data privacy – Technology Liberation Front
https://techliberation.com
Keeping politicians' hands off the Net & everything else related to technology
Mon, 01 Oct 2018 16:52:41 +0000

Should the US Adopt the GDPR?
https://techliberation.com/2018/10/01/should-the-us-adopt-the-gdpr/
Mon, 01 Oct 2018 16:50:16 +0000

Last week, I had the honor of being a panelist at the Information Technology and Innovation Foundation’s event on the future of privacy regulation. The debate question was simple enough: Should the US copy the EU’s new privacy law?

When we started planning the event, California’s Consumer Privacy Act (CCPA) wasn’t a done deal. But now that it has passed and presents a deadline of 2020 for implementation, the terms of the privacy conversation have changed. Next year, 2019, Congress will have the opportunity to pass a law that could supersede the CCPA and some are looking to the EU’s General Data Protection Regulation (GDPR) for guidance. Here are some reasons for not taking that path.

GDPR imposes three kinds of costs on firms. First, the regulation forces firms to retool data processes to realign with the new demands. This is generally a one-time fixed cost that raises the cost of all information-using entities. Second, the regime adds risk compliance costs, causing companies to staff up to ensure compliance. Finally, the law will change the dynamics of the industry, as companies adapt to the new requirements.

Right now, the retooling costs and the risk compliance costs are going hand in hand, so it is difficult to suss out the costs of each. Still, they are substantial. A McDermott-Ponemon survey on GDPR preparedness found that almost two-thirds of all companies say the regulation will “significantly change” their informational workflows. For the just over 50 percent of companies expecting to be ready for the changes, the average budget for getting to compliance tops $13 million, by this estimate. Among all the new requirements, this survey found that companies were struggling with the data-breach notification the most. The inability to comply with the notification requirement was cited by 68 percent of companies as posing the greatest risk because of the size of levied fines.

The International Association of Privacy Professionals (IAPP) estimated the regulation will cost Fortune 500 companies around $7.8 billion to get up to speed with the law. And these won’t be one-time costs, since “Global 500 companies will be hiring on average five full-time privacy employees and filling five other roles with staff members handling compliance rules.” A PwC survey on the rule change found that 88% of companies surveyed spent more than $1 million on GDPR preparations, and 40% more than $10 million.

It might take some time to truly understand the impact of GDPR, but the law will surely change the dynamics of countless industries. For example, when the EU adopted the e-Privacy Directive in 2002, Goldfarb and Tucker found that advertising became far less effective. The impact seems to have reverberated throughout the ecosystem as venture capital investment in online news, online advertising, and cloud computing dropped by between 58 and 75 percent. Information restrictions shift consumer choices. In Chile, for example, credit bureaus were forced to stop reporting defaults in 2012, which was found to reduce the costs for most of the poorer defaulters, but raised the costs for non-defaulters. Overall, the law led to a 3.5 percent decrease in lending and reduced aggregate welfare.

As the Chilean example suggests, some might benefit from a GDPR-like privacy regime. But as Daniel Castro, my co-panelist, pointed out, strong privacy laws haven’t done much to sway public opinion. As he wrote with Alan McQuinn,

The biannual Eurobarometer survey, which interviews 100 individuals from each EU country on a variety of topics, has been tracking European trust in the Internet since 2009. Interestingly, European trust in the Internet remained flat from 2009 through 2017, despite the European Union strengthening its ePrivacy regulations in 2009 (implementation of which occurred over the subsequent few years) and significantly changing its privacy rules, such as the court decision that established the right to be forgotten in 2014. Similarly, European trust in social networks, which the Eurobarometer started measuring in 2014, has also remained flat, albeit low

In other words, it doesn’t seem as though strong regulations have done anything to make people feel as though they are getting a better deal with Internet companies.   

One of my top concerns with the GDPR that wasn’t really discussed relates to the consent requirement in the law. Now, people must affirmatively say that data processors can use their data. As I explained at the American Action Forum,

Affirmative consent is also known as an opt-in privacy regime. Opt-in is frequently described as giving consumers more privacy protection, but opt-out regimes give an individual the same option to exit data processing without the added burdens. Indeed, most of the large companies already provide a method of opting out of certain data processing and collection. Setting the default by regulation simply biases consumer choices in a particular direction.

Overall, I think there was general agreement among the panelists that the US should not adopt the GDPR. But both Amie Stepanovich of Access Now and Justin Brookman of Consumers Union were generally in favor of implementing a couple of the fundamental elements of the GDPR, assuming they were adapted to the US legal system. Indeed, Access Now released a paper on exactly this topic.

