Privacy on the books and on the ground.

• Author: Bamberger, Kenneth A.

INTRODUCTION I. REEVALUATING THE DOMINANT CRITIQUE OF U.S. PRIVACY POLICY ON THE BOOKS A. The Dominant Discourse 1. The touchstone for measurement: comprehensive FIPPs-based regulation and enforcement 2. The prevailing critique of U.S. privacy statutes B. Cracks in the Dominant Critique: Indications from Privacy on the Ground 1. External indications of a sea change: the rise of the chief privacy officer II. INVESTIGATING PRIVACY ON THE GROUND: EMPIRICAL EVIDENCE FROM CPO INTERVIEWS A. The Limited Import of the "Rules-Compliance" Approach to Privacy 1. The role of legal rules 2. The shortcomings of rules for privacy decisionmaking B. The Articulation of an Alternative Framing of Privacy 1. Company law 2. Privacy measured by "consumer expectations" 3. Implications of a "consumer expectations "framing: from compliance to risk management C. External Influences on Privacy's Conception 1. Legal developments a. The Federal Trade Commission b. Data breach notification statutes. c. Legal changes and the court of public opinion 2. The role of professionalization in filling in ambiguous definitions of privacy III. CONTEXTUALIZING THE INTERVIEWS: AN ACCOUNT OF PRIVACY ON THE GROUND A. The Roots of a Consumer-Focused Language of Privacy B. The U.S.-EU Divergence: The Timing of Institutionalization C. Regulatory Developments and the Consumer-Oriented Privacy Frame. 1. The Federal Trade Commission and the consumer-protection discourse a. Jurisdictional entrepreneurship b. Developing a consumer expectations metric i. Nonenforcement regulatory tools ii. Bringing investigation and enforcement powers to bear 2. State data breach notification laws and the harnessing of market reputation D. The Turn to Professionals IV. THE IMPLICATIONS FOR POLICY DEBATES A. Implications for the Substantive Debate over Privacy Regulation B. Implications for Debates over Regulatory Form 1. Background debates over regulatory specificity and ambiguity 2. Ambiguity in the privacy sphere CONCLUSIONS: PRIVACY UNDER THE MICROSCOPE INTRODUCTION

Scholars and advocates charge that U.S. law fails to protect privacy adequately. The dominant critique denounces the existing patchwork of privacy statutes as weak, incomplete, and fractured. It decries the absence of an agency dedicated to data protection and the consequent lack of clear guidance, oversight, and enforcement. And it argues that the U.S. privacy framework fails to provide across-the-board procedures that empower individuals to control the use and dissemination of their personal information.

Such critiques present a largely accurate description of the privacy law "on the books." But the debate has strangely ignored privacy "on the ground." Indeed, since 1994, no one has conducted a sustained inquiry into how corporations actually manage privacy and what motivates them.

That year, management scholar H. Jeff Smith released a landmark study of corporate privacy practices, (1) and his conclusions were grim. In the seven corporations studied, the privacy arena was marked by systemic inattention and lack of resources. Policies in important areas were nonexistent, and those that existed were not followed in practice. (2) Executive neglect signaled to employees that privacy was not a strategic corporate issue. Privacy decisions were left to midlevel managers who lacked substantive expertise, played "particularly subservient roles in most privacy discussions," (3) and responded piecemeal to issues as they arose. Privacy considerations were particularly absent in decisions about technological or business developments; in the words of one midlevel manager: "The top executives rarely ask for [privacy] policy implications of ... new uses of information. If anybody worries about that, it's my [midlevel] colleagues and myself. And we don't usually know the right answer, we just try something." (4)

Smith attributed these failures to "ambiguity" regarding the legal meaning of privacy and the requirements governing its protection in the context of corporate data management. (5) In the face of this ambiguity, corporate executives avoided action unless external parties demanded specific new policies and practices. This tendency was exacerbated because privacy was viewed as a goal in tension with core operational aims--an organizational phenomenon made worse by the inherent secrecy around corporate data management.

