The Promise and Shortcomings of Privacy Multistakeholder Policymaking: A Case Study

With formal privacy policymaking processes mired in discord, governments and regulators in the United States and Europe have turned to the private sector seeking assistance and solutions. Multistakeholder-driven self-regulation and co-regulation have been pursued in a variety of contexts ranging from online privacy and transparency for mobile applications to protection of transborder data flows. This article focuses on one such process, the World Wide Web Consortium (W3C) discussion of a Do Not Track (DNT) standard, as a case study. It critically analyzes the procedural pitfalls, which hampered the quest to reach a compromise solution acceptable by groups with diametrically opposed interests, including industry players, government regulators, and privacy advocates. It is based on a series of interviews that the Authors conducted with participants in the process, including leading industry, civil society, and the government players. Proponents of multistakeholder processes, including the U.S. government, suggests that this mode of policymaking benefits from important advantages, including an opportunity to coopt industry experts, move swiftly to conclusion, and garner industry support. The reality, however, is that the W3C process featured few of these benefits. It was protracted, rife with hardball rhetoric and combat tactics, based on inconsistent factual claims, and under constant threat of becoming practically irrelevant due to lack of industry buy-in. Perhaps this should not be surprising. The way DNT has been framed—as a veritable “on/off” switch for an entire industry—inevitably raised the stakes for a common accord. Indeed, DNT crystalizes a deep ideological divide about right and wrong in online behavior, with one side arguing that merely collecting users’ information is wrong, and the other side claiming a right—in fact a business imperative—to use such information for multiple goals. Add to that a healthy portion of competitive maneuvering within the industry, and you get a combustive mix

Pro Se Patrons in the Law Library: The Case for Privacy in the Digital Age

Maintaining privacy and confidentiality of library patron records is especially difficult in a digital world, but is increasingly critical given the large amount of information that is and can be collected. Privacy is especially important in a law library with respect to pro se patrons because they are entitled to two layers of protection: general library protections (statutorily and ethically) and a work product privilege protection for those who are either actively in or in anticipation of litigation. In this digital era, libraries are not taking a holistic view of records and need to be mindful of how personal information is stored on computers and can be vulnerable to hacking. Law librarians should reexamine and revise their policies and practices to better affirm the values of the profession and provide an improved, more confidential service to patron

The Future of Facial Recognition Is Not Fully Known: Developing Privacy and Security Regulatory Mechanisms for Facial Recognition in the Retail Sector

In recent years, advances in facial recognition technology have resulted in a rapid expansion in the prevalence of private sector biometric technologies. Facial recognition, while providing new potentials for safety and security and personalized marketing by retailers implicates complicated questions about the nature of consumer privacy and surveillance where a “collection imperative” incentivize corporate actors to accumulate increasingly massive reservoirs of consumer data. However, the law has not yet fully developed to address the unique risks to consumers through the use of this technology. This Note examines existing regulatory mechanisms, finding that consumer sensitivities and the opaque nature of the technology have resulted in over- and underinclusive regulatory regimes. This Note proposes that the broad implications of biometric privacy harms justify more extensive privacy regulation than a narrow focus on data security and self-regulation. It suggests that regulation predicated on consumer data self-management is inefficient in controlling the flow of information generated by facial recognition. This Note finds that a regulatory approach based in collaborative governance may be better suited for regulating complex systems that create hard-to-calculate risks, change too quickly for traditional regulatory approaches, and involve technical and industry expertise that regulators and legislators are unlikely to have

Better Late than Never: How the Online Advertising Industry’s Response to Proposed Privacy Legislation Eliminates the Need for Regulation

Although Julie Matlin liked the shoes she saw on Zappos.com, she ultimately left the site without purchasing them. However, it was not the last time she would see that pair of shoes. For the next several days, the shoes followed Ms. Matlin to numerous other websites. “It was as if Zappos had unleashed a persistent salesmen who wouldn’t take no for an answer.” Understandably, Ms. Matlin found this “online stalking” disturbing, but she was more troubled when ads for her online dieting service started following her as well. She stated, “They are still following me around, and it makes me feel fat.

Commodifying Consumer Data in the Era of the Internet of Things

Internet of Things (“IoT”) products generate a wealth of data about consumers that was never before widely and easily accessible to companies. Examples include biometric and health-related data, such as fingerprint patterns, heart rates, and calories burned. This Article explores the connection between the types of data generated by the IoT and the financial frameworks of Article 9 of the Uniform Commercial Code and the Bankruptcy Code. It critiques these regimes, which enable the commodification of consumer data, as well as laws aimed at protecting consumer data, such as the Bankruptcy Abuse Prevention and Consumer Protection Act, various state biometric data statutes, and the Health Insurance Portability and Accountability Act. This Article contends that in addition to privacy policies, financial frameworks can also play a critical role in facilitating the transfer and disclosure of consumer data in a manner that is opaque and potentially harmful to consumers. Furthermore, existing privacy frameworks that rely heavily on a notice and choice model and the provisions of a company’s privacy policy to determine the level of protection given to consumers, and which may not always apply to IoT companies, do not effectively safeguard consumers in the IoT setting. This Article proposes several solutions to engender movement away from an overreliance on the notice and choice model and the terms of privacy policies, and to reduce the various moments of data disclosure authorized by financial frameworks. It also offers ways to preserve the value of IoT data as a source of financing for companies while simultaneously protecting the privacy of consumers