U.S. Rep Ed Markey (D-Mass.) has sent a letter to Disney CEO Bob Iger, asking questions about Disney's new MagicBands and their use, particularly regarding children and privacy.
I think some perspective might be helpful before anyone reacts to this story, one way or the other.
First, I believe it is entirely appropriate for lawmakers to be asking questions about new technology and its application in business. The last thing any of us should want is for legislators to make laws (or fail to make laws) in ignorance. They should be learning about new tech, and if it takes a letter to a corporate CEO to start that process, so be it. I also believe that it is entirely appropriate for our elected representatives to create laws that set ground rules about the application of technology, to ensure that it is not used to damage or destroy the quality of our lives. (And if we don't like the way our representatives are doing that, the solution is to elect different representatives, not to say that lawmakers should quit making laws.)
Also, keep in mind that lawmakers (and reporters!) often know the answers to the questions they ask. They're simply looking to get the person they're questioning "on the record" with a response. (I should note that Rep. Markey's office has helped get information for Theme Park Insider in the past, especially with the Accident Watch feature we started back in 2001.)
There's a federal law, called the Children's Online Privacy Protection Act, that prohibits businesses from collecting personal information online about children under age 13, without their parents' consent. That's why website registration forms almost always include a line saying "You must be 13 years of age or older to register" or something like that. Does COPPA apply to My Magic+? That's a fair question -- it uses wireless technology that might (or might not) be transmitted over the Internet, and there's definitely an online registration element to the system. If parents are compelled to give up their kids' identity and personal info to get access to Disney attractions, the government might choose to argue that's a violation of COPPA, as Disney would be taking away something it previously offered kids in retaliation for their parents not giving up their personal information. (FWIW, I think continued standby lines provide Disney an easy "out" here.)
That said, as a parent, I want full control of how my children use their Disney wristbands. I don't want Disney making decisions for me about my kids using charging privileges, and such, based on arbitrary age cut-offs. Let me decide. The spirit of COPPA was to give us parents that control for our children under 13. It's appropriate for members of Congress to defend that.
Two more thoughts, about privacy. First, about the use of personal information for marketing purposes. The big fear seems to be that companies are collecting all this information about what we do, write and share in order to send us more ads. It's true that companies crave information about consumers, but having worked with many advertisers over the years as a news publisher, I think it's worth noting that the primary aim of microtargeted ads is to stop sending advertisements to people who don't want them. Companies want to stop wasting their money buying ads seen by people who aren't ever going to buy the company's stuff. When microtargeting works, you get fewer ads you don't care about, not more. So the whole "advertisers are collecting information about you!" thing's pretty much a non-starter for me.
It's the non-marketing use of my personal information that worries me. And that's my second thought. I want some assurance that anyone tracking my day in a theme park has locked down access to that information so that it can't be used for any purpose beyond what I and the theme park have intended. Here's an example: A cast member sees a cute guest during the day, then logs into the park's reservation system to find out where that guest will be going in the park later in the day, in order to stalk him/her. That's creepy and potentially dangerous and I'm totally cool with Congress tightening laws to try to prevent that from happening.
So I hope that Rep. Markey's questions lead to some honest answers from Disney and show that the company's done the planning necessary to prevent problems with MyMagic+, FastPass+ and all of its NextGen initiative. This is some really neat technology that creates the potential to make theme park vacations into even more fun and engaging experiences. If Disney (or any other theme park company) is going to take this step, they ought to do it right.
Tweet
There I fixed that for you.
OK snark aside, I generally agree with your points. Initially my thought was that coming from such an established business as Disney, their lawyers would run through everything to make sure it is legal. They're not amateurs. But you raise good points that it may be abused in ways that law currently doesn't cover and it is good to find out what those ways are and perhaps refine the law. The biggest problem with crafting good legislation is that if it is too broad, then it can be misapplied, and if it is too narrow then loopholes can be exploited (consider the legal definition of "assault rifle" for a case in point of good intentions running afoul of reality). I personally hadn't considered your example of a CM stalking a guest, but I have a friend who really did encounter a CM that creepy.
And this is a violation of a federal statute? Please.
And I think that's the problem with most legislation. In this day and age, the spirit of any law doesn't really matter. It's the letter that gets all of the attention.
This whole bizarre Disney thing only brings one thought to mind. Data mining.....
