It is not hard to compile a list of companies that have mishandled privacy. DoubleClick, US Bancorp, Toysmart, Microsoft, AOL, eBay and Metromail come to mind. There are plenty of others.
Qwest Communications jumped over a raft of competitors to put itself in the top three on the list of privacy-insensitive companies. Qwest's mistake in judgment and the consequences of its decisions are stunning in their scope. It angered customers, provoked regulators, attracted unwanted attention from politicians and undermined the company's own arguments before the Federal Communications Commission and the courts.
The problems began last year when Qwest began notifying customers of its privacy policy. Defining and disclosing a privacy policy should be a good thing for a company to do. It is not hard to have a balanced privacy policy that accommodates the concerns of individuals and still allows a company to make a profit. However, Qwest went too far. It told customers that their personal data would be disclosed to subsidiaries and to others unless the customers took steps to opt out.
Local telephone companies have lots of personal information about customers, including the type of service, address information, usage data, billing and payment history, telephone numbers called and more. Some of the data is the same as that maintained and disclosed by others. Some of the data is different. No other institution can produce a list of local telephone calls by time, number and name. That can be a particularly sensitive collection of data. Qwest apparently did not consider the sensitivity of the data that it maintains.
Qwest's privacy notice went off like a bombshell. Customers throughout its service area (much of the Western United States) were outraged. A quote from the director of the Utah Division of Consumer Protection summarizes the public's views: “The unhappiness with Qwest seemed to be pretty overwhelming. We got a lot of calls and most were unhappy that they had to take a proactive stand and notify Qwest they didn't want their information shared.”
The public objections produced reactions from the media and from state public utility commissions in Minnesota, Washington, Arizona, Iowa, Nebraska, Montana and others. In some states, Qwest's privacy gaffe was in the newspapers day after day. Privacy advocacy organizations had a field day.
Some states started or threatened formal actions that would force Qwest to change its policies. Sen. Paul Wellstone, D-MN, called on Qwest to adopt an opt-in policy. State attorneys general got into the act. There was even fallout in states where Qwest does not offer telephone services. Other companies, including Ameritech and Verizon, came under pressure for their privacy policies as well.
After defending its policy for a while, Qwest finally backed down. It withdrew its opt-out policy and decided to wait until the FCC completed its ongoing proceeding on the subject. Even the attempt to back out of the storm went awry. The press reported that Qwest continued to offer customer data despite the announcement of a policy change.
That is all pretty bad, but we have not come to the worst part. A few years ago, the FCC adopted rules governing the use and disclosure of customer information by telephone companies. The rules generally called for an opt-in. Qwest (which used to be U.S. West) challenged the rules in court. The federal court of appeals handed Qwest a partial but significant victory by overturning the rules and sending it back to the FCC for reconsideration. The court was not convinced that the FCC's opt-in policy was justified.
The legal and constitutional issues in the court case are too complex to discuss here at any length. One question that the court asked was whether there was sufficient evidence showing that the harm to privacy that would result from an opt-out rule (as opposed to the opt-in rule that the FCC wanted) was real. The court's ruling was based in part on a lack of evidence on that point.
An outcome of Qwest's poorly timed and poorly written privacy policy is to provide just the evidence that the court said was lacking. The strong response from the public and from state regulators underscores that the public cares about privacy and wants greater control over how personal information is used and disclosed. The degree of public concern will not go unnoticed at the FCC or when the case returns to the courts.
I do not know how or why Qwest decided to proceed with its privacy notice when it did. Based on other companies, I would guess that the marketers pushed to make greater use of customer data. When someone dangles the prospect of new revenues before management, it can be hard to argue for caution and for privacy.
Mix this with the lawyers, who can say what is legal but who usually have a tin ear for privacy, and the result can be a monumental mistake.
I have no way of estimating how much revenue Qwest expected to make using customer information. The cost to the company in bad publicity, poor customer relations and fighting battles in the states over new regulations must be measured in the millions.
Not every poor privacy decision by a company leads to such a spectacularly bad outcome. Still, it is amazing to see how often companies make the same mistakes.
