Years ago, when I worked on Capitol Hill, a colleague invited me to attend a meeting with some university professors who had a new idea for regulation of the telecommunications sector.
“Bits,” they said. “All regulation should center on bits.”
With convergence on IP-based communications, the regulatory silos dominating telecommunications would soon be more than anachronistic. Indeed, they would be a burden on the telecom sector. Bits were the fundamental unit of measure for the coming telecommunications era, and regulation should be formed around that reality.
My colleague and I looked at each other, amused.
Figuring out the substance is 5% of the problem. The other 95% is pulling together a sufficient coalition and muting opposition to your reform. More than a decade after this meeting and with “convergence” a rather old and obvious idea, the telecom regulatory regime is unchanged.
Like these professors did with telecom, many people can imagine legislative solutions to problems in the privacy era. I often don’t agree that their solutions are good, but nonetheless the capacity to imagine a suitable regulation is only 5% of the problem. Whether a good idea can be reduced to legislative language, passed in the same form, and implemented in its original spirit—all these are reasons to be wary of the legislative enterprise. What happens if something goes wrong?
Take the example of the privacy notices that the Gramm-Leach-Bliley Act requires financial institution to send to consumers each year. At the time it passed, I argued that it was an anti-marketing law much more than a privacy law. I haven’t seen anyone argue that financial privacy has flourished since it passed. I have also expressed doubts about notice and its utility for consumers many times, including in this long post, part of an abandoned debate with Cato colleague Julian Sanchez.
But putting aside these substantive issues, I don’t think anybody believed when Gramm-Leach-Bliley passed that consumers should get annual privacy notices from financial services providers that don’t share information in the ways the law was meant to affect.
But it did require those notices, and after the law passed in late 1999, those privacy notices started to go out:
“It’s 2000, and we don’t share information about you.”
“It’s 2001, and we’re still not sharing information about you.”
“It’s 2002—still not sharing information.”
“It’s 2003—we continue to not share information about you.”
“Hey, friend, here in 2004, we’re not sharing information about you!”
And so on, and so on, and so on—meaningless notices that could only confuse consumers.
So I was amused to see yesterday—more than ten years later—that the House of Representatives passed H.R. 3506, the “Eliminate Privacy Notice Confusion Act.” If would allow financial services providers that don’t share personal information in ways relevant to the GLB Act to stop sending those meaningless notices every year.
It took Congress ten years to correct a simple, obvious mistake—something nobody intended to put into the law. How many years would it take to correct privacy law on which opinion was divided?
Online privacy is more difficult and changing than financial privacy. The weakness of artificial “privacy notice” to affect consumer awareness and behavior is starting to dawn on people. But even if we did know the right answers, I would be wary of writing them into law.
A dynamic market needs a nimble legislature overseeing it. There’s just no such thing. Prefer the market.