These findings led Smith to conclude that remedying the problem of corporate inattention to privacy concerns required a "systemic fix," (6) reflecting an ongoing credible threat of either consumer backlash or government scrutiny. More concretely, he argued, the primary objective of regulatory intervention must be "the reduction of ambiguity in the U.S. privacy domain." (7) In light of these objectives--comprehensive, credible and unambiguous external mandates--Smith advocated a suite of reforms reflecting elements of the European approach to privacy protection. (8) He called for the adoption of a uniform set of principles and a framework of more individualized industry codes, based on "Fair Information Practices" Principles (FIPPs). This approach emphasizes vindication of individual rights through mechanisms like notice and consent in decisions about the use of personal information and the creation of a dedicated government board to assist in their implementation. (9) These steps, he concluded, would be necessary to force corporations to devote effective attention to privacy, as had happened with environmental protection. (10)

Smith's concerns have been echoed loudly for fifteen years. While they differ in detail, reform proposals generally concur that increasing the corporate attention and resources devoted to privacy and improving substantive privacy outcomes requires a model of protection adopted throughout Europe: omnibus FIPPs-based privacy principles in law or binding codes, interpreted and monitored by the kind of independent privacy agency for which Smith called.

Yet in their constancy, these proposals to reform "privacy on the books" have largely failed to take account of a more recent sea change in corporate practices "on the ground"--and have thus ignored a curious paradox for normative assessment.

Between 1995 and 2010, corporate privacy management in the United States has undergone a profound transformation. Thousands of companies have created "chief privacy officer" positions, a development often accompanied by prominent publicity campaigns. A professional association of privacy professionals boasts over 6500 members and offers information-privacy training and certification. A robust privacy law practice has arisen to service the growing group of professionals and assist them in assessing and managing privacy. PricewaterhouseCoopers and others conduct privacy audits across multiple sectors. Privacy seal and certification programs have developed.

Hence the paradox. In contrast to the lack of managerial "time and attention" devoted to privacy concerns documented fifteen years ago, corporate practice has promoted direct privacy leadership managing large and well-resourced staffs. Yet these changes cannot be attributed to the prescription born of the dominant critique. U.S. privacy regulations remain fragmented and ambiguous, having failed to shed their siloed and sectoral emphasis. U.S. privacy regulation has largely eschewed a commitment to robust FIPPs. Congress has declined to follow the European model of a dedicated privacy administrator.

This Article, presenting the initial findings of the first empirical research into corporate privacy practices in fifteen years, seeks to address this paradox. It draws on semistructured qualitative interviews with chief privacy officers (CPOs) (11) identified as industry leaders by their peers, government officials, and journalists to consider the following: If corporate attention to privacy seems to have flourished despite the failure to achieve what many believed were policy prerequisites, what has prompted the change? What was the role played by law, as opposed to other forces? And how do firms understand the meaning of privacy, despite external prompts that might seem as, or more, ambiguous as those identified by Jeff Smith fifteen years ago?

As described in Part II, although the leading CPOs we interviewed worked at heterogeneous firms, their responses evidenced considerable coherence on several points. First, they consistently reflected a profound shift in the definition of privacy and its treatment. Each of the corporate privacy leaders defined information privacy as more than "informational self-determination" protected by formal notice and consent, introducing a substantive notion of privacy rooted in consumer expectations. They understood the meaning of "privacy" to depend on the beliefs and assumptions of consumers as to the appropriate treatment of individual information and personal identity--expectations that evolve constantly and change by context. The success of privacy protection, then, would be measured not by the vindication of notice and consent rights, but in the actual prevention of substantive harms, such as preventing data breaches, or treating information in a way that protects the "trust" of those whose information is at stake. The identification of privacy with consumer expectations as reflected in malleable context-dependent norms, moreover, has moved privacy from a compliance-oriented activity to a risk-assessment process, requiring firms to embed privacy in decisions about product design and market entry, as well as policy development.

Second, the interviews uniformly pointed to the importance of law in this definitional shift. While individual U.S. sectoral statutes and the EU Data Protection directive were credited in some instances for firms' initial commitment of resources and personnel, and for the establishment of a regulatory floor, the path these professionals would take was influenced by two other...