The world has changed; our laws haven’t.
Let’s roll the clock back 40 years. A customer walks into a store looking for a pair of sunglasses. She tries on several pairs and settles on one. She pays by cash and takes the item home. The store doesn’t know her name or anything about her. She leaves with her item and that’s it.
Today, data flows have become infinitely more complex in what has come to be known as surveillance capitalism – the pervasive and comprehensive tracking of consumers’ movements. Increasingly, companies collect and share a huge amount of information about consumers. According to the Federal Trade Commission:
“Once a company has collected consumer information, consumers typically have no control over what is being done with it, how it is used, or who it is sold to next. Worse than this unchecked collection is the continuous cycle of companies buying more data on each consumer, aggregating, creating profiles, and selling these profiles to additional third parties with little screening about potential uses. Countless data aggregators collect, buy, and combine data from multiple sources and sell it to marketers, researchers, or government agencies.”[1]
Let’s return to a customer shopping for sunglasses, only this time today and online. The website may be able to identify her from her IP address. Based on her prior online activities, she may have countless cookies on her computer and mobile phone which can be used to create a profile of her based on the sites she has visited and where she has traveled. Information about her transactions may be shared or sold to third parties, data brokers, who in turn sell it to other merchants so that they can market to her. Privacy laws, such as the European Union’s General Data Protection Regulation (GDPR), largely focus on the data subject (the customer in this case), the data controller (the store), and the data processor (such as firms that maintain the store’s billing and payment records), but not on the mix of databases that may hold information about her. The sunglasses store’s website privacy notice, probably a lengthy document written in legalese and rarely read, may authorize the store to share its customers’ data with third parties, such as brokers, who don’t fit neatly into the controller/processor boxes.
Imagine this same customer next visits her doctor’s office seeking treatment for a sensitive medical problem. The doctor spends 30 minutes taking the patient’s medical history (yes, they used to spend more than five minutes with patients back in those days), gives her a prescription and makes notes in the patient’s paper file. The patient pays the bill on the way out. No federal law prohibited this doctor from disclosing the patient’s information. In 1996, Congress passed HIPAA (the Health Insurance Portability and Accountability Act), which applies to health insurance companies, HMOs, company health plans, and certain government programs, and to health care providers including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists, as well as to business associates (behind-the-scenes support companies). So far so good – her sensitive data is protected. But wait. Medicine has become increasingly complicated, and HIPAA doesn’t cover many entities that handle sensitive health information, such as life insurers, employers, workers’ compensation carriers, schools, state agencies such as child protective service agencies, and law enforcement agencies. Beyond doctors and hospitals, medical data may go to researchers, managed care firms, and prescription benefit programs. Patients may unwittingly, when they sign an acknowledgement of the doctor’s privacy policies, also “consent” to the doctor sharing information with third parties that use their medical data to deliver ads on behalf of pharmaceutical companies!
It’s time to think of data flow as occurring in the context of a complex ecosystem in which large amounts of personal data move virtually instantaneously to multiple users and data brokers. According to Apple’s Tim Cook:
“Today [gossip] has exploded into a data industrial complex. Our own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency. Every day, billions of dollars change hands, and countless decisions are made, on the basis of our likes and dislikes, our friends and families, our relationships and conversations…our wishes and fears…our hopes and dreams. These scraps of data…each one harmless enough on its own…are carefully assembled, synthesized, traded, and sold.”
To protect our privacy, laws need to recognize these many uses and flows. Maybe we need to go back to the future. Believe it or not, credit bureau regulation, which started in the 1970s, offers a better model of technology-neutral database regulation than what we generally have today in most data protection laws.
Credit bureaus run massive databases on hundreds of millions of people containing sensitive financial information, sharing this information with creditors, insurers, employers, and others. Consumers usually don’t consent to being in the bureau’s databases – understandably, because those with bad credit would tend to opt out. Instead, consumers are given a bundle of rights some of which have been added over the years, including being able to get free copies of their reports annually (the bureaus now voluntarily provide free copies weekly), the ability to dispute and have corrected inaccurate or incomplete data in their files, and the ability to vindicate their rights in court. Credit bureaus are only permitted to share data with third parties that have a statutory permissible purpose for getting and using it, such as evaluating a loan or employment application. The bureaus are responsible for the accuracy and security of the data they hold.
Credit reporting law recognizes that sometimes people need a fresh start. Just because someone once had to file for bankruptcy when facing a mountain of unexpected medical bills, or fell behind after losing a job, doesn’t mean that it should hang over their head forever. Accordingly, after seven years credit bureaus are not permitted to report most negative information they hold. Imagine if this concept were applied more generally to negative data in databases. The GDPR has an analogous “right to be forgotten” which allows people to require a search engine, such as Google, to not list websites in search results where the information in those links is irrelevant, outdated, inaccurate or otherwise unlawful. While broad application of this concept could raise free speech issues, it does have some benefits for people who are being tarnished by past negative information.
Artificial Intelligence (AI) is the hot topic du jour around the world, with debates about whether it will solve a great many problems, create even more profound problems, or both. From a privacy perspective, AI makes it “easier to extract, re-identify, link, infer, and act on sensitive information about people’s identities, locations, habits, and desires.”[2] It vacuums up huge amounts of people’s data, analyzes it in ways that even AI experts sometimes don’t understand, produces insights (and some erroneous conclusions), and shares the results widely, demonstrating that antiquated approaches to data protection are no longer adequate.
The challenge is how to future-proof privacy legislation, learning the lesson of what worked with credit reporting laws as well as other more recent measures. This will entail imposing data collection, use, sharing and retention rules and requiring disclosures regarding the use of personal information, including:
Use restrictions as the new consent. Who reads the privacy notices for all the websites they visit? Or the app privacy notices (yes, those are a thing – just check the app store) for each of the roughly 80 apps the average person has on their phone? Providing (unread) notice of privacy practices is clearly not enough protection. Even for those brave souls who try to read the countless pages of legalese, it may still be impossible to find out who in the data ecosystem has received their personal information, how they are using it, and who they are sharing data with. As a result, there is a growing recognition that consent is no longer enough. It shouldn’t be the consumers’ job to police how their data is being used, in the same way that diners at restaurants should not have to go into the kitchen to make sure their food is being properly and hygienically prepared. Instead, companies that handle your data should be legally responsible for proper data usage. They should only use your data for a legitimate purpose related to how the data was collected in the first place, such as sending you something you buy online. A shorthand for this would be only using data in ways the consumer would reasonably expect. In addition, companies should have a fiduciary duty to only use data in ways that are in their customers’ interest. It will be key to have these rules apply to downstream databases, such as those that will be covered by a new California law (see below).
Give me a hand. Since consent may not go away completely, it is worth considering India’s effort to pioneer the concept of Consent Managers, a tool to help people manage how their data is collected, used and shared. People can give, manage, review or withdraw their consent by delegating to a Consent Manager, someone who is accountable to the consumer and charged with acting on her behalf as a single point of contact. In theory, these Consent Managers could research how firms handle data and make recommendations to their clients about whether consent should be provided or not. One immediate function Consent Managers could perform is eliminating the need to respond to website cookie consent requests, by handing such decisions to each person’s Consent Manager.
Who’s on the hook? As the datasphere becomes more complex, the entity collecting your information may only be an agent for another behind-the-scenes company, e.g., a money transmitter may really be an agent of a bank. It may be almost impossible for a consumer to figure out who they are dealing with. This challenge can be made easier by making the entity that collects consumers’ data liable for data problems that arise. This would create an incentive for this first firm in the chain to vet and police the other firms down the data chain that handle personal information and impose contractual data security requirements, while giving the consumer a clear place to go for redress. Otherwise, consumers could be running in circles trying to find a responsible party. The consumer-facing firm would always be free to contractually seek indemnification from the other firms in the data chain.