The big question is whether the GDPR or something similar is a set of optimal rules. For countless reasons, I’m skeptical they will really improve consumer experience without imposing substantial costs. 

For more on this topic, check out:

How Should Privacy Be Defined? A Roadmap
https://techliberation.com/2018/08/06/how-should-privacy-be-defined-a-roadmap/
Mon, 06 Aug 2018 12:00:45 +0000

Privacy is an essentially contested concept. It evades a clear definition, and when it is defined, scholars do so inconsistently. So, what are we to do now with this fractured term? Ryan Hagemann suggests a bottom-up approach. Instead of beginning from definitions, we should be building a folksonomy of privacy harms:

By recognizing those areas in which we have an interest in privacy, we can better formalize an understanding of when and how it should be prioritized in relation to other values. By differentiating the harms that can materialize when it is violated by government as opposed to private actors, we can more appropriately understand the costs and benefits in different situations.

Hagemann aims to route around definitional problems by exploring the spaces where our interests intersect with the concept of privacy, in our relations to government, to private firms, and to other people. It is a subtle but important shift in outlook that is worth exploring.

Hagemann’s colleague Will Wilkinson laid out the benefits of this kind of philosophical exercise, which comes to me via Paul Crider. Wilkinson traces it back to the very beginnings of liberal thought, which takes a bit to wind up:

Thomas Reid, the Scottish Enlightenment philosopher, pointed out that there are two ways to construct an account of what it means to really know something, rather than just believing it to be true. The first way is to develop an abstract theory of knowledge—a general criterion that separates the wheat of knowledge from the chaff of mere opinion—and then see which of our opinions qualify as true knowledge. Reid noted that this method tends to lead to skepticism, because it’s hard, if not impossible, to definitively show that any of our opinions check off all the boxes these sort of general criteria tend to set out.

That’s why Descartes ends up in a pickle and Hume leaves us in a haze of uncertainty. It’s all a big mistake, Reid said, because the belief that I have hands, for example, is on much firmer ground than any abstract notions about the nature of true knowledge that I might dream up. If my theory implies that I don’t really know that I have hands, that’s a reason to reject the theory, not a reason to be skeptical about the existence of my appendages.

According to Reid, a better way to come up with a theory of knowledge is to make a list of the things we’re very sure that we really know. Then, we see if we can devise a coherent theory that explains how we know them.

The 20th century philosopher Roderick Chisholm called these two ways of theorizing about knowledge “methodism”—start with a general theory, apply it, and see what, if anything, counts as knowledge according to the theory—and “particularism”—start with an inventory of things that we’re sure we know and then build a theory of knowledge on top of it.

Hagemann is right to build privacy on the particularism of Wilkinson, Reid and Chisholm. Given the changing nature of technology, we should take a regular “inventory of things that we’re sure we know” about privacy and then build theories on top of it.

Indeed, privacy scholarship finds its genesis in this method. While many have gotten hung up on the rights talk in the “Right to Privacy”, Warren and Brandeis actually aim “to consider whether the existing law affords a principle which can properly be invoked to protect the privacy of the individual; and, if it does, what the nature and extent of such protection is.” The article looks to previous law to construct a principle for “recent inventions and business methods.” This is particularism applied to privacy.

Only a handful of court cases are actually reviewed in the article, the most important of which is Marian Manola v. Stevens & Myers. Marian Manola was a classically trained comic opera prima donna who had a string of altercations with her company, where Stevens was the manager. About a year before the case, the New York Times carried a story describing a dispute between Manola and another actor in the McCaull Opera Company. She refused to go on stage after the actor pushed her on stage, and Benjamin Stevens apparently “ignored her until she returned to her duty.” About a year later, Stevens set up the photographer Myers in a box, as a stunt to boost sales. Manola sued both of them. Today, the case would be cited in the right to publicity literature.

Still, Warren and Brandeis were trying to survey the land of privacy harms and then build a principle on top of it.

Be it either particularism or methodism, these ways of constructing knowledge frame the moral ground, creating a field where privacy advocates and privacy scholars can converse. What unites these two groups, then, is their common rhetoric about the contours of privacy harms. And so, what constitutes a harm is still the central question in privacy policy.

A Roundup of Commentary on the Supreme Court’s Carpenter v. United States Decision
https://techliberation.com/2018/06/25/a-roundup-of-commentary-on-the-supreme-courts-carpenter-v-united-states-decision/
Mon, 25 Jun 2018 13:08:42 +0000

On Friday, the Supreme Court ruled on Carpenter v. United States, a case involving cell-site location information. In the 5 to 4 decision, the Court declared that “The Government’s acquisition of Carpenter’s cell-site records was a Fourth Amendment search.” What follows below is a roundup of reactions and comments to the decision.

