2010

Privacy on the Books and on the Ground

Kenneth A. Bamberger and Deirdre K. Mulligan, "Privacy on the Books and on the Ground" Stanford Law Review, Fall 2010. (March, 10 2010)

Abstract

U.S. privacy law is under attack. Scholars and advocates criticize it as weak, incomplete, and confusing, and argue that it fails to empower individuals to control the use of their personal information. The most recent detailed inquiry into corporate treatment of privacy, conducted in 1994, frames these critiques, finding that firms neglected the issue in their data management practices because of the ambiguity in privacy mandates and lax enforcement. As Congress and the Obama Administration consider privacy reform, they encounter a drumbeat of arguments favoring the elimination of legal ambiguity by adoption of omnibus privacy statutes, the EU’s approach.

These critiques present a largely accurate description of privacy law “on the books.” But the debate has strangely ignored privacy “on the ground”—since 1994, no one has conducted a sustained inquiry into how corporations actually manage privacy, and what motivates them. This omission is especially striking because the neglect of the 90s has been replaced by a massive dedication of corporate resources to privacy management, the inclusion of privacy officers at the c-suite level, and the employment of a 6,500-strong cadre of privacy professionals.

This Article presents findings from the first study of corporate privacy management in fifteen years, involving qualitative interviews with Chief Privacy Officers identified by their peers as industry leaders. Spurred by these findings, we present a descriptive account of privacy “on the ground” that upends the terms of the prevailing policy debate. Our alternative account identifies elements neglected by the traditional story—the emergence of the Federal Trade Commission as a privacy regulator, the increasing influence of privacy advocates, market and media pressures for privacy-protection, and the rise of privacy professionals—and traces the ways in which these players supplemented a privacy debate largely focused on processes (such as notice and consent mechanisms) with a growing corporate emphasis on substance: preventing violations of consumers’ expectations of privacy.

Two alterations to the legal landscape contribute to this definitional shift. First, the substantive definition tracks the emergence of the FTC as a roving regulator with broad yet ambiguous power to evaluate privacy practices in the marketplace through its consumer protection lens. The FTC’s mandate to protect consumers from “unfairness” and “deception” permits dynamic regulation that evolves with changing contexts, and forces corporate practices to develop accordingly. Second, state security breach notification laws raised the soft and hard costs of mismanaging personal information. Together these changes led companies to integrate substantive considerations of consumers’ privacy expectations into their workflows, rather than leaving privacy to the lawyers and their process-based “click through if you ‘consent’ to the privacy policy” approach.

Our grounded account should inform privacy reforms. While we have no truck with efforts to expand procedural mechanisms to empower individuals to control their personal information, doing so in a way that eclipses robust substantive definitions of privacy and the protections they are beginning to produce, or constrains the regulatory flexibility that permits their evolution, would destroy important tools for limiting corporate over-reaching, curbing consumer manipulation, and protecting shared expectations about the personal sphere on the Internet, and in the marketplace.

Author(s)

Research Area(s)

Last updated:

September 20, 2016