Computers, Privacy & the Constitution

Strides and Missteps Toward Consumer Anonymity

-- By KatiaBogomolova - 16 Mar 2021

Introduction/Overview - Anonymity or Privacy?

"We didn't build the net with anonymity built in. That was a mistake." -Eben Moglen at re:publica, Berlin, May 2, 2012.

In the current system, digital anonymity sounds like an oxymoron. Accessing the Web from nearly anywhere in the United States pre-supposes -- despite constitutional guarantees of privacy and protection against searches -- near total exposure. From technologies overtly aimed at removing individual privacy to more covert or removed data mining operations (through social networking sites and the like), a consumer's identity, once digitized, attaches to them immutably. In our ever more digitized society, it becomes increasingly difficult for consumers to say no to surveillance. However, existing and expanding public pressure may force corporate America to make room for privacy, albeit not full anonymity online. This paper explores the present legislation and corporate projects that seek to enhance online consumer protections online, as well as where we can go from here.

Existing and upcoming laws in the modern digital landscape

When the California Consumer Privacy Act (CCPA) was enacted in 2018, it generated a mixed response. The CCPA gives consumers greater control over the information that businesses may collect about them, as well as how this information may be used. Among others, the Act gave the consumer the right to know what information the business is collecting, using and sharing, to delete collected personal information (with exceptions), to opt-out of the sale of this information to a third party, and to non-discrimination for exercising a right under this Act. To some, the CCPA marked a significant stride in the direction of greater privacy; an important one since the 2006 creation of The Payment Card Industry Security Standards Council (PCI SSC). Others, however, had their doubts. Business periodicals and bloggers, alike, mused about the potential drawbacks of the CCPA, from driving up compliance costs enough to drive small and mid-size companies out of business, to potential unconstitutionality by way of the Commerce Clause. A third group of critics opined that the Act did not go far enough, but possessed the redeeming quality of potential to catalyze other states into advancing their own consumer privacy protections.

Group three was correct. In February of this year, the Virginia Senate unanimously passed the Virginia Consumer Data Protection Act (VCDPA). As of March, both Florida and New York are considering similar legislation aimed at regulating data collection from consumers. California doubled down on its commitment to safeguard privacy by passing a new law to expand CCPA protections —— the California Privacy Rights Act (CPRA). Both the CPRA and VCDPA will be effective as of January 1, 2023. Although similar in intent and scope, the Virginia law differs from that of California, aligning more closely with the European Union’s General Data Protection Regulation (GDPR) in a few key ways. Notably, it does not stipulate a revenue threshold for VCDPA compliance. The Virginia Act also requires businesses to conduct data protection assessments and formulate data processing agreements to govern their consumer operations. There are, of course, tradeoffs between the protections offered by these two acts —— Virginia's provides on-paper protection within the scope of contract law, but leaves enforcement entirely up to the state Attorney General without providing consumers a private right of action (in a departure from the CCPA).

It is clear, however, that the existence of this legislation has accelerate the push toward greater privacy protections around the country. The proposed New York bill combines the most protective elements of both the Virginia and California options, placing a fiduciary obligation on businesses that collect and use consumers' personal data. A fiduciary obligation necessarily would increase the legal standard that is applied to claims. According to NYPA §1102(1), the business has a duty to act in the best interest of the owner of its collected data, regardless of the effect on its own business operations. The bill also provides for a private right of action (per CA) and applies to business entities without a minimal revenue threshold (per VA).

Applying precedent to look forward and increase online privacy.

Perhaps future systems of protection can draw inspiration from SCOTUS's varied definitions of a "search" under the Fourth Amendment. By application, Riley v. California perhaps made a dent in the unrestricted access to "private" information on the Web. The Court held that in an arrest, information found to be in the "cloud," i.e. accessible via phone but not inherently on it, cannot be considered "on the arrestee's person." To this end, the government is forbidden from surveilling such information stored in the cloud (unless the government's interests are so compelling that a search would be reasonable). This decision relates to consumer privacy in a few ways: 1) The government, like for-profit corporations, is a self-interested entity where data collection is concerned. Efforts to curtail corporate access to private consumer data should be, at the least, matched by legislated protections against government usage of private information. 2) The limit set by Riley to the government's access to information in the cloud is already generating a ripple effect of enhanced privacy protections (such as new considerations for school administrators accessing students' phones, among other things). States can learn from some of these instances in legislative effective consumer protections.

Also, the Court found in United States v. Jones and Carpenter v. United States that the use of GPS or cell phone signal triangulation to track a suspect without a warrant is unconstitutional. It follows that the government, as an entity, cannot constitutionally keep tabs on a suspect's geographic location at all times may constitute a violation. Although applied differently in a civil context, as government surveillance of a suspect's location may result in a deprivation of liberty, states can look to the implications of this privacy violation to encode tangible protections against private actors committing the same. Perhaps, as more specific cases arise, the Court may set the parameters of constitutional violation more clearly, as they pertain to private businesses' use of consumer information.

What are businesses and consumers doing? What else can be done?

Corporations, often motivated by intensive public opinion, are themselves looking for ways to enhance privacy — or at the least, "privacy theatre" (the staging of privacy in some kind of space). For example, the cybersecurity department at Lowe's recently hired a specialized, chief privacy officer to work with the company's general counsel. With her oversight, the cybersecurity team's goal is to lock down corporate users with access to customer data, reducing this access significantly. Such action was compelled by the public and the state government of California, alike. The existence of the CCPA (and upcoming legislation) accelerated this process.

Furthermore, a study by McKinsey? & Company revealed that consumers are exercising greater care in providing information to companies. Often, this extra caution may impede the revenue-generating business models on which companies have consistently relied. Advertising revenue, in particular, falls when businesses can no longer target consumers based on a wealth personal data. According to the study, individuals today feel most comfortable providing information to healthcare and financial services providers, but no industry has surpassed a trust rating of 50 percent; "Only about 10 percent of consumer respondents said that they trust consumer-packaged-goods or media and entertainment companies." As McKinsey? is a consultancy firm, it is incentivized to help businesses maneuver these trust issues and challenges for profit. However, the proliferation of new privacy laws around the country seems to suggest escalating public pressure to curtail excessive data collection and manipulation.

Individuals are also trying to better arm themselves against privacy violations. The use of VPNs and systems such as FreedomBox? are aiding in this endeavor. At the least, there is greater awareness of data misuse, which is likely to inspire more universal security.

Conclusion

Although it isn't perfect, new legislation and regulation can strengthen privacy protections enough to bring the concept of true digital privacy closer on the horizon. As consumers grow increasingly wary of data misuse by private companies, California is paving the way for state legislators to (slowly) respond to their constituents' concerns.


You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.

Navigation

Webs Webs

r5 - 19 May 2021 - 23:45:56 - KatiaBogomolova
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM