You may have noticed consent pop-ups on most websites, particularly for the collection of your cookies (not the type you eat). Most of these messages are a result of the California Consumer Privacy Act (CCPA) that went into effect on Jan. 1, 2020 with the supposed intent of “giving Californians more control over their personal information.”
Don’t be fooled. These laws do not functionally require consumers to critically engage with their decision making before signing up; instead, they are asked to consent to data collection or cookies, without understanding what it would actually entail. Accordingly, only 6 percent of Americans say they actually understand what companies do with the data collected about them, and 81 percent say they have little or no control over the data that companies collect about them.
With the commodification of data over the past decade, centralization of big data in the hands of companies that hold information about consumer behavior, movement, and basic personal facts already presents privacy risks. When citizens consent to data collection, they make their personal information vulnerable to misuse and third party sales.
What they typically miss, though, is the fact that private companies are not the only entity collecting their data: the government does as well. Examining the ramifications of data privacy laws as well as government access to citizens’ personal information is crucial to understanding how data is being and will be used in the future.
Government Access to Personal Data Undercuts Consumer Consent
When data about human behavior is centralized into easily identifiable databases, companies are not the only entities interested in accessing and utilizing the power of this information. Government agents also want to harness the power of data.
The Supreme Court rule, known as the third-party doctrine, has dominated Fourth Amendment jurisprudence for over forty years. This doctrine holds that an individual loses a reasonable expectation of privacy in information turned over to a third-party, even in circumstances where confidentiality exists, like information held by banking institutions.
Due to the ubiquitous use of technology in society, however, the Court has begun to recognize a growing societal expectation of privacy in consumer data. In 2018, the Court held that individuals have a reasonable expectation of privacy in cell-site location information (CSLI), requiring government agents to obtain a warrant before accessing this data. The surveillance capabilities of cell phone location data were a consideration for the Court, and remain a contentious element of disputes over the growing use of law enforcement practices.
Despite legal rulings expanding recognition of individual privacy, public entities such as police are moving in the opposite direction. The government sees the value of accessing consumer databases containing digital data collected and stored in the private marketplace. The investigatory power of various data points tracking individual behavior has led to novel criminal investigative techniques, including reverse warrants.
Unlike traditional warrants that seek information related to specific suspects already implicated in criminal activity, reserve warrants search for a suspect by combing through data relevant to the underlying crime, not the criminal. Technology companies, like Google and Facebook, are among the most common recipients of these search requests.
Federal judges are grappling with the constitutionality of reverse warrants, with some rejecting them as constitutionally void. In addition, the application of reverse warrants is not limited to location information. Indeed, the first lawsuit challenging the constitutionality of reverse warrants requesting Google keyword searches was filed earlier this year.
Even more concerning is the way the government surveils citizens via social media platforms. As the US Supreme Court said, “social media allows users to gain access to information and communicate” on any subject, and that “foreclosing access to social media altogether thus prevents users from engaging in the legitimate exercise of First Amendment rights.” Yet federal agencies such as the DHS, FBI, State Department, USPS, IRS, SSA, and many more all use social media monitoring. Lack of government transparency and room for individual action indicate the government’s revealed preference, which is that consumer privacy is not a priority.
Current Laws Further Enforce the Privacy Problem
Despite the U.S. already having the Federal 1974 Privacy Act, new data privacy policies have begun sprouting across states, with California’s CCPA leading the way. These regulations do little in shaping consumers’ understanding of risks associated with data collection. Unsurprisingly, Pew Research Center’s Nov 2019 study found that “among all U.S. adults, only 8 percent say they understand privacy policies a great deal.”
Mainstream conceptions of privacy tend to be static. They cannot be altered unless individuals are immediately and tangibly impacted by, for instance, an employer firing them due to a political thought the individual posted publicly. In contrast to real world conversations, self-disclosure on the Internet is replicable, scalable, searchable, and shareable, and thus poses risks to those who operate without awareness of potential privacy violations.
Although the extent to which the information is shared was unknown in the past, concerning real-world application of this has come to light in recent years. For example, through “an analysis of app data signals correlated to [his] mobile device,” Catholic priest Monsignor Jeffrey Burrill was outed in July 2021 for using Grindr “on a near daily basis” for years.
It is concerning, therefore, that such a large portion of adults default to government intervention as a means of solving data privacy issues. Excessive government control in this context makes it very difficult for individuals to maintain privacy over their personal information. This leads to dangers of information misuse, and gatekeeping methods for obtaining privacy quickly and easily.
These privacy laws require closer inspection and improved revisions. Sending a consent notice isn’t going to functionally change how consumers understand privacy laws or alter how they behave. The already-porous boundary between government and private companies violates consumer privacy, and new laws such as the Utah Consumer Privacy Act will not change this dynamic.
No real incentive exists for the government to prioritize consumer privacy, so these laws typically provide political gain, rather than benefit the broader public. Using consumer data as a political football, to attempt to initiate different “Privacy Acts” that aren’t going to do anything for consumers to begin with, is an inefficient use of resources.
Furthermore, data privacy laws focus on regulatory frameworks that exacerbate the already-entangled relationship between corporations and state actors, because the government is empowered with enforcement authority over companies. The law manipulates firm behavior through regulation, as laws giving the government the power of enforcement over companies for consumer data privacy violations inevitably alter firm behavior. To avoid high cost non-compliance fines, firms now have an incentive to tailor business practices to the government rather than the public. Overall, large tech companies’ possession of databases that governments want reinforces this circular relationship.
Privacy laws do nothing to prevent the government from accessing information collected in the private sphere. Instead, businesses will be burdened with additional layers of red tape while government agents enjoy easy access to the databases they want to tap. In the end, the government wins and existing corporate powerhouses still benefit, but citizens, as usual, are left in the dust.