California recently implemented a consumer privacy act aimed at giving consumers a choice about companies selling their personal data. The law is not just a matter of concern for Californians; because it is an economic powerhouse, the state has considerable influence. My home state of Maine, which has far less influence than California, has a similar law. As would be suspected, such laws are philosophically interesting.
One general concern involves the matter of scope: should such privacy laws be handled by the states or the federal government? One compelling reason for having the federal government handle such privacy concerns is that state boundaries are essentially non-existent when it comes to data and privacy concerns. After all, people around the country routinely make purchases online and use online services across state boundaries. There is also the consistency argument: it is easier for business and consumers to have one law to deal with rather than fifty. There are some reasons to oppose a federal law, such as concerns that lobbyists would craft the federal law to the advantage of certain companies and to the detriment of consumers. There is also the argument based on the idea that states are best positioned to look out for their citizens, which has some appeal. In general, I do favor having a federal standard—if only to make things easier for everyone, especially small businesses that would face the challenge of trying to sort through up to fifty different sets of rules for privacy.
While privacy seems to be intuitively good, it is worth briefly considering reasons why such privacy protection is good. One approach, which should appeal to the fans of private property, is to build an argument based on the Lockean notion that people own the product of their labor. In this case, the labor would be the creation and providing of information. While a person can sell the product of this labor, to take it from them by fraud or force would be theft and thus consent would be needed.
An analogy can also be drawn to the creation of any product, such as this essay. Once I have created it, it is mine to do with as I wish (within certain boundaries). But if someone else takes this essay and sells it without my permission, they have engaged in what is obviously theft. While personal data is obviously not identical to an intentionally created product like an essay, program or vase, the analogy certainly seems reasonable.
The matter can also be looked at the other way, by raising the obvious question of what would entitle the company or other entity collecting personal data to sell it without permission. One could argue that they put effort into collecting it, but media and software pirates could make the same argument. The burden of proof is on those who would claim those collecting the data have the right to sell it without permission; this is because such behavior would intuitively seem to be data piracy.
As should be evident, I favor laws protecting consumer privacy in this manner, largely because I also favor laws protecting creators from having their work stolen. I am, however, fine with consumers freely choosing to use their data as currency and exchanging it for goods and services—provided that the exchange does not result from force or fraud. Such informed exchanges would, I think, be better for consumers and companies in the long run. Some companies will, of course, want to be able to steal from consumers—but theft is hardly a just business model.
One problematic aspect of California’s law is that government is exempt from the law. In many cases it makes sense that the state can require people to provide personal data. For example, someone applying for a driver’s license needs to provide private data for obvious reasons. The real concern is that the exemption allows the government to sell personal data without the permission of citizens. The California DMV currently sells the data it collects to third parties. Looked at with a suspicious eye, the law does not so much protect personal data as give the government a significant advantage over the private sector. While some consumers will still allow companies to sell their data or be willing to trade data for goods and services, the state does not give people a choice: if you want a driver’s license, then your data will be sold by the state. This presumably also applies to some other data collected by the state.
While the state might not collect as broad a range of consumer data as private companies, the state exemption effectively nullifies some of the law: some data that you might refuse to let a company sell because you want to keep it private could end up being sold by the state, thus negating the supposed protection of the law.
It could be countered that this is acceptable because the state is doing it and the money will be state revenue used for the good of the people. The obvious reply is that this does nothing to address privacy concerns—someone who does not want their data out there is not worried about who is making money from their loss of privacy, they are worried about the loss of privacy. As such, people should have the same right to refuse to allow the state to sell their data, otherwise the law is unfair to businesses and its ability to protect privacy is weakened significantly.
I agree with every point you make above.
However, thinking about this as an ethical question, it leaves several areas uncovered.
The California law is a Consumer Privacy Act. leginfo-legislature-ca-gov is down at the moment, so I can’t dig into the specifics as I would like, but in general terms I see that the law is framed in terms of the rights of the “consumer”, and the obligations of “business”.
Who counts as a “consumer”, and who as a “business”? You mention the government, but it’s not the only entity exempted. Is a political campaign a business? How about a church? A charity? An ideological movement? A club?
What of the more general question of the privacy of a person, in respect to other people?
While PII (Personal Identifying/Identified Information) can be considered a form of intellectual property, invoking the legal frameworks established, I don’t feel that is the only, or even the most important, aspect of privacy.
What justifies the government using its coercive power to prevent people from collecting or disseminating information about you?
I would find more on this subject interesting.
The site is back up.
“(c) “Business” means:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.”
That’s pretty limited. For-profit, $25M+ annual revenue, AND derives 50 percent or more of its annual revenues from selling consumers’ personal information.
I would hope for a more comprehensive law in future.