Privacy Harms: An Overview (or, Why We Won't Have Broad U.S. Privacy Regulations Anytime Soon)
Ed note: I wrote this in 2018 and published it to an earlier version of this blog. The content is still relevant, so I'm reposting it here.
tl;dr People have drastically different sensitivities about privacy. Some believe that only those acts that cause some real-world negative consequences, like identity theft, are harmful; others believe that all actions that cause them to feel surveilled, powerless, uneasy, or observed are harmful. Understanding these different perspectives helps explain why Congress’s efforts to pass a sweeping privacy bill have stalled.
From the Wall Street Journal:
Congress set the stage last year to pass a sweeping consumer data-privacy law in 2019, but prospects for legislation are dimming amid sharpening divides among lawmakers over how far the federal government should go in reining in Big Tech.
. . .
“The fact that—even after many hearings last year on the misuse of personal data—not one consensus bill has been introduced is telling,” said Gigi Sohn of the Georgetown Law Institute for Technology and Policy. “Republicans and Democrats seem to still be far apart on the best way to address this problem.”
On one level, the partisan divide is surprising. Republicans have frequently attacked social media and content companies for a perceived liberal bias that mirrors their base in the San Francisco Bay Area.
Understanding why this stalled-out legislative effort isn’t surprising requires a brief foray into people’s differing views of privacy harm.
There are two types of privacy harm: real-world (extrinsic) and feelings (intrinsic).
In his 2010 paper The Boundaries of Privacy Harm, Ryan Calo divides privacy harm into two flavors, extrinsic and intrinsic. [FN1]
Extrinsic harm occurs when a privacy violation causes some real-world effect. A good example is a data breach that results in identity theft or third parties forming a negative opinion about the breached person (which likely happened as a result of the Ashley Madison breach).
Intrinsic harm, on the other hand, is harm individuals experience when being observed. It is often described as the harm of feeling uncomfortable, uneasy or creeped out. A good example is a data breach that doesn’t result in any adverse consequences or the first time you realized that Facebook had a two-hundred-plus-item profile of you.
While the legal scholarship uses the terms “extrinsic” and “intrinsic” harm, for simplicity and lack of pretension, I’ll call them “real-world” and “feelings” harm.
Why does this harm distinction matter? Well . . .
A significant number of people don’t believe that feelings harm matters.
Consider this NY judge’s reaction to a class-action privacy lawsuit. The plaintiffs sued their bank for selling their data, in blatant violation of the bank’s privacy policy, to a data broker:
[T]he “harm” at the heart of this purported class action is that class members were merely offered products and services which they were free to decline. This does not qualify as actual harm.
The complaint does not allege any single instance where a named plaintiff or any class member suffered any actual harm due to the receipt of an unwanted telephone solicitation or a piece of junk mail.
Smith v. Chase Manhattan Bank, 293 A.D.2d 598, 599-00 (N.Y. App. Div. 2002).
Now, someone with a feelings harm view of the world hates this ruling. The bank lied! It told consumers it would use their data to provide the banking services, not sell it to a third party so that people could sell them stuff. That leads to a feeling of powerlessness and unease. It damages her self-esteem. In short, it hurts their feelings. See Daniel Solove, “I’ve Got Nothing to Hide” and Other Misunderstandings of Privacy (2007). But, in terms of immediate real-world harm, as the judge in Smith said, there isn’t much.
Real-world harm people aren’t jazzed about regulating internet privacy.
Here, it seems like the Democrats are the party most motivated to pass some significant privacy legislation. From that same WSJ article:
[Many Democrats] are wary of the expanding influence of companies such as Facebook Inc., Alphabet Inc. and Amazon.com Inc., and don’t want a national law that weakens state measures already in place. [FN2]
But the Democrats' attempt to regulate the collection and use of consumer data—which is a feature of the GDPR and the proposed bills we’ve seen so far—is going to encounter resistance from Republican lawmakers who are more reluctant to regulate business and some of whom have real-world harm views.
Here’s the real, immediate pain that businesses are going stress when they lobby against an onerous privacy bill: the burden and cost of compliance (“GDPR compliance is costing companies millions of dollars!”), the uncertainty of performing various activities (“we can’t tell if customer loyalty programs are legal under this new law!”), the unintended consequences of the regulation (“you’re going to kill the online ad industry!”), and, if there’s a private right of action, the litigation that will result (“all you’re going to do is make trial attorneys rich!”).
Meanwhile, the feelings-harm privacy advocates have very little to talk to besides a feeling of a loss of control and the massive amounts of information that big tech companies have. In the minds of many Republicans, this isn’t a close call.
As a result, while I would expect Republican and Democrat lawmakers to agree to regulate the real-world consequences of some privacy/security problems, like data breaches, I don’t anticipate they will pass a comprehensive federal privacy bill anytime soon.
FN1: There’s a third type of harm, social harm, related to these two privacy harms. Social harm is the social effect of privacy harms on individuals, like the harm of people being too scared to push the boundaries of laws or social norms.
FN2: For reasons that aren’t especially clear to me, Democrats seem to be more likely to be feelings harm people or, perhaps that isn’t true, and they are just more eager to regulate things. The Republicans, on the other hand, are much more sympathetic to business interests.