The current regulatory approach for protecting privacy involves what I refer to as the “privacy self-management model” -- the law provides people with a set of rights to enable them to decide for themselves about how to weigh the costs and benefits of the collection, use, or disclosure of their information. People’s consent legitimizes nearly any form of collection, use, and disclosure of personal data.
Although the privacy self-management model is certainly a laudable and necessary component of any regulatory regime, I contend in this essay that it is being asked to do work beyond its capabilities. Privacy self-management does not provide meaningful control. Empirical and social science research has undermined key assumptions about how people make decisions regarding their data, assumptions that underpin and legitimize the privacy self-management model.
Moreover, even if individuals were well-informed and rational, they still cannot appropriately self-manage their privacy due to a series of problems. For example, the problem of scale involves the fact that there are too many companies collecting and using data for a person to be able to manage privacy with every one. The problem of aggregation involves the fact that privacy harms often consist of an aggregation of disparate pieces of data, and there is no way for people to assess whether revealing any piece of information will sometime later on, when combined with other data, reveal something sensitive or cause harm. The essay also discusses a number of other problems.
In order to advance, privacy law and policy must confront a complex and confounding paradox with consent. Consent to collection, use, and disclosure of personal data is often not meaningful, and the most apparent solution – paternalistic measures – even more directly denies people the freedom to make consensual choices about their data. No matter which direction the law takes, consent will be limited, and a way out of this dilemma remains elusive.