In an August op-ed for The Hill, McGill University Assistant Professor of Law Ignacio Cofone echoed some of the same concerns as our Privacy for America coalition that the existing notice and consent model of privacy regulation fails to properly serve consumers and prevent harm.
“Privacy law has a problem,” he wrote. “It ignores privacy harm. While new and proposed regulations such as the CCPA can help consumers in meaningful ways, they suffer from significant deficiencies in their ability to meaningfully protect people’s privacy by ignoring harm, deficiencies that are in dire need of revisiting. Fixing them requires giving harmed individuals the spotlight; it requires rethinking the prohibition of activities that do not cause harm and stop ignoring those that do by granting the right to sue.”
A lot of privacy laws and regulations, like the European Union General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), “largely measure harm through regulated conduct: It does not matter whether a victim was harmed, but whether someone behaved in a way forbidden by the regulation. This approach avoids the seemingly difficult task of identifying privacy harm. But victims in this paradigm fade into the background: Companies are sanctioned for processing people’s personal information without authorization, independently of whether anyone was harmed. When someone is harmed, she can complain to her local data protection authority, but whether and how they investigate is their prerogative. This sometimes leads to over-patrolling individuals when they do not produce harm, and to leaving victims that did suffer harm without recourse.”
While we differ with Professor Cofone on private litigation as an important solution, we agree with him that new privacy laws need to focus on privacy harms – identifying them clearly so that companies can avoid them and providing effective means for punishing harms to consumers.