opt-in would generate more mail is a deliberate lie.

All 'opt-in' amounts to is attaching an implicit provision to every consumer contract that stipulates that the information provided is confidential.

In Europe the banks and credit card companies keep their customer's balances and purchases secret. They consider themselves to be under the same duty of secrecy as a lawyer. In the US this information is considered fair game to sell to anyone the bank chooses.

Most successful dotcom companies have made an issue of protecting their customer's privacy.

The only reason why the US is resisting European style privacy laws is the vast quantity of campaign bribes. Once privacy becomes an issue however the Congress types won't stay bribed and compete against each other to pass the most draconian privacy bill and claim ownership of the issue.

Opting Out: A Hobson's Choice

I have always opted out whenever I can, but I've always felt strange about it. It's like I'm going to the company, and saying, "Here's all the information you guys want to give your advertisers: my name, address, phone number, and email address. Now, please don't use it."

Call me crazy, but I just don't trust that my info won't "accidentally" find its way into some other database, somewhere.