Dennis D. McDonald is an independent consultant located in Alexandria, Virginia. His services are described here. Application areas include project, program, and data management; market assessment, digital strategy, and program planning; change and content management; social media; and technology adoption. Clients have included HHS CMS, U.S. Dept. of Veterans Affairs, National Academy of Engineering, the World Bank, Catalyst Rx, the National Library of Medicine, and the U.S. Environmental Protection Agency. Follow him on LinkedIn, Twitter, and Google+.

By Dennis D. McDonald

Many companies benefit from the buying and selling of personal, financial, and medical information about individual US citizens. Usually these companies behave in a responsible, law-abiding fashion.

Sometimes, though, the controls they put in place to protect this personal information break down. We saw this happen recently when it was revealed that Equifax subsidiary ChoicePoint had sold information to a bogus company intent on fraudulent uses of the personal information.

As much as I am an advocate of privacy protection, I believe that, as far as the buying and selling of personal information are concerned, the genie is probably out of the bottle. Too many business decisions require access to some type of personal information. Examples are credit reports, medical information, and legal and security information. While there may be increased attempts to regulate the companies that trade in private information, ultimately I believe that there will need to be a balance struck between absolute access and absolute privacy.

Perhaps a change in intellectual property law could help the situation. Specifically, legal ownership rights of individuals could be spelled out concerning the credit, financial, employment, and medical information about them that is currently being collected, bought, and sold. Individuals could be legally recognized as the owners of information about them and their personal, legal, and financial relationships. On the basis of this ownership, individuals would then be in a position to control access to, and commercial exploitation of, their personal information.

Once the nature of this ownership is defined legally, systems and procedures could then be put in place to support management of access to this information by those who need it. Companies that make money from collecting, buying, and selling personal information would, in return for the individual’s willingness to release this information, pay that individual for the use of the information.

Here’s how I see this working. Legislation would be introduced to explicitly define the nature of ownership of certain types of information by individuals. Individuals should then be given the ability to define the level of access they wish to provide to their personal information.

Some may not wish to participate at all. That would be their right. Access to their personal information would be restricted and limited to certain governmental, national security, or public health uses, with appropriate safeguards to protect privacy.

Individuals who wish to allow the commercial use of their personal information would register with an appropriate “access rights” organization. This would be their public declaration of their willingness to allow for the commercial exploitation of their personal information. Any organization desiring to buy and sell information about these individuals would then need to check the registry to see what access level is being defined by that individual, and pay accordingly.

Such a system would have the following types of benefits:

  • It would explicitly recognize the desire of some people to prevent commercial exploitation of their personal information.
  • It would provide for an incentive – payment – for others who wish to allow the commercial exploitation of their personal information.

Some companies will argue that adding a layer of extra payment over and above the current fees associated with collecting and managing personal information would be an onerous burden. On the other hand, paying for personal information might actually encourage more participation and potentially may provide access to more (and more valuable) information.

I believe in the rights of an author, composer, or performer to control exploitation of creative works. I also believe that if someone benefits financially from buying and selling information about me or my family’s financial transactions or medical history, I should be able to share in that money.

I’m under no illusion that such an arrangement would provide a financial windfall for any individuals. I do know that, as the sophistication of marketing and sales technology grows, there will continue to be a drive on the part of merchants, vendors, and service providers to “personalize” what they offer me. They do this by storing and manipulating information about my habits and financial status. Some of that information they get directly from me, some they buy from vendors such as ChoicePoint.

I say, let’s cut to the chase. If a vendor of, say, home appliances wants to know my age, sex, race, income, religion, ethnic origin, sexual orientation, hobbies, dreams, hopes, and fears, I say, let the vendor pay me by using the “licensing” or “permissions” organization I’ve authorized to serve as my agent. The vendor’s information will then come directly from the horse’s mouth, so to speak.

There are many questions unanswered about such an arrangement. What kind of dollars are we talking? How complex would systems have to be to support this? How many people would opt in – or opt out? What kinds of information would be “reserved” by the government as being both essential to be collected – and private? Is “intellectual property” law an appropriate model for such a system?

I don’t know the answers to these questions, but I would like to give people some options that balance privacy and commercial interests.

Copyright (c) 2005 by Dennis D. McDonald 

Proposed: A Choice-Based Approach to Controlling the Commercial Exploitation of Personal Data