We all agree, they said. Please make more rules for us, they said. Give more money to our regulators, they said. When an assemblage of savvy corporate lawyers converges on such improbable sentiments, skepticism is usually in order. A recent privacy hearing on Capitol Hill demanded a load of it.
Representatives from numerous tech and telecom luminaries – including Amazon, AT&T, Google and Twitter – told the Senate Commerce Committee Sept. 26 that there was “widespread agreement” in their industries about the need for a new federal privacy law. It all sounded quite cooperative and public-spirited.
A federal law is desirable for these companies not because privacy is a “core value” or “human right,” as the lawyers professed, but because they’d no longer have to comply with different rules in different states.
It’s hard to blame them for pursuing their interests. The problem is that their preferred cure would create more problems than it would solve.
A federal privacy law of the kind they envision – offering more “transparency” about data collection, giving users more “control” over their privacy – would be of no benefit to anyone. In the abstract, these seem like worthy principles. In practice, they invariably mean privacy policies no one reads, settings and options no one understands, and chipper compliance notices intended to reassure users while allowing companies to mostly keep doing what they’re doing.
Their business models, after all, depend on it. Much of the digital economy is premised on consumers getting free services – search, maps, email, social media, and so on – in exchange for their personal information. Consumers have grown accustomed to freely traversing the web, unimpeded by contractual demands from individual sites and services. And tech companies have grown accustomed to quietly tracking them as they do. It all works brilliantly so long as users don’t think too hard about what they’re divulging. Giving them the illusion of transparency and control turns out to be just the trick.
Efforts to improve this situation bureaucratically have almost universally failed.
A better idea is to dispense with this approach to regulating privacy altogether. In its place, Congress could offer an “information fiduciary” standard. By becoming fiduciaries, companies would agree to a set of best practices. For instance, they’d refrain from exploiting data to manipulate users, sharing it with unscrupulous third parties, or using it in unexpected ways. Companies would be free to sign up for the standard or not. Those that did could be offered protection from certain lawsuits and immunity from state and local privacy laws.
This would grant companies the nationwide consistency they desire and reduce their legal uncertainty, while imposing clear duties on them in return. It would give users more confidence that their data is in good hands and relieve them of the burden of trying to parse opaque privacy policies.
Under such a system, companies that claimed to care about your privacy would actually mean it – and that would be to everyone’s benefit.
Bloomberg View editorial.
