California. Hawaii. Maryland. Massachusetts. New Mexico. New Jersey. New York. North Dakota. Rhode Island. Washington. The last time I checked, each of these states had introduced draft “privacy legislation” to address the rights of consumers online. While Washington State has introduced a GDPR-style proposal, most states have put forth copycat legislation along the lines of the California Consumer Privacy Act. In addition to the draft state laws, there have also been a number of calls for comprehensive federal legislation. Yet, despite this deluge of draft “privacy” proposals, we are still not having a meaningful conversation about our privacy in an increasingly digital world.
While these measures represent a positive expression of consumer sentiment and political will, they do not approximate meaningful privacy protections for individuals because they only address data privacy. The difference between privacy and data privacy is not a question of semantics. To varying degrees, the proposals listed above address our rights in relation to data that we have shared “online,” requiring things like enhanced transparency in privacy policies, better notice and consent, improved access rights, and robust data security measures to protect your data that’s been collected by companies. These proposals are fundamentally about data — how it’s collected and shared, and how it is treated and protected once it’s been collected or shared — in the context of our known commercial or contractual relationships with digital intermediaries.
While important, it’s naive to think that we can contain digital invasions of our privacy by merely regulating these commercial relationships. We already know that companies, like Facebook, track users as well as nonusers who are not registered with the platform, that advertisers build shadow and inferred profiles on individuals who have never shared any data directly, that individuals are targeted for their membership, or perceived membership, in a certain population or group, and that negative inferences can be drawn in the absence of the individual’s participation or not. Demystifying privacy policies, enhancing notice and consent, and providing access to and transparency in the data we’ve shared are irrelevant and impotent measures when we are exploited outside of our contractual or commercial relationships.
The reality is that we are being tracked, targeted, stalked, and harassed by commercial actors via digital means, whether or not we have direct contractual relationships with them. Advertisers are routinely targeting and profiling “audience segments” on the basis of gender or race — for example, junk food ads are disproportionately targeted at black and Hispanic youth. Our location data, biological markers, and other personal information is now captured not just by our digital devices — including smartwatches, mobile devices, fitness trackers with a lack of transparency about their design or motives — but also through cameras, beacons, facial recognition technologies, and other digital tools that we did not purchase or acquire. For these reasons, the real privacy invasions in the digital space cannot be contained with data privacy laws. And they cannot be contained by a myopic focus on our data.
In general, we do not tolerate tracking, targeting, profiling, and stalking in the real world. When we do, we expect these measures to be subject to significant limitations and procedural hurdles imposed by law. For example, racial profiling and targeting, when conducted by law enforcement, are subject to constitutional challenges on equal protection grounds and freedom from unreasonable search and seizure per the Fourth amendment. In Grady v. North Carolina, the Supreme Court held that North Carolina’s satellite-based, ankle bracelet monitoring program effectuated a “search” within the meaning of the Fourth amendment because it was “plainly designed to obtain information” and “does so by physically intruding on a subject’s body.”
The legal constructs of privacy are rooted in civil, political, and human rights that are aimed at promoting individual autonomy by limiting intrusions and interferences with our persons, families, bodies, homes, and certain personal effects. Real privacy preserves a space around the individual to think, feel, and act for him or herself. Real privacy cannot be negotiated through commercial terms and contracts. While I welcome the conversations motivated by the various draft data privacy proposals on the table, we need to have a much bigger conversation about privacy in relation to our increasingly digital lives. If we don’t, our data may end up having more privacy protections than we do.