I. Why Does Privacy Matter?
Every day brings new concerns about data in the online realm. From high-profile hacking incidents to issues around the use of personal information, our migration to digital platforms has tested traditional ideas about privacy. These developments also affect musicians and fans, especially as music is increasingly accessed via mobile devices, “apps” and social networks.
Future of Music Coalition has always been interested in issues at the intersection of music, technology, policy and law. So, while we may not have the expertise to “solve” the issue of privacy in digital music (and we’re hardly alone there), we do feel that we have enough of a stake to join the conversation. This article will hopefully be useful to those who have questions, concerns or are just plain curious about where the issue may be heading. To a large degree, we’ll be focusing on the mobile space, due to the explosion of popular music-related apps.
Among other things, the development of the internet has allowed artists to connect directly with fans. This is very different from previous versions of the music business, where musicians’ access to audiences was limited and tightly controlled. Today’s digital environment allows both established and developing artists to do everything from market and sell product to route tours to build anticipation for upcoming releases, appearances and more. Much of this is accomplished through the collection of certain information. We also recognize that the ability for digital services to make money from user data could go some way towards attracting greater investment in music.
Large-scale data collection can be extremely beneficial to leverage fan interest in the most efficient and effective manner possible. Likewise, technology platforms harvest user data to create revenue beyond their core services. Yet many musicians and fans have yet to consider what such activity means for individual privacy and information security. Some artists are certainly ready to start asking the question, however. At the 2009 Future of Music Policy Summit, musician Erin McKeown voiced concerns about data collection that have only become more relevant as technology progresses. McKeown isn’t entirely comfortable when websites and applications collect and use information based on her internet browsing. She is even more worried about sites that she directs her fans to which may have dicey data collection practices. What should the standards be for collecting third-party user information? How much transparency in data collection policies is appropriate? How is the data shared, and with whom? What is the tradeoff between investment, utility and informational security?
We know that some data collection is reasonable and consumer friendly — who doesn’t like it when Amazon recommends what else you should buy with that DeVotchKa record? Still, with so many uncertainties around data collection, we thought it prudent to examine privacy and technology as it applies to musicians. We hope this aids artists in their cost-benefit analyses when it comes to choosing potentially useful applications and services.
We will begin by examining privacy policies in terms of their basic structure and scope. Clearly, our review is not meant to be comprehensive, but we hope to give readers a better sense of the landscape. Second, we will explore the practical impact of these policies on users. Finally, we will offer some constructive options to consider for musicians who are concerned about their online privacy and that of their fans.
II. Current State of Privacy Law
At present, US privacy law is very fragmented and confusing. Even the definition could benefit from clarification. Generally speaking, “privacy law” is an umbrella term that covers many different areas — everything from how the government collects and manages personal information to Constitutional restrictions on laws regulating individuals’ private lives. For the purposes of our discussion, we will focus on personal privacy online: what protections are in place for individuals’ personal information as they interact with companies, other users and anyone else they may encounter on the internet.
Personal privacy protections online are further divided into those governing internet use by children and those that apply to adults. Websites and apps that target young children are regulated by laws like the Children’s Online Privacy Protection Act (COPPA), which restricts the types and amount of information these websites can collect about their minor users. For adult users, however, there are no federal legal protections in place. Instead, the privacy framework is made up of a patchwork of state laws and some industry “best practices” that are essentially suggestions for self-regulation, not actual legal rules.
Without federal laws protecting user privacy online, can websites do whatever they want with regard to their users’ information? The answer is “sort of,” and this is where things get tricky. Some states, for instance, have laws that dictate how websites may use information collected from individuals who are residents of that state. Utah and California require businesses (both off- and online) to disclose to customers, in writing, the types of personal information they share or sell to third parties for direct marketing purposes or for compensation. Some states also require websites to have (and abide by) privacy policies with certain baseline requirements. Other states, however, don’t have any online privacy protection laws at all.
Despite a lack of legal consistency, some industry standards, including those adopted by many website operators on a voluntary basis, have evolved. Several organizations issue “badges” or “certifications” for websites they believe meet favorable privacy standards. There are different variations of industry standards, but they are all generally based on the Organization for Economic Cooperation and Development (OECD) guidelines established in 1980. Note that the OECD principles are “guidelines” — not actual laws — so private entities that operate websites don’t have to obey them, and the FTC has no power to force them to do so. Still, the guidelines provide a helpful framework for websites that wish to protect their users’ information, and they continue to shape the way policymakers think about online privacy when proposing new legislation or other regulations.
Keep in mind that the privacy laws, regulations and concepts mentioned so far have been geared toward websites that individuals access through computers or internet browsers via a traditional online connection. An ongoing debate asks whether the same privacy practices and standards should translate to mobile devices, as well as the applications that run on these platforms. As this article largely focuses on the latter environment, our analysis in many ways is even more uncertain. Nevertheless, we’ll do our best to analyze this evolving landscape.
III. Privacy Policies
a. What do They Contain?
People can access music on their mobile devices in a host of different ways. Here, we are primarily interested in the privacy implications of mobile apps that involve creators putting up their own work and then asking their fans to access the work via their mobile phone. This brings applications like Bandcamp and Soundcloud to mind. Musicians also ask fans to interact with apps that deal more concretely with sensitive information such as Square, a credit card processing app that allows for transactions to take place via mobile phone. Later we’ll take a look at specific language from privacy policies. For now, we’ll try to shed light on several basic privacy questions: who is collecting data, what data is being collected and what can that data be used for?
Privacy policies primarily address two types of data collection: personally identifying information (PII) and non-personally identifying information (NPII). These terms are defined by the companies who run the specific websites and applications; however, there is a set of generally used terms which typically fall into one of the two categories. Things like your name, credit card number, email address, home address, phone number, picture and website URL are usually considered PII. However, there are some discrepancies as to whether data such as your location are PII or NPII. After identifying what information falls into which category, privacy policies outline what they intend to do with each type of data set.
Two ancillary points are worth making as well. Privacy policies generally say that they are subject to change at any time without warning; typically, they give a “last updated” date and it is worth re-checking privacy policies every so often. Second, privacy policies that say they will not sell or rent your information to other organizations usually stipulate that the data is itself an asset of the company. This means that, on the occasion of the sale of the business, data may in fact be sold along with the company. A question on this latter point, therefore: what if a credit card processing company decides to sell itself entirely, including its data, to a company that is not another credit card processing company but rather a different kind of company entirely, such as a data mining company?
At the end of most privacy policies, the website or app acknowledges that you, the consumer, may opt-out of giving the entity your information; however, that opt-out is sometimes contingent upon you receiving less than optimal service from the app or, sometimes, asking you to not use the app at all. So, with privacy policies being opt-out, subject to change and malleable depending on ownership of the company, it pays to stay abreast of terms for the online services that you use. In the next section, we will explore specific examples of some of the types of privacy policies mentioned above.
b. What is the Practical Effect?
Perhaps the most common issue arises when privacy policies provide different definitions for critical terms that appear in the policies of many services. The result is that Apple, for example, does not consider information like a user’s location and the identification number of his personal device (phone, computer or tablet) to be personally identifying information, while privacy policies of some apps sold in Apple’s App Store and that run over its operating system may specify that such information is PII. This is confusing to users who see the term “personally identifiable information” and assume it has the same meaning across privacy policies. It is even more confusing when the definition of that term seems counterintuitive, such as location and unique device ID not being considered identifying.
IV. After the Fine Print
a. How Can You (at Least Sort of) Protect Yourself?
The first step in privacy protection is education. By becoming aware of the possibilities that exist for different types of privacy policies, there is less of a chance that you will be surprised by outcomes. Choosing mobile apps based upon their privacy policies is always a cost-benefit analysis, and it is not inherently unreasonable — or inequitable — for apps to collect a certain amount of data from you as a musician or fan. The most important thing to focus on is your own comfort level. Choosing to not use products whose privacy policies do not align with your own personal ethics does not necessarily foreclose you from participating in today’s music marketplace (although a very stringent approach may make it more difficult). If you utilize and support apps with privacy policies that you feel comfortable with, there is less of a chance that your friends, family and fans will take issue with your digital presence.
Remember, you have the ability to opt-out. While it may sound like a hassle to have to contact each particular service you use and ask them to not collect your data, it could address some of your main concerns. If opting out leads to you not using a particular mobile app, do not fret. At this point, privacy is beginning to become an aspect of product differentiation. Your choice could help to create an environment where apps with more consumer-friendly privacy policies will be more successful than those that do not. And why not ask your fans how they feel? After all, you’re all in it together in this brave new world of content and information exchange.
There is always the possibility that Congress will act to clarify some of these issues. However, as we previously mentioned, there is no federal privacy law that really touches data collection online — particularly for the world of mobile apps and services. However, there may be state-specific laws that apply to you and your fan base living in a particular area. It may be worth looking at those laws as you further your understanding of this subject.
Now let’s look at the reality of the entire situation. Don’t worry, it is not really that bleak.
b. Privacy Policies Aside, How Safe are You Online?