Evan Schuman's StorefrontBacktalk

But in reality, what we have is a situation where thousands of companies simply post privacy policies on their Web sites, embed them in applications, send them in multipage notices or obscure them in one way or another, knowing that consumers have neither the time nor the inclination to read them. This may be fine for the ordinary day-to-day transactions. But when a Web application or a device gathers information that most reasonable people would consider to be intimately personal, or whether it uses that information in an unusual way, the ordinary “simply click here” of day-to-day life may not be sufficient.

The application in question authenticates a user and his or her device by gathering information about how the user has used the device. Thus, if you use your cell phone as an authenticating device, the payment system will examine how you have used the device, who you have called, who your most frequent contacts are, what applications you have installed and how often you have used them, and then essentially create a digital signature of the phone and its user.

This type of data analytics reveals much more about the user than simply the fact that he or she isn’t an authorized individual. The contact information, frequency of use and other personal information could certainly be used by the authenticator to market to that user’s friends and relatives, to develop a profile of his or her personality, to learn whether or not that person is having an affair and a host of other personal information. When you decided to opt into a mobile payment system, did you really think that this was what you were buying?

Another problem with this system, like Target’s CRM data mining, is that it’s all or nothing. If you don’t like my privacy policies or you don’t like my settings, well, find yourself another mobile payment system or get out of the loyalty program. It’s my way, or the highway. In many cases, the consumer either has no choice or the available choices are so limited that it amounts to virtually no choice.

As a result, the permanent loss of intimate privacy ends up being a cost of doing business in a modern society. Once this privacy is lost to a specific merchant, it may be lost to all merchants and to other third parties. We can all anticipate a situation where, once the payment system has authenticated you, law enforcement or other government agents can now collect that information from the merchant in furtherance of some legitimate investigative need. Privacy, like virginity, once given up cannot be restored.

So for companies that are thinking of gathering intimate information, or information about which they believe consumers might be squeamish, I suggest there be a super opt in. In addition to the normal privacy policy containing a host of terms and conditions that no consumers are really going to read, if you truly want the “benefit of the bargain” with the consumers willingly giving away their privacy in return for some feature, then I suggest you tell them about it in bold print with capital letters in a 14-point font and throw in a few exclamation points while you are at it.

If you are collecting the names of consumers’ friends and relatives and intimate personal information, and using information for unusual purposes or other “non-standard” uses, then I suggest you tell your customers. Something like, “Hey, this is not the ordinary privacy notice. This is important.” might work, although I am not sure customers would even read that. What you really want to do is make sure customers really do know what they are getting into.

If you disagree with me, I’ll see you in court, buddy. If you agree with me, however, I would love to hear from you.