Today, the California Privacy Protection Agency (CPPA) published a large advertisement in the San Francisco Chronicle encouraging people to exercise their privacy rights. “The ball is in your court,” the ad declared. (H/T Paul Schwartz)
While I admire the CPPA’s effort to educate, the notion that the ball is in the individuals’ court is not a good one. This puts the on individuals to protect their privacy when they are ill-equipped to do so and then leads to blaming them when they fail to do so.
I wrote an article last year about how privacy laws rely too much on rights, which are not an effective way to bring data collection and use under control: The Limitations of Privacy Rights, 98 Notre Dame Law Review 975 (2023).
Individual privacy rights are often at the heart of information privacy and data protection laws. Unfortunately, rights are often asked to do far more work than they are capable of doing. Rights can only give individuals a small amount of power. Ultimately, rights are at most capable of being a supporting actor, a small component of a much larger architecture.
I advance three reasons why rights cannot serve as the bulwark of privacy protection.
- Rights put too much onus on individuals when many privacy problems are systematic.
- Individuals lack the time and expertise to make difficult decisions about privacy, and rights cannot practically be exercised at scale with the number of organizations than process people’s data.
- Privacy cannot be protected by focusing solely on the atomistic individual. The personal data of many people is interrelated, and people’s decisions about their own data have implications for the privacy of other people.
The main goal of providing privacy rights aims to provide individuals with control over their personal data. But this turns into a series of endless chores that are too onerous and difficult to do – and often rather pointless. When individuals fail to exercise their rights, then they are blamed for not caring about privacy.
As I wrote: “Rights can’t empower individuals enough to equalize the power imbalance between individuals and the organizations that collect and use their data. Effective privacy protection involves not just facilitating individual control but also bringing the collection, processing, and transfer of personal data under control.”
Ultimately, for protecting privacy, the ball is not “in your court.” It’s the responsibility of the companies that gather, use, and transfer your personal information. It’s the responsibility of the law to hold these companies accountable.
For more elaboration on these points, see my article: The Limitations of Privacy Rights, 98 Notre Dame L. Rev. 975 (2023). It is available free as a download here.
* * *
Professor Daniel J. Solove is a law professor at George Washington University Law School. Through his company, TeachPrivacy, he has created the largest library of computer-based privacy and data security training, with more than 150 courses. He is also the co-organizer of the Privacy + Security Forum events for privacy professionals.
Professor Solove’s Newsletter (free)
Sign up for Professor Solove’s Newsletter about his writings, whiteboards, cartoons, trainings, events, and more.
Pre-Order Prof. Solove’s forthcoming book,
ON PRIVACY AND TECHNOLOGY
