[First published in the blog of the Berkeley Technology Law Journal, on June 22, 2016]
Contemporary consumer privacy law in the United States is largely based on the Fair Information Practice Principles (FIPPs). These FIPPs are conceptually challenged by the “Internet of Things,” the digital ecosystem where sensors embedded in everyday physical objects – from watches and shoes to refrigerators and roads – communicate with each other over the Internet. If consumer privacy law is to survive in the twenty-first century, many believe that either this conflict must be resolved or an entirely new approach to consumer privacy must be devised.
The FIPPs refer to principles that govern the manner in which personal data may be collected, used, accessed, secured, and disclosed. There is no single and uniform set of principles that applies to all situations. For instance, the Department of Homeland Security prescribes a set of eight principles to be followed by its constituent agencies but the Federal Trade Commission (FTC) has only articulated a set of four core principles for consumers seeking a good or service over the Internet.
There is overwhelming evidence that the notice and choice model has failed because consumers rarely read privacy policies or exercise actual choice. The principles of purpose limitation and data minimization, which the FIPPs do not explicitly mention, are baked into the notice and choice model. The purpose limitation principle calls for personal data to be used commercially only in accordance with clearly specified purposes to which consumers must consent before their data is collected. The data minimization principle calls for collecting the smallest possible amounts of data necessary for achieving the specified purposes. But as Internet-enabled devices multiply and interconnect, ever larger datasets are created that negate the data minimization principle, and new uses for personal data are found which contradict the purpose limitation principle.
The Internet of Things
The multiplicity of Internet-enabled devices is creating the Internet of Things. Its interconnectivity facilitates the collection of vast amounts of data, which is then analyzed to determine, amongst other things, consumer behavior. The Internet of Things offers significant benefits to consumers while posing serious risks. The FTC has identified significant risks the Internet of Things poses to security and privacy. A major privacy risk relates to the sheer volume of granular data that is generated, much of which will be very private.
On the other hand, the interconnection of devices provides consumers with more potentially useful information. For instance, in a system with interconnected cars and roadway infrastructure, the near-simultaneous sharing of information regarding traffic and road conditions can help avoid accidents, save fuel, and increase efficiency.
The Conflict Between FIPPs and the Internet of Things
The data protection principles discussed above – notice, choice, data minimization, and data security – conflict with the Internet of Things. The pre-existing tensions in the notice and choice model are compounded in the Internet of Things where numerous devices routinely collect unprecedentedly large amounts of personal data of consumers. If each instance of data collection were preceded by a notice forcing consumers into potentially hundreds or thousands of active choices, the notice and choice model would rapidly collapse. To add a further layer of complication, in a highly interconnected network, the sensor-embedded object that uses personal data may be several degrees removed from the consumer, making it difficult to seek consent as large volumes of data are fluidly shared across the network.
Cybersecurity expert Bruce Schneier has described the Internet of Things as “wildly insecure.” The traditional computer security problem of unauthorized access to and misuse of personal data is amplified in the Internet of Things because of the proliferation of poorly secured devices. Because devices are interconnected, a security vulnerability that permits unauthorized access into one device compromises all other connected devices. When such hacking occurs in a car while it is being driven, for instance, the threat of death or injury is greater.
Since it is premised on expansive data collection and big datasets, the Internet of Things may make the principle of data minimization redundant. Technology manufacturers argue that because the exact consumer benefits of the Internet of Things will only be known once large datasets are assembled and analyzed, it is currently impossible to predict future data uses. It follows that it is not possible to minimize data collection to fit an unknown future use of data. Additionally, like big data, the Internet of Things may suffer from the problem of poor data quality.
The Harm-Based Approach
The failures of the market-based, notice and choice approach have prompted the advocacy of the harm-based approach to consumer privacy. Samuel Warren and Louis Brandeis first advanced the notion that privacy invasions harm individuals in their celebrated 1890 article on the right to privacy.
In contemporary data privacy, there are different theories of privacy harms. One such theory classifies data practices that impinge upon privacy on the basis of how “problematic” they are. Another theory proposes the creation of a privacy harm test on the basis of subjective expectations and objective violations of privacy. Still another theory updates William Prosser’s fourfold classification of privacy torts, which was made before the age of computers, to the twenty-first century.
According to Daniel Solove, there are three types of privacy-related harms. These arise from data breaches, loss of privacy resulting in identity theft and similar injuries, and data privacy violations that incur the expenditure of personal time and money. However, absent a showing of “visceral and vested” harm, courts have been reluctant to enforce remedies for privacy invasions in pursuance of the harm-based approach.
The harm-based approach shifts the focus of consumer privacy law from companies and the market to individuals by protecting them from specific harms such as physical insecurity, economic injury, and the distress caused by unwanted privacy intrusions. The Do Not Call registry is perhaps the most successful application of the harm-based approach to consumer privacy. Looking ahead, the harm-based approach may offer the most coherent basis to intelligently regulate the Internet of Things.