Ashkhen Kazaryan, Legal Fellow at TechFreedom, had this to say about the ruling:

This ruling recognizes the immensely sensitive nature of cell phone location data, and rightly requires a showing of probable cause before law enforcement can obtain location information from mobile carriers. Our country’s Founders would have expected no lesser safeguards to apply to non-stop surveillance. Indeed, the American Revolution was first instigated over surveillance that was far less invasive.

Ryan Radia at Competitive Enterprise Institute commended the decision:

Although the court’s opinion was narrowly crafted to address the particular facts in this case, its decision underscores the court’s willingness to apply rigorous scrutiny to governmental surveillance involving new technologies. In the United States, the Constitution protects people from unreasonable searches and seizures, and Fourth Amendment protection should apply to private information held on or collected through our personal devices.

Curt Levey, president of Committee for Justice, penned an op-ed in Fox News:

Rapid technological change inevitably outpaces the glacial evolution of the law and the Carpenter case is a perfect example. The location data in question was obtained under the Stored Communications Act (SCA), which did not require prosecutors to meet the “probable cause” standard of a warrant.

So Timothy Carpenter turned to the Constitution. But the Justice Department argued that the Fourth Amendment didn’t apply because of the Supreme Court’s Third-Party Doctrine. That doctrine holds that no search or seizure occurs when the government obtains data that the accused has voluntarily conveyed to a third party – in this case, one’s wireless provider.

The Third-Party Doctrine made some sense when it was invented 40 years ago. However, when applied to today’s modern technology, the doctrine results in a gaping hole in the Fourth Amendment…

The good news is that the Supreme Court took a big step towards repairing that hole Friday. In an opinion by Chief Justice John Roberts, the court acknowledged that Fourth Amendment doctrines must evolve to account for “seismic shifts in digital technology.”

Orin Kerr runs through nine questions you might have on the decision over at the Volokh Conspiracy:

(9) Does This Reasoning Apply Just For Physical Location Tracking, Or Does It Apply More Broadly?

That’s the big question. On one hand, the reasoning of the opinion is largely about tracking a person’s physical location. The opinion takes as a given that you have a reasonable expectation of privacy in the “whole” of your “physical movements.” The Court has never held that, so it’s sort of an unusual thing to just assume! But the Court seems to be getting it mostly from Justice Alito’s Jones concurrence, and the idea, as Alito wrote in Jones, that “society’s expectation has been that law enforcement agents and others would not— and indeed, in the main, simply could not—secretly monitor and catalogue every single movement of an individual’s car for a very long period.” …

On the other hand, there’s lots of language in the opinion that cuts the other way. Although the Court “decides no more than the case before us,” it also recasts a lot of doctrine in ways that could be used to argue for lots of other changes. Its use of equilibrium-adjustment will open the door to lots of new arguments about other records that are also protected. For example, what is the scope of this reasonable expectation of privacy in the “whole” of physical movements? Why is there? The Jones concurrences were really light on that, and Carpenter doesn’t do much beyond citing them for it: What is this doctrine and where did it come from? (And what other reasonable expectations of privacy in things do people have that we didn’t know about, and what will violate them?)

Cato’s Ilya Shapiro and Julian Sanchez comment on the Supreme Court’s decision in this Cato Daily podcast.

Columbia Law Professor Eben Moglen of the Software Freedom Law Center also opined on the decision:

The decision in Carpenter v. United States is a groundbreaking change in the application of the Fourth Amendment in digital society. By stating that the pervasive geographic location data assembled by cellular providers is not insulated from the warrant requirement even though it is information collected by third parties, the Court has fundamentally changed the principles underlying the application of the Amendment before today. The Court has stated that its present decision is narrow and factual, but a flood of further cases will seek to widen the meaning of today’s opinion.

A Posterboy for Advertising’s Pro-Consumer Quid Pro Quo
https://techliberation.com/2009/06/28/a-posterboy-for-advertisings-pro-consumer-quid-pro-quo/
Sun, 28 Jun 2009 23:47:19 +0000

Who is this handsome young man and why does he have “Mr. Yogato Stamped Me!!!” on his forehead? More importantly, why does he look so darn happy?

Flashback: Earlier this week, my partner Michael (pictured) and I visited Mr. Yogato, a frozen yogurt shop in Washington’s Dupont Circle neighborhood which describes itself as “the FUNNEST yogurt experience you’ll ever have.”

