The Perils of Parochial Privacy Policies

by on January 11, 2013 · 6 comments

Here’s a thought experiment. Let’s say you believe the Internet economy needs more regulation to guard against potential privacy violations or what you regard as excessive data aggregation. Further, you believe that no amount of self-regulation, social norms, market pressure, education, empowerment, or anything else could possibly substitute for regulation. I know there are a lot of people out there today who feel this way. Regardless of the merits of such claims, here’s my question for you: Do the ends (enhanced privacy protections) justify any means (regulation at any and every level of government)? For example, what would you think about having all 50 states creating their own Privacy Offices or Data Protection Bureaus that issued regulations or recommendations about Internet best practices?

What got me thinking about this was this new blog post by Parker Higgins of EFF, “California Attorney General Releases Mobile Privacy Recommendations.” In the essay, Higgins showers praise on California Attorney General Kamala D. Harris, who just released a document (“Privacy on the Go“) that lays out a long set of privacy “best practices” for mobile app developers. Higgins writes:

EFF applauds this important step forward, and congratulates the California Attorney General on a thorough and clearly written explanation of the importance of mobile privacy and how developers can deliver. It’s true that as technology changes, the specific needs and guidelines for companies will need to adapt. We could well see a time when these principles do not adequately protect the rights and needs of consumers. However, right now these principles represent a huge step forward — going beyond existing law in a way that improves transparency, accountability, and choice for users of mobile devices.

Regardless of the merits of the principles and recommendations contained in that report — and I agree that many of them are quite sensible best practices that industry should be following — I can’t help but wonder whether it is wise for EFF to be cheering on state-based Internet meddling so openly. OK, so I can hear the primary objection: It’s not regulation; it’s just a set of recommendations! Well, yes and no. What AG Harris is doing here is an exercise in soft power or regulatory nudging. It’s a variation of what Tim Wu calls the “agency threats” model of regulating without any formal regulation being promulgated. (Wu enthusiastically endorses such exercises in arbitrary soft power). Or it’s what Randy Picker refers to a “non-law law,” which we are seeing more and more of on this front through the use of “best practice” reports or other agency guidance. And this is happening against the backdrop of a gradual expansion of formal privacy law in the state, such as the the California Online Privacy Protection Act (OPPA). Moreover, the state also has its own Office of Privacy Protection and AG Harris recently announced the creation of a Privacy Enforcement and Protection Unit in the Calif. Department of Justice.  Last year, she also brokered a Joint Statement of Principles that was adopted by the leading operators of mobile application platforms “to help bring mobile apps in compliance with the California Online Privacy Protection Act.”

Thus, when the AG announces a new set of best practices and strongly suggests industry should be following them, there’s an implied “or else!” threat that hangs like a quasi-regulatory Sword of Damocles over the collective necks of everyone in this sector. Regardless of how you feel about such “administrative arm-twisting,” I would hope we could agree that there is some theoretical limit to efficient state-based regulation of a network that is national or global in scope, such as the Internet. And yet that’s the perilous path we’re heading down if more states begin to mimic AG Harris and the state of California.

I can’t help but think that if AG Harris was issuing best practices on almost any other Internet policy issue — online free speech, copyright, cybersecurity, online authentication, etc. — that EFF would be (rightly) screaming bloody murder or at least raising some tough questions about the potentially slippery slope of increased state-based Internet meddling. But because there’s a bit of selective morality at work here — EFF welcomes more privacy regulation but opposes most other forms of information control — they are willing to turn a blind eye to the danger of a parochial patchwork of Internet policies in the privacy context.

Perhaps such nudging ends in California and doesn’t spread more broadly across the U.S.  But that’s a pretty big risk. I hope EFF and others give more thought to what they are sanctioning here. 50 state Internet Bureaus isn’t likely to help the digital economy or serve the long-term interests of consumers.

Further Reading

Previous post:

Next post: