Laws regulating the collection, use, and disclosure of personal data are (mostly) constitutional, and critics who suggest otherwise are wrong. Since the New Deal, American law has rested on the wise judgment that, by and large, commercial regulation should be made on the basis of economic and social policy, rather than blunt constitutional rules. This has become one of the basic principles of American constitutional law. Although some observers have suggested that the United States Supreme Court's recent decision in Sorrell v. IMS Health Inc. changes this state of affairs, such readings are incorrect. Sorrell involved a challenge to a poorly drafted Vermont law that discriminated on the basis of both content and viewpoint. Such a law would have been unconstitutional if it had regulated even unprotected speech. As the Sorrell Court made clear, the real problem with the Vermont law at issue was that it did not regulate enough, unlike the "more coherent policy" of the undoubtedly constitutional federal Health Insurance Portability and Accountability Act of 1996.
Data privacy law should thus rarely be thought of as implicating serious constitutional difficulties, and this is a good thing. As we move into the digital age, in which more and more of our society is affected or constituted by data flows, we face a similar threat. If "data" were somehow "speech," virtually every economic law would become clouded by constitutional doubt. Economic or commercial policy affecting data flows--which is to say all economic or social policy--would become almost impossible. This might be a valid policy choice, but it is not one that the First Amendment commands. Any radical suggestions to the contrary are unsupported by our constitutional law. In a democratic society, the basic contours of information policy must ultimately be up to the people and their policy-making representatives, and not to unelected judges. We should decide policy on that basis, rather than on odd readings of the First Amendment.
Introduction I. Two Kinds of Privacy Rights II. The Data Broker Case III. What Sorrell Means IV. The Silliness of "Data=Speech" V. Rejecting Digital Lochner Conclusion: The Right to Be Forgotten and Information Policy INTRODUCTION
Privacy and free speech are siblings with a long and complicated relationship. Both have a common parent in Justice Louis Brandeis, and for over a century they have developed together. Like siblings, they have sometimes bickered, but as they have matured they have often gone their own ways. Privacy and free speech can each mean many things, so we should not be surprised that this is the case. (1)
Although both privacy and free speech are products of earlier centuries, we now live in an age of personal information. Such personal information drives the economy and can be used to influence policy, our elections, (2) our identities, (3) and even our moods. (4) This is the case whether we call it "personal information" or the currently fashionable buzzword "big data." Whatever we call it, information is power. That power is neither inherently good nor inherently bad; it is merely a social reality that we have to live with. (5)
Democratic societies usually regulate complex social realities. We have laws dealing with industrialization and pollution, with market capitalism and fraud, and with social equality and racism. Although social norms and practices remain important, complex social realities are also typically a subject for law and legal regulation. Nevertheless, sometimes we decide that democratic regulation is too dangerous, even for complex social problems. Thus, most democratic societies deny themselves the power to police the field of public debate or the marital choices of consenting adults. In the United States--in sharp contrast to the rest of the world--issues of campaign finance and market power, (6) hate speech and equality, (7) and, increasingly, gun possession and violence (8) seem to be entering this category of "too dangerous to regulate." We lawyers typically call such laws "unconstitutional," finding that they violate some provision of the Constitution, such as the First, Second, or Fourteenth Amendments.
My goal in this Article is to explain why regulation of the commercial trade in personal data will be consistent with the First Amendment, at least most of the time. Blanket assertions that regulation of personal information flows threatens freedom of expression misunderstand either the nature of data privacy law, the nature of First Amendment rights, or both. A few kinds of privacy rights certainly run into conflict with the First Amendment, most notably the old Warren and Brandeis argument for a tort by which the rich and famous could keep unflattering and embarrassing truths about themselves out of the newspapers. (9) But privacy can mean many things, and most of these things are fully consistent with the American commitments to the broad rights of freedom of speech and press. Our laws use the term "privacy" to refer to the many laws regulating personal data, including consumer credit and video rental information and information given to doctors and lawyers. Despite calls from industry groups and a few isolated academics that these laws somehow menace free public debate, the vast majority of information privacy law is constitutional under ordinary settled understandings of the First Amendment. (10) Policymakers can thus make information policy on the merits rather than being distracted by spurious free speech claims.
Throughout the world, democratic societies regulate personal data using laws that embody the "Fair Information Practices" or FIPs. The FIPs are a set of principles that regulate the relationships between business and government entities that collect, use, and disclose personal information about "data subjects," and which were developed by the United States government in the 1970s. (11) Over the past decade, some--but not all--industry groups and a handful of scholars have argued that the FIPs somehow offend the First Amendment. (12) This is an argument seemingly strengthened by the Supreme Court's 2011 decision in Sorrell v. IMS Health Inc., which struck down a Vermont law preventing drug company representatives--but no one else--from using data-based marketing to speak to physicians. (13)
Before Sorrell, there was a settled understanding that general commercial regulation of the huge data trade was not censorship. On the contrary, it was seen as part of the ordinary business of commercial regulation that fills thousands of pages of the United States Code and the Code of Federal Regulations. Nothing in the Sorrell opinion should lead policymakers to conclude that this settled understanding has changed. The poorly drafted Vermont law in Sorrell discriminated against particular kinds of protected speech (in-person advertising) and particular kinds of protected speakers (advertisers but not their opponents). (14) Such content- and viewpoint-based discrimination would doom even unprotected speech under well-settled First Amendment law. As the Court made clear, the real problem with the Vermont law at issue was that it did not regulate enough, unlike the "more coherent policy" of the undoubtedly constitutional federal Health Insurance Portability and Accountability Act of 1996. (15)
Notwithstanding the Court's clarity on this point, a few observers have suggested that data flows are somehow "speech" protected by the First Amendment. But the "data is speech" argument makes no sense from a First Amendment perspective. People do things with words every day that are clearly "speech": from blogging and singing in the shower, to insider trading, sexually harassing coworkers, verbally abusing children, and even hiring assassins. Well-settled First Amendment doctrine allows us to separate out which of these activities cannot be regulated (the first two) from those which can (the rest). (16) First Amendment lawyers do not ask whether something is "speech," because almost everything is expressive in some way. Instead, they ask which kinds of government regulation are particularly threatening to longstanding First Amendment values. The question is not the "speechiness" of the human activity being regulated, but the purpose and effect of the government regulation. When we look at the regulation of commercial data flows from this basic, unobjectionable premise of First Amendment law, we see that such regulations will rarely be problematic. Commercial regulation--of sexual harassment, unfair trade practices, and commercial data flows based on the FIPs--is thus rarely threatening to First Amendment values, properly understood by their settled meaning.
A more fundamental reason supports this conclusion as well. During the New Deal, American society decided that, by and large, commercial regulation should be made on the basis of economic and social policy rather than blunt constitutional rules. (17) This has become one of the basic principles of American constitutional law. As we move into the digital age, in which data flows affect or even constitute more and more of our society, we face a similar threat. If "data" were somehow "speech," and this had First Amendment consequences, constitutional doubt would cloud virtually every form of economic regulation we have. Economic or commercial policy affecting data flows, which is to say all economic or social policy, would become almost impossible. This might turn out to be a valid policy choice, but it is not one that the First Amendment as we have understood it until now commands. Any radical suggestions to the contrary are unsupported by our constitutional law. Indeed, they are an attempt to make radical changes to the basic contours of that law.
Privacy law is thus (mostly) constitutional. And when we are talking about the regulation of commercial data flows, it is entirely constitutional, except for a few poorly drafted outliers, such...