What You Must Know About DRM

7 Step #1: Define the privacy expectations of the public and identify legislated requirements Privacy expectations of the public In a consumer context, the success of new technologies is invariably linked to public acceptance. Consumers will not accept a new form of technology if it is costly, difficult to use or violates their rights to fair use, freedom of expression and privacy. According to a recent Harris Interactive survey, 83% of American consumers would stop doing business with a company entirely if they heard or read that the company misused customer information. 23 A Forrester Research survey of both Americans and Canadians found that almost 90% of online consumers want the right to control how their personal information is used after it is collected. 24 These survey results should serve as a reminder to companies that the consumer should be treated as a "first-class participant." 25 The relationship between a company that uses DRM and the consumer should be based on trust, co-operation and understanding. This can be at least partly achieved by respecting the privacy rights of consumers. Legislated requirements From a legal standpoint, DRM technology is inherently cross-jurisdictional because it often operates within an online environment. Web sites that make digital products available for sale or downloading can be accessed from anywhere in the world with an Internet connection. As a result, the legal requirements for organizations providing goods and services that can purchased by consumers living in various jurisdictions are often unclear. The reality is that many companies that provide DRM-protected products, particularly on the Internet, are based in the United States. Currently, there is no comprehensive national privacy legislation in the U.S. that applies to the private sector. Congress has enacted sector-based privacy laws that apply to the financial and health sectors. However, companies that use DRM technologies to protect digital music, movies or books sold online are not subject to comprehensive privacy legislation that would apply to the collection, use and disclosure of a customer's personal information. Rather, individuals who believe that the use of DRM technology violates their privacy rights would have to rely on consumer protection statutes or in very limited cases, state privacy laws. However, companies that use DRM technologies should be aware that comprehensive privacy legislation exists in other jurisdictions around the world. In 1995, the European Union (EU) passed the Data Protection Directive, 26 which sets out privacy-protection rules for personal information held by both government and private-sector entities and aims to harmonize data-protection rules in the EU. The directive also establishes rules designed to ensure that data (i.e., personal information) is only transferred to countries outside the EU, where continued privacy protection is guaranteed.