by Avi Gesser and Michelle Adler
As public pressure increases on legislators to better protect the personal information that organizations collect, interest has grown in using a property framework, rather than the current privacy model. On October 1, U.S. presidential candidate Andrew Yang became the latest policymaker to advocate for a data security framework that treats personal information as property. Yang released a policy proposal entitled “Data as a Property Right.” The paper starts by listing several common concerns that individuals have about their personal electronic data:
- Companies that collect and aggregate personal data have sold it and used it to target consumers with advertisements
- Some companies haven’t done enough to protect personal data, resulting in breaches that have made private information insecure
- Others have sold it to disreputable companies, allowing them to target consumers with fraudulent services and news
The solution Yang proposes is that data generated by each consumer be owned by them, with certain rights conveyed that will allow consumers to know how their personal data is being used and protected. These proposed rights would include:
- To be informed as to what data will be collected, and how it will be used
- To opt out of data collection or sharing
- To be told if a website has data on you, and what that data is
- To be forgotten; to have all data related to you deleted upon request
- To be informed if ownership of your data changes hands
- To be informed of any data breaches including your information in a timely manner
- To download all data in a standardized format to port to another platform
Yang joins a growing group of tech policy thinkers who believe that the current privacy paradigm for data protection is inadequate, and that treating personal data as property that is owned by the associated individual may be a better framework. Part of the appeal of this approach stems from the impression that property rights have traditionally provided more effective protections than privacy rights in the United States.
But anyone following the recent developments in privacy legislation, especially the California Consumer Protection Act (CCPA), will recognize that most, if not all, of the proposed rights laid out by Yang can be established by statute within the existing privacy framework. One area, however, where the property model does have some appeal is delivering compensation to affected individuals.
Under the current Privacy model, if consumers’ personal information is taken by hackers or sold without their consent, they may not be entitled to any compensation, even if the company failed to take reasonable steps to protect their data, because they may not have not suffered any harm that is recognized by law. For Yang, the property model can solve this problem. He notes that consumers opt in to sharing their personal data for the companies’ benefit and their own convenience – but then they should receive a share of the economic value generated from their personal data. And Yang is not alone.
In March, Senator John Kennedy (R-LA) introduced the “Own Your Own Data Act of 2019″ (PDF: 24.6 KB), which provides that each individual owns and has an exclusive property right in the data that individual generates on the internet. It also requires social media companies to obtain licenses to use this data, and provide readily accessible means for each user to cancel the license agreement immediately. This summer, Senators Mark Warner and Josh Hawley introduced a different form of data-as-property legislation – the “Designing Accounting Safeguards to Help Broaden Oversite and Regulations on Data” (DASHBOARD) Act, which requires large collectors of data to disclose the value of the personal data that they collect, but without requiring any payments. Presumably, one effect of the Act would be to add a level of concreteness to the harm that consumers experience when their data is hacked at a company that didn’t take reasonable measures to protect it, or sold it without their knowledge or consent. In California, Governor Gavin Newsom is considering requiring companies to pay a “data dividend” that would be designed to require companies that sell personal information to share the wealth that is created from that data.
But there are good reasons to think that treating personal data as property may not provide consumers with any real benefit, and that the courts and legislatures are addressing the compensation issue under the current privacy framework for data protection.
First, although there is no doubt that personal data is extremely valuable to many companies in the aggregate, it is not very valuable on a person-by-person basis. Indeed, estimates of the value of an average consumer’s personal information range from $0.0005 to just under $1. Yang and others are not clear as to how the value of personal data will be set. By the service providers? By regulation? If it is to be negotiated between the consumer and the “buyer,” that will create significant friction in many online activities and will quickly devolve to some form of take-it-or-leave-it nominal credits being offered to consumers, which will be of little or no real value.
Second, simply determining who “owns” a particular piece of personal information can be unworkable in practice. As critics of the property model have pointed out, when a teenager is diagnosed with a rare disease, that is newly created personal information that is owned by many persons. Parents, the lab that ran the tests, the doctor who made the diagnosis, the pharmacy that provided the medication, the school, the medical insurer, and perhaps several others will need to have that information in their files. In these situations, moving from a privacy to a property model may create unnecessary roadblocks to sharing information without providing any additional protection or clarity as to the applicable rights and obligations.
Rather than providing compensation, regulatory regimes like the CCPA address the problem of companies selling personal information without consumers’ knowledge or consent, through requirements for plain language notification as to what data is being collected and to whom your personal data is being sold, and for the ability of consumers to opt out from such data sharing.
The CCPA also addresses the compensation deficiencies in the current privacy framework by creating a private right against companies that have experienced a cyber breach, with statutory damages set at a minimum of $100 and a maximum of $750 per consumer whose personal data has been compromised. Moreover, the proposed CCPA regulations (PDF: 941 KB) provide a way to assign a value to personal data, without converting a consumer’s data into a property right. Specifically, under the current draft, when a business provides a financial incentive to consumers to provide their data, the business must give consumers a good-faith estimate of the value of their data.
The courts have also been expanding the definition of harm in cases where personal information has been compromised to include instances where concrete harm is elusive. For example, courts have recently found that stolen sensitive data gave hackers the means to commit fraud or identity theft, and therefore even if plaintiffs could not prove that their particular data had been misused, they suffered harm because of the time they needed to protect themselves from the increased risk of identity theft (e.g., by changing credit cards and monitoring the activity in their accounts).
In short, although there is some superficial appeal to treating personal data as property, it may create more problems than it solves, and policymakers may be able to make more progress on solving thorny data protection issues within the existing privacy framework.
Avi Gesser is a partner and Michelle Adler is an associate at Davis Polk & Wardwell LLP. Josh Banker, a summer associate at Davis Polk & Wardwell LLP, also assisted in preparing this entry.
Disclaimer
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.