The power of surveillance capitalists to know us, nudge us, and exploit us continues to expand with alacrity despite Europe’s General Data Protection Regulation (GDPR) and state privacy regulations within the United States. Likewise, consequential and concrete privacy harms (such as sexual privacy violations) and, at first glance, more ethereal but also troublesome privacy losses (such as data breaches) remain under-compensated or under-redressed. Why? And what can be done about it? Ignacio Cofone’s incredible new book, The Privacy Fallacy: Harm and Power in the Information Economy, answers those two questions with a healthy dose of realism about the stakes, the need for substantive command-and-control regulation of the information economy, and the imperative of compensatory liability.
In this beautiful and accessible book Cofone explains that, to date, efforts to rein in data exploitation and redress privacy harms have fallen short because of a few underlying fallacies about how information ecosystems work. One of those misconceptions is law’s failure to understand that many egregious privacy harms, such as online sexual harassment, don’t occur because of just one or two bad actors. Rather, the very existence of data ecosystems makes those harms possible in the first instance and then magnifies them. Glossing over the role of the ecosystem (and the companies that create that ecosystem) in perpetuating these privacy harms means that law-reform efforts targeted toward the initial privacy violator under-deter such conduct and stymie efforts to, in effect, put the cat back in the bag. To address the systematic nature of privacy harms, Cofone boldly—but rightly—suggests that modified private causes of action need to be created through statute or tort law to target the myriad corporations that enable such privacy violations. Importantly, Cofone also explains why class actions are an important part of the solution in order to provide for more efficient and comprehensive liability.
A second fallacy is the belief that procedural justice efforts to amplify users’ control over their data through notice and/or consent regimes will somehow mitigate data losses. Drawing from behavioral economics, Cofone shows how such approaches—embodied in laws like the GDPR—will never be more than a band-aid that lends a false sense of security to users, while allowing surveillance capitalists to harvest information at will. He rightly explains that individuals who “consent” to privacy-invading policies aren’t necessarily apathetic about privacy; rather because of the daunting and incomprehensible nature of privacy notices, unforeseeable risk, and manipulative design choices, they are cajoled into surrendering their privacy. To overcome this fallacy, Cofone grabs the bull by the horns and makes a persuasive case for command-and-control regulation. That is, Cofone explains why simply holding surveillance capitalists to the weak promises contained in the privacy notices/policies won’t ever be sufficient because users don’t have the bandwidth to meaningfully police the content of those polices through notice/choice. As such, the government needs to do the policing for them—needs to dictate the substantive contours of privacy protections, rather than leaving it to the consumers and the market, which will always favor powerful tech companies.
In terms of the substance of those privacy regulations, Cofone also explains why some of the existing privacy regulations have fallen short over time: they focus on a particular technology (video rentals, cookies, etc.) rather than “the underlying relationship intermediated by the technology (surveillance).” As such, Cofone advocates the implementation of rigorous but flexible standards for digital privacy protection that can adapt as technology evolves, helping to prevent law from always playing catch-up to tech.
Make no mistake, Cofone’s proposals for substantive privacy regulation of and remedial causes of action against information capitalists are big. And difficult. They will require significant political will and capital to implement. But to the extent that society values privacy and individual freedom as our lives continue to become digitally mediated, then lawyers, politicians, and voters will need to put their resources behind meaningful substantive privacy laws and meaningful compensatory regimes that target the corporate information ecosystems themselves. In a nutshell, piecemeal procedural interventions and remedies against individual privacy violators are simply not going to cut it. Refreshingly, Cofone’s book gets real about these problems while offering real solutions—if we have the courage to implement them.
