Online Privacy and Regulation by Default

My colleague Jim Harper and I have been having a friendly internal argument about Internet privacy regulation that strikes me as having potential implications for other contexts, so I thought I might as well pick it up here in case it's of interest to anyone else. Unsurprisingly, neither of us are particularly sanguine about elaborate regulatory schemes—and I'm sympathetic to the general tenor of his recent post on the topic. But unlike Jim, as I recently wrote here, I can think of two rules that might be appropriate: A notice requirement that says third-party trackers must provide a link to an ordinary-language explanation of what information is being collected, and for what purpose, combined with a clear rule making those stated privacy policies enforceable in court. Jim regards this as paternalistic meddling with online markets; I regard it as establishing the conditions for the smooth functioning of a market. What do those differences come down to?

First, a question of expectations. Jim thinks it's unreasonable for people to expect any privacy in information they "release" publicly—and when he's talking about messages posted to public fora or Facebook pages, that's certainly right. But it's not always right, and as we navigate the Internet our computers can be coaxed into "releasing" information in ways that are far from transparent to the ordinary user. Consider this analogy. You go to the mall to buy some jeans; you're out in public and clearly in plain view of many other people—most of whom, in this day and age, are probably carrying cameras built into their cell phones. You can hardly complain about being observed, and possibly caught on camera, as you make your way to the store. But what about when you make your way to the changing room at The Gap to try on those jeans? If the management has placed an unobtrusive camera behind a mirror to catch shoplifters, can the law require that the store post a sign informing you that you're being taped in a location and context where—even though it's someone else's property—most people would expect privacy? Current U.S. law does, and really it's just one special case of the law laying down default rules to stabilize expectations.  I think Jim sees the reasonable expectation in the online context as "everything is potentially monitored and archived all the time, unless you've explicitly been warned otherwise." Empirically, this is not what most people expect—though they might begin to as a result of a notice requirement.

Now, as Jim well knows, there are many cases in which the law sets defaults to stabilize expectations. Under the common law doctrine of implied warranty, when you go out and buy a toaster, you do not explicitly write out a contract in which it's stipulated that the thing will turn on when you get home and plug it in, that it will toast bread without bursting into flames, and so on. Markets would not function terribly well if you did have to do this constantly. Rather, it's understood that there are some minimal expectations built into the transaction—toasters toast bread!—unless the seller provides explicit notice that this is an "as is" sale. This brings us to a second point of divergence: Like Jim, I think the evolutionary mechanism of the common law is generally the best way to establish these market-structuring defaults. Unlike Jim, I think sometimes it's appropriate to resort to statute instead. This story from Techdirt should suggest why:

It's still not entirely clear what online agreements are actually enforceable and which aren't. We've seen cases go both ways, with a recent ruling even noting that terms that are a hyperlink away, rather than on the agreement page itself, may be enforceable. But the latest case, involving online retailer Overstock went in the other direction. A court found that Overstock's arbitration requirement was unenforceable, because, as "browserwrap," the user was not adequately notified. Eventually, it seems that someone's going to have to make it clear what sorts of online terms are actually enforceable (if any). Until then, we're going to see a lot more lawsuits like this one.

Evolutionary mechanisms are great, but they're also slow, incremental, and in the case of the common law typically parasitic on the parallel evolution of broader social norms and expectations. That makes it an uneasy fit with novel and rapidly changing technological platforms for interaction. The tradeoff is that, while it's slow, the discovery process tends to settle on efficient rules. But sometimes having a clear rule is actually more important—maybe significantly more important—than getting the rule just right. These features seem to me to weigh in favor of allowing Congress, not to say what standards of privacy must look like, but to step in and lay down public default rules that provide a stable basis for informed consumers and sellers to reach their own mutually beneficial agreements.

Finally, there's the question of whether it's constitutionally appropriate for federal legislators, rather than courts, to make that kind of decision. I scruple to say how "the Founders intended" the Constitution to apply to e-commerce, but even on a very narrow reading of the Commerce Clause, this seems to fall safely within the purview of a power to "make regular" commerce between the several states by establishing uniform rules for transactions across a network that pays no heed to state boundaries. A patchwork of divergent standards imposed by judges and state legislators does not strike me as an especially market-friendly response to people's online privacy concerns, but that appears to be the alternative. If there's a way to address those concerns that's both constitutionally appropriate and works by enabling informed choice and contract rather than nannying consumers or micromanaging business practices, then it seems to me that it makes sense for supporters of limited government to point that solution out.