California recently implemented a consumer privacy act aimed at giving consumers a choice about companies selling their personal data. The law is not just a matter of concern for Californians; because it is an economic powerhouse, the state has considerable influence. My home state of Maine, which has far less influence than California, has a similar law. As would be suspected, such laws are philosophically interesting.
One general concern involves the matter of scope: should such privacy laws be handled by the states or the federal government? One compelling reason for having the federal government handle such privacy concerns is that state boundaries are essentially non-existent when it comes to data and privacy concerns. After all, people around the country routinely make purchases online and use online services across state boundaries. There is also the consistency argument: it is easier for business and consumers to have one law to deal with rather than fifty. There are some reasons to oppose a federal law, such as concerns that lobbyists would craft the federal law to the advantage of certain companies and to the detriment of consumers. There is also the argument based on the idea that states are best positioned to look out for their citizens, which has some appeal. In general, I do favor having a federal standard—if only to make things easier for everyone, especially small businesses that would face the challenge of trying to sort through up to fifty different sets of rules for privacy.
While privacy seems to be intuitively good, it is worth briefly considering reasons why such privacy protection is good. One approach, which should appeal to the fans of private property, is to build an argument based on the Lockean notion that people own the product of their labor. In this case, the labor would be the creation and providing of information. While a person can sell the product of this labor, to take it from them by fraud or force would be theft and thus consent would be needed.
An analogy can also be drawn to the creation of any product, such as this essay. Once I have created it, it is mine to do with as I wish (within certain boundaries). But if someone else takes this essay and sells it without my permission, they have engaged in what is obviously theft. While personal data is obviously not identical to an intentionally created product like an essay, program or vase, the analogy certainly seems reasonable.
The matter can also be looked at the other way, by raising the obvious question of what would entitle the company or other entity collecting personal data to sell it without permission. One could argue that they put effort into collecting it, but media and software pirates could make the same argument. The burden of proof is on those who would claim those collecting the data have the right to sell it without permission; this is because such behavior would intuitively seem to be data piracy.
As should be evident, I favor laws protecting consumer privacy in this manner, largely because I also favor laws protecting creators from having their work stolen. I am, however, fine with consumers freely choosing to use their data as currency and exchanging it for goods and services—provided that the exchange does not result from force or fraud. Such informed exchanges would, I think, be better for consumers and companies in the long run. Some companies will, of course, want to be able to steal from consumers—but theft is hardly a just business model.
One problematic aspect of California’s law is that government is exempt from the law. In many cases it makes sense that the state can require people to provide personal data. For example, someone applying for a driver’s license needs to provide private data for obvious reasons. The real concern is that the exemption allows the government to sell personal data without the permission of citizens. The California DMV currently sells the data it collects to third parties. Looked at with a suspicious eye, the law does not so much protect personal data as give the government a significant advantage over the private sector. While some consumers will still allow companies to sell their data or be willing to trade data for goods and services, the state does not give people a choice: if you want a driver’s license, then your data will be sold by the state. This presumably also applies to some other data collected by the state.
While the state might not collect as broad a range of consumer data as private companies, the state exemption effectively nullifies some of the law: some data that you might refuse to let a company sell because you want to keep it private could end up being sold by the state, thus negating the supposed protection of the law.
It could be countered that this is acceptable because the state is doing it and the money will be state revenue used for the good of the people. The obvious reply is that this does nothing to address privacy concerns—someone who does not want their data out there is not worried about who is making money from their loss of privacy, they are worried about the loss of privacy. As such, people should have the same right to refuse to allow the state to sell their data, otherwise the law is unfair to businesses and its ability to protect privacy is weakened significantly.