Technology neutrality. There is a risk in making rules based on today’s technology, because subsequent developments could make those rules and protections obsolete. When the credit reporting rules referenced above were adopted in 1970, there was no internet. Nonetheless, that law still works even though bulky computer tapes are no longer mailed to the credit bureaus once a month and, instead, there are faster and more efficient means of communication today. This is a valuable lesson in how to regulate data: legislate not for yesterday’s or even tomorrow’s technology but for the consequences of data use and disclosure.
Technology as protection. Laws should encourage the development of “privacy-enhancing technology,” meaning tools for mitigating the privacy risks arising from data processing. This may include encryption, anonymization, differential privacy, and synthetic data generation. These tools can maximize the benefits of data while reducing the risks.
Powerful opt-out. California has taken an ecosystem approach to the proliferation of individual databases by adopting a new law, the Delete Act, that applies to “data brokers” that gather and sell people’s personal data such as addresses, spending habits and employment status. California has some 500 registered data brokers including individual look-up websites. The new law enables residents to get data brokers to delete their personal information with just one request, rather than the multiple asks they had to make before. In the past, it was “tough for consumers to know which data brokers have their personal data.” Starting in 2026, instead of hunting those data brokers down, one deletion request will apply to all of them.
You can’t lose what you don’t have. Data minimization is the concept that companies should not collect more information than they need and should keep it only as long as needed.
Privacy and security baked in. When designing data communications and storage systems, privacy and security should be built into the technical features. For starters, it is more efficient to build these protections in than to retrofit systems after the fact. The “privacy by design” approach also requires that thought be given to these issues as new products and services are developed and, in many cases, that the default settings be the ones that most protect people.
As individual data moves through the ecosystem, there will be greater challenges to protecting privacy. For example, in cases where there have been no prior direct dealings between the individual and a broker, individuals may want to access data about themselves from data brokers, including to correct erroneous information. Importantly, the broker will need to be sure it can authenticate that the person making the access request is in fact the subject of the data. Hence, the technology must ensure that a proper ID or other form of identification is presented.
Put consumers in the driver’s seat (sorry self-driving cars). Building ever larger databases with information about consumers may no longer make sense in a networked world. For one, they become an attractive target for cybercriminals who can hack into the databases and access sensitive data that they can exploit for ID theft. India has come up with the concept of “digital lockers” which are effectively reverse credit bureaus. Instead of banks and credit card companies reporting data to the bureau, they instead report the data to the consumer’s digital locker. In turn, the consumer could then decide who should have secure access to their digital locker, for what purpose and for how long. Another advantage is that consumers can access their own data 24/7 and easily dispute inaccuracies. A hack of a locker would impact one consumer whereas a credit bureau compromise could reveal data of almost 150 million or more people. Decentralizing storage of data would minimize the role of database operators and maximize consumer control over their own data.
It is almost impossible to shut off the flow of personal data in the digital ecosystem, nor would that be a good idea. However, there are a number of tools, from consent managers to digital lockers, that can give people some control, if not complete privacy, over how their personal data is used, shared and maintained. To effectively provide this control, the law must recognize that we live in a highly complex data world and that the paradigms of data regulation from the last century no longer apply. This complexity can provide tremendous benefits, but in order for it to be used for people’s benefit, the law must create appropriate constraints and controls.
One of the keys to the success of credit reporting laws of the past is their broad application, covering employment screening, landlord/tenant databases, even lines of credit at gambling casinos – virtually any data held by third parties and used to make decisions about consumers. The laws also do not specify which technological methods of data collection and use are covered, which has allowed them to work effectively for more than 50 years. Accordingly, while we are concerned today about facial recognition, artificial intelligence, retina and fingerprint scanning, and genetic data, it is important to craft laws that apply not only to all of these technologies but also to data management technologies that have yet to be invented.
[1] Levine, Sam, “Surveillance in the Shadows – Third-Party Data Aggregation and the Threat to our Liberties,” remarks at the 2023 Consumer Data Industry Association Law & Industry Conference, September 21, 2023, https://www.ftc.gov/system/files/ftc_gov/pdf/cdia-sam-levine-9-21-2023.pdf.
[2] White House Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, October 30, 2023, https://www.whitehouse.gov/briefing-room/presidential-actions/2023/10/30/executive-order-on-the-safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence/.