2024
Privacy Redux Part I: Is It Time to Rethink Federal and State Privacy Laws?
Is it time for a privacy redux, to visit privacy anew to determine whether our legal system is doing something more than entangling honest companies in a costly web of superficial and ultimately meaningless requirements?
I think so. I also think we need to act quickly before the regulatory cement begins to set and drags free commerce down with it.
Why now?
Privacy has come to dominate much of my work as a partner at Brann & Isaacson over the last twenty years, and that experience has led me to conclude we’ve gone down the wrong path.
My work has been driven by a huge uptick in litigation, arbitration, and regulation in the name of privacy, even though the motives and efficacy of “privacy enforcers” and regulators generally appear to have nothing to to do with either defining or protecting our genuine and important privacy interests. Indeed, one would not have to be Ambrose Bierce to conclude that what we are witnessing is mostly about electioneering and greed under cover of the good intentions of people who genuinely care about protecting our private lives.
In thinking through the tangled and growing mess of idiosyncratic state privacy laws (and their “bespoke data privacy frameworks“), while a federal government that, after years of silence, seems poised precipitously to wreck things for real, the first order of business was gaining some historical perspective.
Over the past fifty years, we have witnessed a remarkable change in how both the law and society more generally view personal privacy, and its against this backcloth that we should examine the current state of U.S. privacy laws and debate what ought to be scrapped, what can be improved, and what can be reimagined.
Privacy from the 1960s through the 1980s
Until the 1980s, the principal, if not exclusive, concern was access to and use of private information by the government. This focus grew in intensity as the public learned of extraordinary overreach by federal agencies to obtain personal information of the most sensitive nature about civil rights leaders, and to use that information for political purposes. The abuses were both legion and severe.
The 1990s and beyond
Now, however, the concern is mostly about private companies, with most of the legislative targeting (and public discussion) pointing to information collection by retailers and their service providers in support of marketing and advertising.
To a lesser extent, recent privacy-related laws (like those relating to data breaches) are addressed to genuinely malign actors, but those laws are beyond the scope of this blog post.
And if you look carefully at the many new and proposed privacy laws, you’ll discover that most either explicitly or implicitly exempt federal, state, and local government, leaving open a doorway through which personal information can end up captured by law enforcement, regulators, and intelligence agencies.
Some commentators and media organs applaud the shift away from government abuses of privacy to privacy abuses by private companies — particularly gargantuan companies like Google and Facebook — and argue that the shift has not been pursued with sufficient vigor. The problem is that the shift has ensnared far more than large social media and online tech companies.
Charting a path forward
With the 2024 election looming and a torrent of new privacy bills in the pipeline driven by reelection concerns, it is high time to look more closely at this inversion of privacy priorities. This should include not only examining how we got here, but taking a sober look at the actual state of individual privacy rights as consequence of our shifting priorities over the last thirty years.
Indeed, election year rushes to legislate are poised to do great damage under the cloak of “good intentions.” These bills evidence little to no original thinking or a careful analysis of their repercussions — let alone a balance of benefit against economic harm. Indeed, there appears to be no GAO analysis of the economic impact of proposed changes to federal privacy law, despite the Senate’s obligation to undertake such an analysis.
I suggest that what we may discover counsels a wholesale rethinking of the nation’s privacy laws with a focus on identifying the real harms facing individual Americans, closing back doors to information sharing between private enterprise and the government, and taking oversight and enforcement out of the hands of private attorneys.
My hope is that there can a constructive dialogue between representatives of commercial interests and privacy rights advocates who currently face off against each other as if mortal enemies. Such engagement could lead to simpler, more effective, and intelligent legal framework which protects both consumers and the national economy, and offers real protection from those who might use private information to do harm. If its simplicity can drain the economy of the scourge of expertise creep by “privacy experts” and anti-capitalist academics, so much the better.
A privacy redux should recognize that retailers and consumers have a common interest in treating visitor and customer information with respect
Today’s war over privacy, pitting retailers against their customers, overlooks the extraordinary alignment between these two groups, i.e., retailers are motivated by an interest in learning what consumers want and finding ways to offer those things. It simply is not in interests of any legitimate business to harm its customers and potential customers, nor is it in the interest of consumers to hamstring the ability of retailers to determine what consumers want or need and to offer it to them. If we can build on this common ground, more rational and effective legal protection for privacy rights could be just around the corner.
Stay tuned for Part II.