The privacy world has been abuzz about a great post on Brookings’ TechTank blog by Cameron Kerry and John Morris, Why data ownership is the wrong approach to protecting privacy. Poor Richard was impressed with its pragmatism, and since the post was a precursor to two panel discussions, we thought we would give him a break from the state privacy law circuit and let him take in the capital, hoping that the candor of a fictitious Eighteenth Century pragmatic philosopher might jumpstart some activity.
In the face of Congressional bills from both parties and statements from Silicon Valley CEOs that treat a consumer’s personal information as personal property that can be traded or withheld, the Kerry/Morris post argues for a more nuanced approach that regulates uses rather than encouraging the consumer to simply prohibit sharing:
"Treating personal information as property to be licensed or sold may induce people to trade away their privacy rights for very little value while injecting enormous friction into free flow of information. The better way to strengthen privacy is to ensure that individual privacy interests are respected as personal information flows to desirable uses, not to reduce personal data to a commodity.”
Trevor Hughes started the first panel off with a concise, careful view from the pinnacle (not position): We are moving beyond Alan Westin’s view of privacy as control over the sharing of information about oneself, he offered, toward accountability of organizations for what they have and how they’re using it and the ability of consumers to access or delete or take their data.
Poor Richard has to agree that the visions of Kerry/Morris and Hughes would work if people trusted the definers of desirable uses and the holders to account, if that were where we lived. The reason all this is happening is because of a law that focuses everyone on a button on websites asserting CONTROL over the sharing of MY information, a button that is the 2020 equivalent of "I'm mad as hell, and I'm not going to take this anymore!"[1] So the problem with Kerry/Morris is that in the context of 2019 politics, they’re dreaming; how can you take away a referendum opt-out process that is itself the political result of a very popular referendum from the angry electorate of the referendum state by telling them that preemption will allow federal regulators to make better choices for them?
Poor Richard predicts Congress will get nothing done this year, so we will probably have to live with that button through the 2020 elections, and see just what it does to digital advertising (California only) as well as data brokering (both California and Nevada). But digital advertising is faring no better in Europe, where people believe more in those definers of desirable uses and holders to account; the French CNIL and the UK ICO have both just turned up the heat, so property or accountability/norms may be the frying pan or the fire.
Irony upon irony, the pain that lies ahead for digital advertising may be a major driver toward more thoughtful privacy regulation, but such non-control-based regulation may have to await the next progressive era in government. Meanwhile, Poor Richard is asking us whether he should return to the laboratory of the states, continue on the federal beat, or travel abroad. Let us know your preferences; we can’t control much about him, either, but we can at least direct his attention. Happy 4th of July!
[1] As Hughes noted, Woody Harzog is the strongest current voice showing that personal control over information as a basis for privacy law is illusory and counterproductive, but Hartzog fully acknowledges control to be the foundation of the CCPA and its predecessors. And the CCPA has a lot more to it than rage, of course; in a certain light, it even contains most of the "five critical elements of a model for propertized personal information that would help fashion a market that would respect individual privacy and help maintain a democratic order” developed by Paul Schwartz in 2004.
Disclaimer
While we are pleased to have you contact us by telephone, surface mail, electronic mail, or by facsimile transmission, contacting Kilpatrick Townsend & Stockton LLP or any of its attorneys does not create an attorney-client relationship. The formation of an attorney-client relationship requires consideration of multiple factors, including possible conflicts of interest. An attorney-client relationship is formed only when both you and the Firm have agreed to proceed with a defined engagement.
DO NOT CONVEY TO US ANY INFORMATION YOU REGARD AS CONFIDENTIAL UNTIL A FORMAL CLIENT-ATTORNEY RELATIONSHIP HAS BEEN ESTABLISHED.
If you do convey information, you recognize that we may review and disclose the information, and you agree that even if you regard the information as highly confidential and even if it is transmitted in a good faith effort to retain us, such a review does not preclude us from representing another client directly adverse to you, even in a matter where that information could be used against you.