Lauren E. Willis, Why Not Privacy by Default?
Comment by: Michael Geist
Workshop draft abstract:
We live in a Track-Me world. Firms collect reams of personal data about all of us, for marketing, pricing, and other purposes. Most people do not like this. Policymakers have proposed that people be given choices about whether, by whom, and for what purposes their personal information is collected and used. Firms claim that consumers already can opt out of the Track-Me default, but that choice turns out to be illusory. Consumers who attempt to exercise this choice find their efforts stymied by the limited range of options firms actually give them and technology that bypasses consumer attempts at self-determination. Even if firms were to provide consumers with the option to opt out of tracking completely and to respect that choice, opting out would likely remain so cumbersome as to be impossible for the average consumer.
In response, some have suggested switching the default rule, such that firms (or some firms) would not be permitted to collect (or collect in some manners) and/or use (or use for some purposes) personal data (or some types of personal data) unless consumers opt out of a “Do-Not-Track” default. Faced with this penalty default, firms ostensibly would be forced to clearly explain to consumers how to opt out of the default and to justify to consumers why they should opt into a Track-Me position. Consumers could then, the reasoning goes, freely exercise informed choice in selecting whether to be tracked.
Industry vigorously opposes a Do-Not-Track default, arguing that Track-Me is the better position for most consumers and that the positive externalities created by tracking justify keeping that as the default, if not unwaivable, position. Some privacy advocates oppose both Track-Me and Do-Not-Track defaults on the grounds that the negative externalities created by tracking justify refusing to allow any consumers to consent to tracking at all.
Here I caution against the use of a Do-Not-Track default on different grounds. Lessons from the experience of consumer-protective defaults in other realms counsel that a Do-Not-Track default is likely to be slippery. The very same transaction barriers and decisionmaking biases that can lead consumers to stick with defaults in some situations can be manipulated by firms to induce consumers to opt out of a Do-Not-Track default. Rather than forcing firms to clearly inform consumers of their options and allowing consumers to exercise informed choice, a Do-Not-Track default will provide firms with opportunities to confuse many consumers into opting out. Once a consumer opts out of a default position, courts, commentators, and the consumer herself are more likely to blame the consumer for any adverse consequences that might befall her. The few sophisticated consumers who are able to effectively control whether they are tracked will benefit, but at the expense of the majority who will lack effective self-determination in this realm. A Do-Not-Track default might be a necessary policy way station en route to a scheme of privacy-protective mandates for political reasons, but it also might defuse the political will to implement such a scheme without meaningfully changing the lack of choice inherent in today’s Track-Me world.
I use “track” to mean all forms of personal data collection and use beyond those that are reasonably expected for the immediate transaction at hand. So, for example, a consumer who provides her address to her bank expects it to be used for the purposes of mailing her information about her accounts, but does not expect it to be used to decide whether or at what price to offer her auto insurance.