EPIC Report on Privacy Self-Regulation
Chris Hoofnagle of EPIC has written an interesting report entitled “Privacy Self Regulation: A Decade of Disappointment.” Not surprisingly, given EPIC’s general stance (and the title of the report), Hoofnagle concludes that industry self-regulation of online privacy has failed. Therefore, Hoofnagle calls for greater online privacy regulation by the FTC.
However, comments like this one from page 5 catch my attention: “Ten years later, online collection of information is more pervasive, more invasive, and just as unaccountable as ever—and increasingly, the public is anesthetized to it.”
Privacy advocates must acknowledge consumers’ general malaise in protecting their privacy (as Hoofnagle does in the report). But what explains this lackadaisical attitude? Is it because protecting privacy is too hard? Because consumers cannot accurately calculate the cost/benefit of their choices? Because consumers lack meaningful alternatives in the marketplace?
There’s another possible explanation of consumer “anesthetization” about online privacy issues. Perhaps consumers do not care about privacy as much as privacy advocates do. Many consumers have complex and possibly inconsistent attitudes towards “privacy,” often simultaneously saying they want privacy but responding to benefits available only through disclosures and other technologies or techniques that EPIC would label intrusive. How can we balance consumers’ duality?
I am becoming increasingly skeptical of the Fair Information Practices, which privacy advocates have lauded for decades. While survey evidence often shows that consumers say they like the practices, there is also some compelling social science—including, most importantly, behavioral studies—suggesting that the practices do not necessarily reflect what consumers value or care about. At minimum, I think we should be careful assuming that privacy regulations built on the Fair Information Practices truly improve social welfare. I hope to get to this topic in a future paper.