Privacy should be regulated. The important question is
"Who should regulate it?" There are at least three levels at which privacy
could be regulated, each with benefits and drawbacks.
The most obvious place to regulate privacy, if not the
best, is at the governmental level. Governments are in the business of
writing laws and regulations, and people look to governments
to lay down clear rules that prevent harms to the public. When it comes
to privacy, however, governments are subject
to at least two important disabilities.
First, they are not well equipped to find and
enforce rules that accommodate the different levels of privacy that different
consumers may want. Where some consumers may have very strict senses of
privacy, others have significantly fewer reservations about revealing personal
information and receiving the benefits of unvarnished participation in
commercial life. Administrative regulation would not accommodate this wide
range of consumer desires. It would also probably
cut off new uses of information that do not cause harm to the public.
One-size-fits-all
privacy standards would assuredly chill innovation in information-based industries.
These are great engines of progress, diverse, and changing too rapidly
to be captured by even the best thought-out regulation. For this reason, the
United States government has recommended that other governments resist top-down
regulatory controls.
A second disability on government is the First Amendment,
which strictly limits how governments (in the United States, at least)
may control many types and uses of information. It is inconsistent with
the Constitution, and important American values, to prevent information
from being collected, shared, and disseminated.
Another level at which to regulate privacy, one much-ballyhooed
and discussed, is at the industry level. Industries can develop principles
and practices that reflect consensus on the best approach to privacy. In
"industry self-regulation," a network of leading companies may require
their business partners to meet industry standards on privacy.
Self-regulation has
the benefit of flexibility not found in government regulation, and it also
is not constrained by the First Amendment. Self-regulation, however, is
often criticized by those skeptical of business as "letting the fox guard
the chicken coop." It also creates some danger to consumers because rogue
companies that do not follow industry standards may take advantage of a
complacent public.
Finally, there is market or consumer regulation. Consumers
are in the best position to know their desires with respect to privacy,
and they are in the best position to enforce the terms of their desires
through their choices in the marketplace. One of the key advantages of
this form of regulation is that it is already in use and has been operating
with success for years.
There should be no mystery to market regulation. Each
of us participates in it every day by gravitating to offerings that satisfy
us and by avoiding those that do not. In the case of privacy, consumers may
choose whether or not to deal with businesses who promise them a given level
of privacy. Businesses who offer privacy that pleases consumers succeed.
Those who do not offer satisfactory privacy guarantees are ignored, quietly
pushed to the margins of the economy, and put out of business.
Market regulation
is backed up by a number of laws, including the privacy torts which
encompass established societal norms about information use. When a company
violates a privacy promise it has made to consumers, it may have to answer
to fraud and misrepresentation charges, breach of contract claims, or other
legal actions.
One of the strongest criticisms of market regulation is
that consumers are not always offered privacy options when they are invited
to do business. This is not a valid criticism. Consumer choice extends
to deciding whether to deal with a business that does not state a privacy
policy. Though many consumers claim to be very concerned about privacy,
many are cavalier about their personal information when asked to share it.
They are entitled to be very concerned, cavalier, or ignorant. Consumer choices
in the marketplace will accurately reflect their interests, and businesses
will gravitate to the practices that satisfy them.
Links:
Enforced Standards Versus Evolution by General Acceptance:
A Comparative Study of E-Commerce Privacy Disclosure and Practice in The U.S.
and The U.K.; Karim Jamal et al., AEI-Brookings Joint Center on Regulatory
Studies (July 2003)
Want Privacy? Don’t Look To New Laws; Seek Self-Protection, by Duane
D. Freese, Tech Central Station (February 12, 2001)
On Privacy, One Size Doesn’t Fit All by James Glassman, Tech Central
Station (October 23, 2000)
Protecting Your Privacy: Who Should Do It? by Sonia Arrison, Pacific Research Institute (January 18, 2000)
Self-Regulation: Regulatory Fad or Market Forces? by Solveig Singleton, Cato Institute (May 7, 1999)
Comments? comments@privacilla.org
(Subject: HowToRegulate)
[updated 07/26/03]
