Poor Richard Goes to Washington, to Work on the U.S. Privacy Law

The privacy world has been abuzz about a great post on Brookings’ TechTank blog by Cameron Kerry and John Morris, Why data ownership is the wrong approach to protecting privacy.  Poor Richard was impressed with its pragmatism, and since the post was a precursor to two panel discussions, we thought we would give him a break from the state privacy law circuit and let him take in the capital, hoping that the candor of a fictitious Eighteenth Century pragmatic philosopher might jumpstart some activity. 

In the face of Congressional bills from both parties and statements from Silicon Valley CEOs that treat a consumer’s personal information as personal property that can be traded or withheld, the Kerry/Morris post argues for a more nuanced approach that regulates uses rather than encouraging the consumer to simply prohibit sharing:

"Treating personal information as property to be licensed or sold may induce people to trade away their privacy rights for very little value while injecting enormous friction into free flow of information. The better way to strengthen privacy is to ensure that individual privacy interests are respected as personal information flows to desirable uses, not to reduce personal data to a commodity.”

Trevor Hughes started the first panel off with a concise, careful view from the pinnacle (not position):  We are moving beyond Alan Westin’s view of privacy as control over the sharing of information about oneself, he offered, toward accountability of organizations for what they have and how they’re using it and the ability of consumers to access or delete or take their data. 

Poor Richard has to agree that the visions of Kerry/Morris and Hughes would work if people trusted the definers of desirable uses and the holders to account, if that were where we lived.  The reason all this is happening is because of a law that focuses everyone on a button on websites asserting CONTROL over the sharing of MY information, a button that is the 2020 equivalent of "I'm mad as hell, and I'm not going to take this anymore!"[1]  So the problem with Kerry/Morris is that in the context of 2019 politics, they’re dreaming; how can you take away a referendum opt-out process that is itself the political result of a very popular referendum from the angry electorate of the referendum state by telling them that preemption will allow federal regulators to make better choices for them?

Poor Richard predicts Congress will get nothing done this year, so we will probably have to live with that button through the 2020 elections, and see just what it does to digital advertising (California only) as well as data brokering (both California and Nevada).  But digital advertising is faring no better in Europe, where people believe more in those definers of desirable uses and holders to account; the French CNIL and the UK ICO have both just turned up the heat, so property or accountability/norms may be the frying pan or the fire.

Irony upon irony, the pain that lies ahead for digital advertising may be a major driver toward more thoughtful privacy regulation, but such non-control-based regulation may have to await the next progressive era in government.  Meanwhile, Poor Richard is asking us whether he should return to the laboratory of the states, continue on the federal beat, or travel abroad.  Let us know your preferences; we can’t control much about him, either, but we can at least direct his attention.  Happy 4th of July!

[1] As Hughes noted, Woody Harzog is the strongest current voice showing that personal control over information as a basis for privacy law is illusory and counterproductive, but Hartzog fully acknowledges control to be the foundation of the CCPA and its predecessors.  And the CCPA has a lot more to it than rage, of course; in a certain light, it even contains most of the "five critical elements of a model for propertized personal information that would help fashion a market that would respect individual privacy and help maintain a democratic order” developed by Paul Schwartz in 2004.


Knowledge assets are defined in the study as confidential information critical to the development, performance and marketing of a company’s core business, other than personal information that would trigger notice requirements under law. For example,
The new study shows dramatic increases in threats and awareness of threats to these “crown jewels,” as well as dramatic improvements in addressing those threats by the highest performing organizations. Awareness of the risk to knowledge assets increased as more respondents acknowledged that their