Companies often tout their compliance with industry standards — I’m sure you’ve seen the logos, stamps and “Privacy Shield Compliant” declarations. As we, and the FTC, were reminded a few months ago, that label does not mean that the criteria was met initially, much less years later when finally subjected to government review.
Alastair Mactaggart — an activist who helped promote the California Consumer Privacy Act (CCPA) — has threatened a ballot initiative allowing companies to voluntarily certify compliance with CCPA 2.0 to the still-unformed agency. While that kind of advertising seems like a no-brainer for companies looking to stay competitive in a market that values privacy and security, is it actually? Business considerations aside, is there a moral obligation to comply with all existing privacy laws, and is a company unethical for relying on exemptions from such laws?
I reject the notion that compliance with the law and morality are the same thing — or that one denotes the other. In reality, it’s a nuanced decision based on cost, client base, risk tolerance and other factors. Moreover, giving voluntary compliance the appearance of additional trust or altruism is actually harmful to consumers because our current system does not permit effective or timely oversight and the type of remedies available after the fact do not address the actual harms suffered.
It's not unethical to rely on an exemption
Compliance is not tied to morality.
At its heart is a cost analysis, and a nuanced analysis at that. Privacy laws — as much as legislators want to believe otherwise — are not black and white in their implementation. Not all unregulated data collection is nefarious and not all companies that comply (voluntarily or otherwise) are purely altruistic. While penalties have a financial cost, data collection is a revenue source for many because of the knowledge and insights gained from large stores of varied data — and other companies' need to access that data.
They balance the cost of building compliant systems and processes and amending existing agreements with often thousands of service providers with the loss of business of not being able to provide those services to consumers covered by those laws.
There is also the matter of applicable laws. Complying with a law may interfere or lessen the protections offered by the laws you follow that make you exempt in the first place, for instance, where one law prohibits you from sharing certain information for security purposes and another would require you to disclose it and make both the data and the person less secure.
Strict compliance also allows companies to rest on their laurels while taking advantage of a privacy-first reputation. The law is the minimum standard, while ethics are meant to prescribe the maximum. Complying, even with an inapplicable law, is quite literally the least the company can do. It also then puts them in a position to not make additional choices or innovate because they have already done more than what is expected. This is particularly true with technology-based laws, where legislation often lags behind the industry and its capabilities.
Moreover, who decides what is ethical varies by time, culture and power dynamics. Complying with the strict letter of a law meant to cover everyone does not take into account that companies in different industries use data differently. Companies are trying to fit into a framework without even answering the question of which framework they should voluntarily comply with. I can hear you now: “That’s easy! The one with the highest/strongest/strictest standard for collection.” These are all adjectives that get thrown around when talking about a federal privacy law. However, “highest,” “most,” and “strongest,” are all subjective and do not live in a vacuum, especially if states start coming out with their own patchwork of privacy laws.
I’m sure there are people that say that Massachusetts — which prohibits a company from providing any details to an impacted consumer — offers the “most” consumer protection, while there is a camp that believes providing as much detailed information as possible — like California and its sample template — provides the “most” protection. Who is right? This does not even take into account that data collection can happen across multiple states. In those instances, which law would cover that individual?
Government agencies can't currently provide sufficient oversight
Slapping a certification onto your website that you know you don’t meet has been treated as an unfair and deceptive practice by the FTC. However, the FTC generally does not have fining authority on a first-time violation. And while it can force companies to compensate consumers, damages can be very difficult to calculate.
Unfortunately, damages for privacy violations are even harder to prove in court; funds that are obtained go disproportionately to counsel, with each individual receiving a de minimis payout, if they even make it to court. The Supreme Court has indicated through their holdings in Clapper v. Amnesty Intern., USA. 133 S. Ct. 1138 (2013), and Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), that damages like the potential of fraud or ramifications form data loss or misuse are too speculative to have standing to maintain a lawsuit.
This puts the FTC in a weaker negotiating position to get results with as few resources expended as possible, particularly as the FTC can only do so much — it has limited jurisdiction and no control over banks or nonprofits. To echo Commissioner Noah Phillips, this won’t change without a federal privacy law that sets clear limits on data use and damages and gives the FTC greater power to enforce these limits in litigation.
Finally, in addition to these legal constraints, the FTC is understaffed in privacy, with approximately 40 full-time staff members dedicated to protecting the privacy of more than 320 million Americans. To adequately police privacy, the FTC needs more lawyers, more investigators, more technologists and state-of-the-art tech tools. Otherwise, it will continue to fund certain investigations at the cost of understaffing others.
Outsourcing oversight to a private company may not fare any better — for the simple fact that such certification will come at a high price (especially in the beginning), leaving medium and small-sized businesses at a competitive disadvantage. Further, unlike a company’s privacy professionals and legal team, a certification firm is more likely to look to compliance with the letter of the law — putting form over substance — instead of addressing the nuances of any particular business’ data use models.
Existing remedies don't address consumer harms
Say an agency does come down with an enforcement action, the types of penalty powers that those agencies have currently do not adequately address the consumer harm. That is largely because compliance with a privacy legislation is not an on-off switch and the current regime is focused more on financial restitution.
Even where there are prescribed actions to come into compliance with the law, that compliance takes years and does not address the ramifications of historic non-compliant data use.
Take CNIL’s formal notice against Vectuary for failing to collect informed, affirmative consent. Vectuary collected geolocation data from mobile app users to provide marketing services to retailers using a consent management platform that it developed implementing the IAB (a self-regulating association) Transparency and Consent Framework. This notice warrants particular attention because Vectuary was following an established trade association guideline, and yet its consent was deemed invalid.
As a result, CNIL put Vectuary on notice to cease processing data this way and to delete data collected during that period. And while this can be counted as a victory because the decision forced the company to rebuild their systems — how many companies would have the budget to do this, if they didn’t have the resources to comply in the first place? Further, this will take time, so what happens to their business model in the meantime? Can they continue to be non-compliant, in theory until the agency-set deadline for compliance is met? Even if the underlying data is deleted — none of the parties they shared the data with or the inferences they built on it were impacted.
The water is even murkier when you’re examining remedies for false Privacy Shield self-certification. A Privacy Shield logo on a company’s site essentially says that the company believes that its cross-border data transfers are adequately secured and the transfers are limited to parties the company believes has responsible data practices. So if a company is found to have falsely made those underlying representations (or failed to comply with another requirement), they would have to stop conducting those transfers and if that is part of how their services are provided, do they just have to stop providing those services to their customers immediately?
It seems in practice that choosing not to comply with an otherwise inapplicable law is not a matter of not caring about your customers or about moral failings, it is quite literally just “not how anything works,” nor is there any added consumer benefit in trying to — and isn’t that what counts in the end — consumers?
Opinions expressed in this article are those of the author and not of her firm, investors, clients or others.