I Respond: Really? You honestly believe that Disney's interactive NextGen technology represents a significant risk that participating families may be exploited by "a child predator."
Um ... okay.
(Chuckle)
So where's the crime spree?
From your perspective it should already be "easy to track the where a-bouts" of a family using the Old/EXISTING system.
After years and years and years and hundreds of millions of resort guests, where is the significant, documented, detriment?
1. Apparently Mr. Markey is doing what he is known for doing best---being a jerk and gadfly who just automatically assumes Disney either does not understand the privacy laws or will not follow them if it does. Typical reaction from him.
2. We really question the need for a system to reserve a ride. This takes all spontaneity out of the Disney experience and if it means longer waiting in line for an attraction because they are allowing people to reserve rides months or weeks in advance, then people like us will just stay home. The trips to WDW are costly enough as it is. To put up with a system like this would be the final straw.
Shall we use the Google example?
http://www.reuters.com/article/2012/01/27/us-google-privacy-idUSTRE80P1YC20120127
"The lawmakers said the announcement raises questions about whether consumers will have enough power to opt-out of data sharing systems. They also asked what security steps are being taken to ensure the safety of customer data."
http://news.cnet.com/Judge-Google-must-give-feds-limited-access-to-records/2100-1028_3-6051257.html
In a move that alleviates some privacy concerns, a federal judge granted part of a Justice Department request for Google search data but said users' search queries were off-limits.
---
Thus the data collection problem is two-fold, actually three-fold.
1. Is Disney providing sufficient privacy protections for their customers?
2. Since the data is collected, will Disney be forced to give the data to the Federal Government if so ordered? (Contradicts what lawmakers are concerned about.)
3. (Not in the articles) I heard Google has been giving the customer data to the government all along.
4. Insider customer data leakage. What do you do if a rogue employee decides to use this information?
http://www.campussafetymagazine.com/Channel/Mass-Notification/News/2008/04/14/NY-Hospital-Employee-Admits-Stealing-Selling-Patient-Data.aspx
"NEW YORK – A former admissions department employee of New York Presbyterian Hospital/Weill Cornell Medical Center confessed April 11 to stealing the personal records of nearly 40,000 patients and selling the information."
But Anon Mouse asks some reasonable questions:
1. Is Disney providing sufficient privacy protections for their customers?
Has their existing system been deemed inadequate -- lacking protection from external invasion? And what information does the NextGen program provide a thief that is more tempting than the names, addresses and credit card numbers that are already in Disney's system?
2. Since the data is collected, will Disney be forced to give the data to the Federal Government if so ordered?
I'm not sure. But here's the link to Disney's privacy policy.
http://corporate.disney.go.com/corporate/pp.html
3. (Not in the articles) I heard Google has been giving the customer data to the government all along.
Okay. And ...?
4. Insider customer data leakage. What do you do if a rogue employee decides to use this information?
It's already happened:
"Former Walt Disney resorts employee Ana Rosa admits that she used various credit card skimming devices to steal bank or credit card numbers from traveling tourists—all while she worked for Disney in the role of receptionist for Disney's Saratoga Springs and Old Key West resorts."
But that incident was certainly not unique to the Disney system. Credit card numbers can be stolen at any business. In the Disney case, the thief was caught and sent to jail.
That is the unknown. If you're aware of the hacking activities from "Anonymous", nothing is safe ANYWHERE for anyone that draws their ire.
"I'm not sure. But here's the link to Disney's privacy policy."
Which means what(?) if the court orders Disney to hand out customer data? It means your customer data is in the government's hands to use at its pleasure.
Read here "Please keep in mind that when you provide information to us on a third-party site or platform (for example, via our applications), the information you provide may be separately collected by the third-party site or platform."
Are you naive to think a third party is capable of keeping your data safe?
"Okay. And ...?"
I suppose this is your attitude for #3 and #4. Customers beware. Your data isn't as safe as you expect.
If I check into a Universal Orlando resort or a Holiday Inn in White Plains, New York why should is the onus on the Disney system any greater when "nothing is safe ANYWHERE for anyone that draws their ire"?
I know I am missing something here and I'm hopeful that someone can slap me into consciousness.
Anon Mouse: "Customers beware. Your data isn't as safe as you expect."
I Respond: I could not agree more!
This article has been archived and is no longer accepting comments.
