The Future of Data Privacy

Story Stream
recent articles

The state of Virginia just passed a data privacy law. The law applies to all entities that do business in Virginia that control or process personal data of at least 100,000 residents or that earn at least 50 percent of gross revenue from the sale of personal data and control or process data of at least 25,000 residents. Among other things, it gives consumers the right to opt out of having their data used for targeted advertising and requires firms to gain affirmative consent to process “sensitive data concerning a consumer” as defined in the text of the bill. Virginia is the second state to regulate data privacy at the state level, following California which passed similar legislation in 2018.

State regulation of data privacy could lead to inconsistent standards that according to Jennifer Huddleston might “splinter the internet” and raise costs. It would be better to have more uniform federal regulation of privacy, but care must be taken to make sure that the regulation is not too strict.

Heavy-handed regulation of privacy, such as the European Union’s General Data Privacy Regulation (GDPR), discourages the mutually beneficial exchange of information that has facilitated the growth of online markets. It makes it harder for internet platform companies to use the data they collect about users to earn advertising revenue that covers the cost of providing users with information and services that they value. In the process, it makes it more difficult for smaller startup firms to compete with giants like Google, Amazon, and Facebook.

Survey evidence suggests that most Americans do not like the way marketers gather and process data about them. But few people are willing to stop using search engines, social media and other digital platforms that track them and use their data.

Privacy proponents contend that the Virginia law does not do enough to protect privacy, because firms can still collect personal data from users unless they opt out. It allows businesses to charge higher prices or provide lower quality services to those who opt out of having their data collected and used for targeted advertising, “creating two classes of Virginians” according to the Consumer Federation of America.

Most kinds of privacy regulation give significant advantages to large incumbent firms. Such firms can afford lawyers to find ways to comply with new regulations and exploit loopholes so they can continue to collect enough to data to be profitable. Stricter privacy rules would likely discourage innovation and reduce competition in online markets. For example, a rule requiring users to opt-in to share their data would favor firms with a large existing customer base, since those firms have accumulated enough goodwill with many users to persuade them to continue providing their data. But smaller firms and startups trying to compete with firms like Facebook or Google by providing free services would have a difficult time getting enough customers to opt-in to data collection so that they could cover the costs of providing those services.

One of the most important purposes of the internet is the collection, processing and sharing of information. According to Ben Thompson of Stratechery, “The default state of the internet is the endless propagation and collection of data.” This personalized data collected about users has made it possible for firms producing niche products to succeed by selling to customers all over the world with nothing in common, except for a shared desire to purchase specific products. The result is a greater variety of goods and services tailored to individual preferences instead of the lowest common denominator products that could be sold to a mass market in the era before the internet.

Although Federal government policy towards privacy needs to be reformed to provide greater certainty about what constitutes a privacy violation, the existing approach of relying on the Federal Trade Commission to enforce privacy rules has some advantages over increased regulation at the state level or new federal regulation similar to Europe’s General Data Protection Regulation (GDPR). The GDPR takes a highly prescriptive approach, spelling out in advance what is and is not permissible, discouraging innovative approaches to protect privacy. The FTC focuses on identifying violations and assessing fines after violations occur rather than examining data activities that are possible sources of privacy violations and prohibiting those activities in advance. To effectively enforce privacy policy, however, the FTC needs more resources, including personnel whose time is devoted to that effort.

Part of any strategy for improving privacy is to empower consumers so they can learn how their personal data is being collected and used and gain more control over it. Those who collect data should have a transparency obligation, so they are accountable to consumers for what they do with their data. Rather than strict regulation that only big tech companies can afford to comply with, it’s important to give those firms that want to provide services (in exchange for data) an opportunity to earn the trust of their users. This will facilitate competition so the digital economy can continue to grow and provide innovative goods and services.

Tracy C. Miller is a senior policy research editor with the Mercatus Center at George Mason University. He is the author of a forthcoming Mercatus Center working paper on “Evaluating Arguments for Antitrust Action Against Tech Companies.”

Show comments Hide Comments