INSUBCONTINENT EXCLUSIVE:
Polina Arsentyeva
Contributor
Share on Twitter
Polina Arsentyeva, a former commercial
litigator, is a data privacy attorney who counsels fintech and startup clients on how to innovate using data in a transparent and
privacy-forward way.
Companies often tout their compliance with industry standards — I&m sure you&ve seen the logos, stamps and
&Privacy Shield Compliant& declarations
As we, and the FTC, were reminded a few months ago, that label does not mean that the criteria was met initially, much less years later when
finally subjected to government review.
Alastair Mactaggart — an activist who helped promote the California Consumer Privacy Act (CCPA)
— has threatened a ballot initiative allowing companies to voluntarily certify compliance with CCPA 2.0 to the still-unformed agency
While that kind of advertising seems like a no-brainer for companies looking to stay competitive in a market that values privacy and
security, is it actually? Business considerations aside, is there a moral obligation to comply with all existing privacy laws, and is a
company unethical for relying on exemptions from such laws?
I reject the notion that compliance with the law and morality are the same thing
— or that one denotes the other
In reality, it a nuanced decision based on cost, client base, risk tolerance and other factors
Moreover, giving voluntary compliance the appearance of additional trust or altruism is actually harmful to consumers because our current
system does not permit effective or timely oversight and the type of remedies available after the fact do not address the actual harms
suffered.
It not unethical to rely on an exemption
Compliance is not tied to morality.
At its heart is a cost analysis, and a nuanced
Privacy laws — as much as legislators want to believe otherwise — are not black and white in their implementation
Not all unregulated data collection is nefarious and not all companies that comply (voluntarily or otherwise) are purely altruistic
While penalties have a financial cost, data collection is a revenue source for many because of the knowledge and insights gained from large
stores of varied data — and other companies& need to access that data.
They balance the cost of building compliant systems and processes
and amending existing agreements with often thousands of service providers with the loss of business of not being able to provide those
services to consumers covered by those laws.
There is also the matter ofapplicable laws
Complying with a law may interfere or lessen the protections offered by the laws you follow that make you exempt in the first place, for
instance, where one law prohibits you from sharing certain information for security purposes and another would require you to disclose it
and make both the data and the person less secure.
Strict compliance also allows companies to rest on their laurels while taking advantage
of a privacy-first reputation
The law is the minimum standard, while ethics are meant to prescribe the maximum
Complying, even with an inapplicable law, is quite literally the least the company can do
It also then puts them in a position to not make additional choices or innovate because they have already done more than what is expected
This is particularly true with technology-based laws, where legislation often lags behind the industry and its capabilities.
Moreover, who
decides what is ethical varies by time, culture and power dynamics
Complying with the strict letter of a law meant to cover everyone does not take into account that companies in different industries use data
Companies are trying to fit into a framework without even answering the question of which framework they should voluntarily comply with
I can hear you now: &That easy! The one with the highest/strongest/strictest standard for collection.& These are all adjectives that get
thrown around when talking about a federal privacy law
However, &highest,& &most,& and &strongest,& are all subjective and do not live in a vacuum, especially if states start coming out with
their own patchwork of privacy laws.
I&m sure there are people that say that Massachusetts — which prohibits a company from providing any
details to an impacted consumer — offers the &most& consumer protection, while there is a camp that believes providing as much detailed
information as possible — like California and its sample template — provides the &most& protection
Who is right? This does not even take into account that data collection can happen across multiple states
In those instances, which law would cover that individual?
Government agencies can&t currently provide sufficient oversight
Slapping a
certification onto your website that you know you don&t meet has been treated as an unfair and deceptive practice by the FTC
However,the FTCgenerally does not have fining authority on a first-time violation
And while it can force companies to compensate consumers, damages can be very difficult to calculate.
Unfortunately, damages for privacy
violations are even harder to prove in court; funds that are obtained go disproportionately to counsel, with each individual receiving a de
minimis payout, if they even make it to court
The Supreme Court has indicated through their holdings in Clapper v
1138 (2013), andSpokeo, Inc
1540 (2016), that damages like the potential of fraud or ramifications form data loss or misuse are too speculative to have standing to
maintain a lawsuit.
This puts the FTC in a weaker negotiating position to get results with as few resources expended as possible,
particularly as the FTC can only do so much — it has limited jurisdiction and no control over banks or nonprofits
To echo Commissioner Noah Phillips, this won&t change without a federal privacy law that sets clear limits on data use and damages and gives
the FTC greater power to enforce these limits in litigation.
Finally, in addition to these legal constraints, the FTC is understaffed in
privacy, with approximately40 full-time staff members dedicated to protecting the privacy of more than 320 million Americans
To adequately police privacy, the FTC needs more lawyers, more investigators, more technologists and state-of-the-art tech tools
Otherwise, it will continue to fund certain investigations at the cost of understaffing others.
Outsourcing oversight to a private company
may not fare any better — for the simple fact that such certification will come at a high price (especially in the beginning), leaving
medium and small-sized businesses at a competitive disadvantage
Further, unlike a company privacy professionals and legal team, a certification firm is more likely to look to compliance with the letter of
the law — putting form over substance — instead of addressing the nuances of any particular business& data use models.
Existing remedies
don&t address consumer harms
Say an agency does come down with an enforcement action, the types of penalty powers that those agencies have
currently do not adequately address the consumer harm
That is largely because compliance with a privacy legislation is not an on-off switch and the current regime is focused more on financial
restitution.
Even where there are prescribed actions to come into compliance with the law, that compliance takes years and does not address
the ramifications of historic non-compliant data use.
Take CNIL formal notice against Vectuary for failing to collect informed, affirmative
Vectuary collected geolocation data from mobile app users to provide marketing services to retailers using a consent management platform
that it developed implementing the IAB (a self-regulating association) Transparency and Consent Framework
This notice warrants particular attention because Vectuary was following an established trade association guideline, and yet its consent was
deemed invalid.
As a result, CNIL put Vectuary on notice to cease processing data this way and to delete data collected during that period
And while this can be counted as a victory because the decision forced the company to rebuild their systems — how many companies would
have the budget to do this, if they didn&t have the resources to comply in the first place? Further, this will take time, so what happens to
their business model in the meantime? Can they continue to be non-compliant, in theory until the agency-set deadline for compliance is met?
Even if the underlying data is deleted — none of the parties they shared the data with or the inferences they built on it were
impacted.
The water is even murkier when you&re examining remedies for false Privacy Shield self-certification
A Privacy Shield logo on a company site essentially says that the company believes that its cross-border data transfers are adequately
secured and the transfers are limited to parties the company believes has responsible data practices
So if a company is found to have falsely made those underlying representations (or failed to comply with another requirement), they would
have to stop conducting those transfers and if that is part of how their services are provided, do they just have to stop providing those
services to their customers immediately?
It seems in practice that choosing not to comply with an otherwise inapplicable law is not a matter
of not caring about your customers or about moral failings, it is quite literally just ¬ how anything works,& nor is there any added
consumer benefit in trying to — and isn&t that what counts in the end — consumers?
Opinions expressed in this article are those of the
author and not of her firm, investors, clients or others.