Operationalizing Consumer Privacy Rights

Justin Hendrix was kind enough to publish today an article that I wrote entitled “Let’s Make Privacy Easy” on his site Tech Policy Press. He also interviewed me on his great podcast The Sunday Show that aired this past Sunday, and the transcript of the interview can be found here. Tech Policy Press was a great resource for me during the writing of my book Containing Big Tech (which is officially available tomorrow!) and in the Acknowledgements section of my book I explicitly shouted out Justin and various Tech Policy Press contributors including Dr. Jennifer King (whom I am pleased will join me on August 28th on a LinkedIn Live that I am hosting entitled “The State of US Privacy & AI Regulation”). So, it was certainly a thrill to be interviewed by Justin and be able to be a contributing author to his amazing website, having used it as a “go-to” resource for my book.

In my contributed article “Let’s Make Privacy Easy” I drew upon my blog writings over the years on how we need to focus on the privacy and cybersecurity “user experience” (UX) from a consumer perspective. For example, years ago I called in a blog post for consumer-facing portals here in California for data breach notification, do not track for data brokers, etc. I wrote that particular blog post right after Prop 24 had passed and felt that the California Privacy Rights Act (CPRA) should not be the end of privacy legislation here in California but a great framework to build upon, and that we should build a user interface on top of it so people can fully enjoy the rights given to them by this law. Building upon CPRA is further bolstered by the fact that privacy is an inalienable right here in California. In fact, Prop 24 referenced this constitutional right to privacy in its findings and declarations:

“In 1972, California voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people. Voters acted in response to the accelerating encroachment on personal freedom and security caused by increased data collection and usage in contemporary society. The amendment established a legal and enforceable constitutional right of privacy for every Californian.”

My three suggestions in this most recent Tech Policy Press article involve an opt-out preference signal (e.g., Global Privacy Control), a global deletion mechanism for data brokers (e.g., as encompassed by the DELETE Act, a bipartisan federal proposal, and California Senate Bill 362 (SB 362) aka the California Delete Act), and cracking down on the use of dark patterns. Check out the full article for more details.

Interestingly, this parallels some of the thinking of the California Privacy Protection Agency regarding “operationalizing” consumer privacy rights. In the staff recommendation supporting SB 362, they wrote:

“In staff’s view, this bill is consistent with the Agency’s mission to protect Californians’ consumer privacy. Similar to the CCPA’s existing requirement for businesses to process opt-out preference signals as a valid request to opt out of the sale and sharing of consumer personal information, it seeks to make it easier for consumers to operationalize their privacy rights. Since there are hundreds of data brokers on the data broker registry, it is difficult, if not impossible, for consumers to delete their data with each business one-by-one. This bill will help address that problem by enabling consumers to exercise their deletion rights with respect to these businesses in a single step.”

This dovetails with what the California Assembly Privacy Committee staff analysis wrote about SB 362:

“In sum, it hardly matters that one has deletion rights if, as a practical matter, no one can exercise them”

So, I think the big challenge we have with respect to privacy is how to “make it easier for consumers to operationalize their privacy rights.” Or, as I write in the Tech Policy Press article, “But what good is giving consumers privacy rights if they can’t easily exercise them?” And, as I conclude in the article,

“… consumers overwhelmingly want control over their privacy, and policymakers and regulators should make fulfilling that need just as easy as installing an app or liking a social media post.”

I explore this in more detail in my book Containing Big Tech: namely, that we need to always think about the consumer user experience when doing tech policy.
