INTRODUCTION I. NORMATIVE CONSIDERATIONS: THE CHALLENGE OF DEFINING PRIVACY A. Privacy and "the Pursuit of Happiness". B. On the Problem of "Creepiness" as the Standard of Privacy Harm C. Increasing Tensions Between Privacy Rights and Online Free Speech II. ENFORCEMENT COMPLICATIONS: CONTROLLING INFORMATION FLOWS A. Media and Technological Convergence B. Decentralized, Distributed Networking C. Unprecedented Scale of Networked Communications D. Explosion of the Overall Volume of Information E. User-Generated Content and Self-Revelation of Data F. Synthesis: Information Wants to Be Free (Even When We Don't Want It to Be) G. Corollary: "Silver-Bullet" Solutions Won't Work III. CONSTRUCTIVE SOLUTIONS A. Education, Awareness and Digital Literacy B. Empowerment and Self-Regulation C. On "Simplified" Privacy Policies and Enhanced Notice D. Increased Section 5 Enforcement, Targeted Statutes, and the Common Law CONCLUSION INTRODUCTION
Online privacy has become one of the most contentious information policy debates of recent times. (1) Many academics, activist organizations, and average consumers are clamoring for greater privacy protections as they realize it is easier than ever for personal information to be widely shared--whether intended or not. (2) "Targeted" or "behavioral" online advertising and data collection practices are under particularly intense scrutiny. (3) Policymakers at all levels--state, federal, and international--are responding to these concerns with an array of proposals, many of which aim to expand regulation of the Internet, social networking sites, online advertising and marketing services, data aggregators, and other information technology services. (4)
This Article--which focuses not on privacy rights against the government, but against private actors--cuts against the grain of much modern privacy scholarship by suggesting that expanded regulation is not the most constructive way to go about ensuring greater online privacy. The inherent subjectivity of privacy as a personal and societal value is one reason why expanded regulation is not sensible. Privacy has long been a thorny philosophical and jurisprudential matter; few can agree on its contours or can cite firm constitutional grounding for the rights or restrictions they articulate. (5) Part I discusses some of the normative considerations raised by the debate on privacy right and argues that there may never be a widely accepted, coherent legal standard for privacy rights or harms here in the United States.
This Article does not dwell on that widely acknowledged controversy. Instead, a different complication is introduced here: Legislative and regulatory efforts aimed at protecting privacy must now be seen as an increasingly intractable information control problem. Part II considers the many enforcement challenges that are often ignored when privacy policies are being proposed or formulated. Most of the problems policymakers and average individuals face when it comes to controlling the flow of private information online are similar to the challenges they face when trying to control the free flow of digitalized bits in other information policy contexts, such as online safety, cybersecurity, and digital copyright.
Because it will be exceedingly difficult to devise a fixed legal standard for privacy that will be satisfactory for a diverse citizenry (not all of whom value privacy equally), and because it will be increasingly difficult to enforce that standard even if it can be determined, alternative approaches to privacy protection should be considered. This approach is particularly appropriate here in the United States, which, relative to Europe, places greater significance on both free speech rights and the importance of online commerce and innovation. (6)
This conclusion does not mean that privacy is unimportant or that society is entirely powerless to address it through legal or regulatory means. It does, however, mean that individuals who are highly sensitive about their online privacy will likely need to devise new strategies to shield it as the law will not likely play as great a role due to both normative and practical constraints.
The best way to protect personal privacy in the United States, therefore, is to build on the approach now widely utilized to deal with online child safety concerns, where the role of law has been constrained by similar factors. A so-called "3-E" solution that combines consumer education, user empowerment, and selective enforcement of existing targeted laws and other legal standards (torts, anti-fraud laws, contract law, and so on), has helped society achieve a reasonable balance in terms of addressing online safety while also safeguarding other important values, especially freedom of expression. (7) That does not mean perfect online safety exists, not only because the term means very different things to different people, but because it would be impossible to achieve in the first instance as a result of information control complications. But the "3-E" approach has the advantage of enhancing online safety without sweeping regulations being imposed that could undermine the many benefits information networks and online services offer individuals and society. (8) This same framework can guide online privacy decisions--both at the individual household level and the public policy level. (9)
This Article also discusses the recent actions of the Federal Trade Commission (FTC), which has been increasingly active on privacy issues in recent years. (10) Specifically, in two major recent privacy reports (11) and public statements by agency officials, (12) the FTC has been pushing for industry adoption of a "Do Not Track" mechanism, a browser-based tool that "tells advertisers and other third parties not to follow you around the Internet." (13) Legislative proposals to mandate the creation of "Eraser Buttons" to help users delete their past web histories will also be examined.
The battle over Do Not Track has proven particularly contentious, and its future remains unclear. (14) The struggle over whether to adopt Do Not Track results from both the complex definitional issues pertaining to what constitutes online "tracking," as well as business-related concerns about how Do Not Track might undermine online sites and services that depend upon advertising and data collection to survive. (15)
This Article will argue that, from a practical enforcement perspective, schemes like Do Not Track and the Eraser Button might have some value at the margin, but neither should be considered a silver-bullet solution to privacy concerns. Only a layered approach built on the "3-E" model can strike a reasonable balance between information sharing, online commerce, and personal privacy in an information marketplace characterized by rapid technological change and constantly evolving social norms. (16)
NORMATWE CONSIDERATIONS: THE CHALLENGE OF DEFINING PRIVACY
Privacy and "the Pursuit of Happiness"
Do Americans have a right to privacy, and, if so, what does that right entail? The debate over this question has raged for decades and remains contentious. (17) Most people believe they have some privacy rights, even if those rights remain difficult to define and find limited grounding in the plain language of the Constitution. Professor Daniel J. Solove has noted that privacy has long been a "conceptual jungle" and a "concept in disarray." (18) "[T]he attempt to locate the 'essential' or 'core" characteristics of privacy has led to failure," he says. (19) "Privacy has really ceased to be helpful as a term to guide policy in the United States," argues Professor Woodrow Hartzog, "because privacy means so many different things to so many different people." (20) For these reasons, some scholars, most notably Professor Helen Nissenbaum, have argued that privacy must be thought of in a highly context-specific fashion. (21)
Of course, privacy has always been a highly subjective philosophical concept. (22) It is also a constantly morphing notion that evolves as societal attitudes adjust to new cultural and technological realities. (23) For these reasons, America may never be able to achieve a coherent fixed definition of the term or determine when it constitutes a formal right outside of some narrow contexts.
Even if agreement over the scope of privacy rights proves elusive, however, everyone would likely agree that citizens have the right to pursue privacy. In this sense, we might think about the pursuit of privacy the same way we think about the pursuit of happiness. Recall the memorable line from America's Declaration of Independence: "We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness." (24) Consider the importance of that qualifying phrase--"and the pursuit of"--before the mention of the normative value of happiness. America's Founders obviously felt happiness was an important value, but they did not elevate it to a formal positive right alongside life, liberty, physical property, or even freedom of speech.
This framework provides a useful way of thinking about privacy. Even if we cannot agree whether we have a right to privacy, or what the scope of any particular privacy right should be, the right to pursue it should be as uncontroversial as the right to pursue happiness. In fact, pursing privacy is probably an important element of achieving happiness for most citizens. (25) Almost everyone needs some time and space to be free with their own thoughts or to control personal information or secrets that they value. But that does not make it any easier to define the nature of privacy as a formal legal right, or any easier to enforce it, even if a satisfactory conception of privacy could be crafted to suit every context.
The most stable and widely accepted privacy rights in the...