Self-help in the Privacy Arena

-- By NelsonHua - 06 Mar 2015

On February 28, the Obama administration proposed the Consumer Privacy Bill of Rights Act. The proposed bill, supposedly in recognition of the extent to which “Americans cherish privacy as an element of their individual freedom,” creates a system of notice and control regarding firms’ collection of user data. However, the bill, if enacted as proposed, lacks the regulatory teeth to compel a meaningful response from the private sector. This toothlessness is illustrative of the American experience with (attempted)consumer privacy regulations: a fundamental tension with freedom of speech bars more comprehensive, European-style schemes. In light of such well-placed free speech protections, what is needed is not a congressional statement of the importance of privacy, but collective actions signalling a demand for more protection.

The Bill

The proposed bill places the burden on industry members to develop “codes of conduct” on their handling of consumer information. Such codes of conduct are subject to a transparent, public comment period and review by the Federal Trade Commission on the basis of certain enumerated requirements. Through the practices embodied in their codes, industry members required to provide notice of data collection, offer some level of access and user control over one’s own individual data, and “responsibly” collect, retain, and use personal data.

At a glance, the proposal seems to at least recognize areas of inadequate consumer protection. However, the language is ultimately so couched in concessions and exceptions to industry that it would be unlikely to provide any sort of consumer relief. For example, the collection and processing of personal data that is “reasonable in light of context” is not covered by the bill. Likewise, the requirement of individual access to data does not extend to such requests that are “frivolous or vexatious.” The broad language establishing the standard by which the bill evaluates industry practices suggest that privacy is ultimately a secondary concern.

The bill has also been criticized as one that “would effectively codify bad behavior. By placing the ultimate burden of drafting codes of conduct on industry members, and even upon review, offering broad latitude in doing so, the bill establishes weak final guidelines of practice. Furthermore, in pre-empting (sometimes stronger) state privacy laws, it could very well have a destructive effect.

Where's the Teeth?

The proposal represents nothing more than a very limited nominal recognition that some level of privacy protection in the digital age is important. Its terms are far from comprehensive and lack regulatory teeth. Such a light-handed approach is thematically consistent with the U.S. government's historical approach to consumer privacy protection.

Why is this the case, particularly when entities like the European Union have passed much more comprehensive consumer privacy protection laws? In the U.S. the drafters of any such bill must consider tensions with the First Amendment. Regulating the use of data obtained through a contract between private parties poses a threat of abridging freedom of speech. Even an interest in an implicit Constitutional right fails to outweigh a right so explicitly guaranteed as the freedom of speech. Likewise, other possible compelling interest exceptions in this case are ones that threatens to swallow the rule. Perhaps besides including a non-preemption clause, the proposed bill does about as much as it is able to.

A more comprehensive response is not only undesirable as a matter of policy but also politically impracticable. The question of whether this proposed bill would pass is still open, let alone a more protective one. The lobbying power of the firms collecting the data as well as constituent apathy in practice suggest that it would not.

Towards a Solution

The problem isn't a deficient bill, but a populace that turns to Congress before contemplating its own contributions to the privacy dilemma. It is reflective of a society that is invested in the idea of privacy, but not actually concerned with violations in practice. In a sense, this “Bill of Rights” is actually in direct proportion with what society demands.

Individuals that "cherish privacy" should act accordingly and signal to service providers that they want contractual privacy protections. A surrender of one’s own self is a high price to pay for the marginal convenience familiar products afford. Consumers should practice self-help by protecting themselves through measures such as encryption and seek out alternative services that are either structured such that data isn't positioned for exploitation or those that offer privacy guarantees. Firms should be forced to choose between a thirst for data and the risk of alienating its consumers.

Advancing social norms that demonstrate a general respect for privacy is also important. This would include norms against private and governmental data collection (rather, surveillance).

Ignorance is no excuse. The “new technologies” are hardly new anymore. Private parties and government agencies alike have been very publicly exposed for practices that show little to no regard for individual privacy. Yet, the public largely engages in willful blindness. Many shrug or even shake their heads at the work of individuals such as Edward Snowden, and consumers continue to use the very products that they know violate their privacy rights, in fact handing them information directly.