"I'm not a lawyer. That's why I can see what the law is like. It's like a single-bed blanket on a double bed and three folks in the bed and a cold night. There ain't ever enough blanket to cover the case, no matter how much pulling and hauling, and somebody is always going to nigh catch pneumonia."1
As e-commerce has expanded and evolved over the past decade,2 so have methods of collecting, organizing, and analyzing the data that unwitting consumers make available to interested commercial entities as they venture through cyberspace. Commentators, courts, consumer advocates, policymakers, regulators, and e-businesses have struggled to imagine systems that could safeguard consumer privacy while maximizing commercial interests in capitalizing on the back and forth stream of information that constitutes the Internet.3 An assumption that commercial entities violate consumer privacy by collecting data from Internet transactions pervades the information privacy discourse,4 but in this Note I seek to interrogate that assumption by focusing on the actual processes through which consumer data are collected as well as the broader dynamics of the interactions between consumers and interested commercial parties.
While the wholesale aggregation and disposition of consumer data may well pose a viable threat to consumer interests in certain contexts,5 I have found that the extant schema of legal and extralegal checks on the manner in which commercial entities may employ Internet-derived consumer information is broader and more protective of consumers than is generally recognized. However, although these protections are broad, an examination of their imperfect and improvisational nature reveals that business interests still generally prevail over consumer interests under the current regime.
Nevertheless, I seek to demonstrate how certain privacy scholars exaggerate both the probability and the actual extent of harm suffered by individuals as a result of commercial data aggregation. It is my position that many privacy scholars make their case by overemphasizing the tenuous link between personal information and person/hood.6 By taking a measured look at both the context in which most Internet information privacy concerns arise and the existing system regulating the collection of such information, I attempt to expose some of the shortcomings of certain academic abstractions characterizing what is at stake with respect to consumer information privacy on the Internet.
After all, we are no more defined by the junk email in our inboxes or the ads flashing across our screens than we are defined by the junkmail in our mailboxes or the ads on television programs. Fundamentally, e-tailers are not too different from brick-and-mortar retailers-they just want to sell us stuff. Lots of stuff. More stuff than we need, if they can just figure out how to tell us what we need. Businesses collect consumer data so that they can more effectively market their products, not, as some would argue, to hijack our identities for any sort of dark, Orwellian purpose. While any such motives-if they existed and if a company were willing to follow through with them-would make for an engaging conspiracy narrative, once such motives made their way into public view, it would be very, very bad for business.
In this Note, I portray the nature and extent of information exchanged between consumers and "commercial websites"7 and information exchanged between consumers and third party advertising companies that commercial websites hire to manage their Internet advertising practices. I do not examine spyware or adware utilized by a certain fringe sector of e-commerce participants8 but instead focus on information technologies employed by more reputable companies. Nor do I give extensive treatment to the issues raised by information crimes such as identity theft, other than to the limited extent that the threat of identity theft arises in the context of transactions between consumers and commercial websites. …