Choice permeates nearly every facet of American life. We celebrate our freedom to voice a preference with every election and every episode of American Idol. We also want a choice in information privacy– the power to dictate exactly how our personal data is collected and used.
In a recent Foreign Affairs note, Ann Cavoukian, former Information and Privacy Commissioner of Ontario, Canada, put it this way: “When it comes to regulating privacy, let the people decide.” This concept of privacy as choice originated with Alan Westin, in his groundbreaking 1967 book Privacy and Freedom. He defined privacy as “…the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.
The reality, however, is that pervasive data gathering and analytical techniques fueled by advances in communication and information technology are rendering true data democracy obsolete.
The idea of letting the people decide is appealing. We each have different ideas of what should and should not be done with our information, and we all seek some level of protection from prying eyes. With that, policymakers developed a “notice and choice” framework, requiring people to decide at the point of data collection whether they accept the specified uses of their information.
The limitations on this approach are, by now, obvious. In practice, it means providing consumers with incomprehensible legalistic privacy policies, which no one reads, but that are treated as “informed consent” for companies to do as they please. One study estimated that if an average consumer read the privacy policies of all the websites they visited, it would take 224 hours a year.
The problem is only getting worse as the Internet of Things continues its rapid expansion. When refrigerators, automobiles, smartphones, and just about every object in daily life are all equipped with communications capabilities, it will be impossible to execute a privacy framework in which consumers can examine all the possible data uses before information is collected.
In today’s world of pervasive data collection and use, this blind insistence on a data democracy provides only the illusion of individual control. It is a fake mechanism of autonomy, offering no real consumer protection.
There is an alternative. Years ago, former Obama Administration official Danny Weitzner put it this way: “Consumers should not have to agree in advance to complex policies with unpredictable outcomes Instead, they should be confident that there will be redress if they are harmed by improper use of the information they provide…”
A reform movement is gaining steam. The goal is to prevent consumer harm—to ensure that information is not used in a way that is adverse to an individual’s legitimate interests. The basic concept is to make companies and institutions responsible for how they use collected data. There will clearly be some role for consumers in this regime, but they will not be the only, or even the primary, agent of enforcement.
The Obama Administration’s recent big data report moved in this direction, recommending that policymakers “look closely at the notice and consent framework that has been a central pillar of how privacy practices have been organized….” The accompanying report from the President’s Council of Advisors on Science and Technology is more direct, urging that “policy attention should focus more on the actual uses of big data and less on its collection and analysis.”
The answer is to focus on vigorous enforcement of existing laws that have proven effective at governing the collection and use of personal information. Policymakers and regulators must be vigilant in monitoring business activity to make certain our legal framework offers adequate consumer protection, and they should consider new restrictions on data collection and use only when real consumer harm is proven.
While it may sound paternalistic to have consumers protected instead of actively protecting themselves, the era of privacy notices has passed. Every new innovation in the Internet of Things provides another crack in the illusion of data democracy. It’s time to move beyond this outdated notion — just as it would make no sense for each of us to become our own meat inspector or bank examiner, it no longer makes sense to expect each of us to be our own privacy enforcer.