Apart from serving exceptionally tasty frozen yogurt and letting customers play a vintage Nintendo, Mr. Yogato is famous for the eight “Rules of Yogato,” which offer discounts if users achieve certain feats, including:

  • Answering devilishly difficult trivia (10% off—or extra if you fail)
  • Reciting the Stirling battlefield speech from Braveheart in a great Scottish accent (20% off)

But the best discount, which Michael does every time (unless I’m there to help identify, say, countries that end in ‘L’), is offered for wearing the Yogato stamp on your forehead. Being stamped is, of course, almost as much fun as singing along to “Mr. Roboto” if you’re lucky enough to hear that played while you’re in the shop (10% off).  But the real fun is in engaging passersby on the street about the icy-sweet joys of Yogato. It’s also, of course, probably the most effective advertising Mr. Yogato could ever want.

So, the next time you hear Adam Thierer and me talk about the benefits of advertising, especially online, just remember that while there is no free lunch (nor free frozen yogurt), there is discounted frozen yogurt. It’s a simple, obvious quid pro quo: 10% off in exchange for spreading the Gospel of Yogato.

The most obvious example of a quid pro quo is the use of discount cards in grocery stores: Users receive discounts in exchange for having their purchases tracked, which allows advertisers to target advertising to them and the grocery store to better manage its inventory. Online, Microsoft’s Live search engine (now Bing) pioneered the use of rewarding users with “cashback” for purchases made through the search engine.

But the more significant quid pro quo online is indirect: users receive “free” content and services in exchange for seeing advertising and sharing data about their browsing habits, which makes advertising significantly better targeted, more effective for advertisers and therefore more profitable for online content publishers and service providers. As Adam and I noted in response to the FTC’s recently-released self-regulatory guidelines for “behavioral advertising” (now likely to be superseded by pre-emptive “privacy” legislation):

The advocates of regulation pay lip service to the importance of advertising in funding online content and services but don’t seem to understand that this quid pro quo is a fragile one: Tipping the balance, even slightly, could have major consequences for continued online creativity and innovation. [FTC] Commissioner Harbour talks about companies competing on privacy as a “non-price dimension”-and that is clearly a positive thing. In traditional economics, there are three primary variables that are considered when discussing industry competition and efforts to regulate market structures: price, quantity, and quality. But in the context of the Internet, where digital economics have relentlessly driven prices down to zero, and where advertising support has become the only viable business model for most providers of content and services, the price variable has largely been removed from the picture. This means-unless industry could somehow find a way to make pay-per-use, pay-per-view, or subscription-based models work in the future-that regulation of online advertising would have its most dramatic impact on the quantity and quality of content and services provided. Depending on how regulation is structured, therefore, it is possible that new privacy mandates would severely curtail the overall quantity of content and services offered-and greatly limit the ability of new providers to enter the market with innovative offerings. Alternatively, or perhaps additionally, companies would change the character of their offerings and water-down sophisticated services that cater to consumer demand; in other words, the quality of service would deteriorate. Bottom line: Something must give because there is no free lunch. Regulation is a giant game of economic whack-a-mole: Attempting to control one of the primary variables of price, quantity, or quality inevitably results in non-optimal adjustments in the other two variables.
The absence of price as a variable in this context means there is one less variable for the government to control in the first place. Simply stated, stifling the evolution of the online advertising marketplace will likely result in fewer free online services and less content, less high-quality online services and content, or some combination of both…. Apart from a hardcore fringe who embrace the Marxist dogma that advertising is inherently deceptive and wasteful, most participants in this debate at least pay lip service to the economic importance of online advertising. One might therefore be lulled into a false sense of complacency that “sensible” regulation (or government-led co-regulation) would surely avoid crippling this dynamo. This widespread assumption calls to mind the famous quip of Chris Patten, last British Governor of Hong Kong, who paraphrased those who dismissed his concerns about the potentially negative effects of a Chinese take-over of the British colony in 1997, as follows: “It is unimaginable that the Chinese would kill such a goose.” To this, Patten responded, “Yet we wouldn’t need the metaphor of golden eggs and geese if history weren’t full of dead geese.” The dangers of regulation to the health of the Internet are real, but the ease with which government could disrupt the economic motor of the Internet (advertising) is not widely understood-and therein lies the true danger in this debate.

I think Mr. Yogato would understand this. Let’s hope Chairman Boucher and the folks on the Hill who seem to be so adamant about regulation do, too.
