Response to Solove & Hoofnagle
As I mentioned previously [link to http://www.emergentchaos.com/archives/001017.html no longer works], Daniel Solove and Chris Hoofnagle have written a paper on “A Model Privacy Regime.” This post makes a lot more sense if you’ve read their paper. I’ve read through it, and think that it’s pretty good. My responses to specific sections are below. First I’d like to comment on the free speech critique of data protection law.
A number of smart people (for example, Jim Harper writing on Politech) critique the drag on innovation that such a regime entails. I’m very sympathetic to this critique. I’d like to suggest that the regime only kicks in when there is government-issued, certified, or verified data involved. That is, if you want my (government-issued) social security number [link to http://www.emergentchaos.com/archives/001043.html no longer works] to link records, or my driver’s license to certify my name, or you check against a list of voters, then you’re taking advantage of the threats of penalties the government applies. It becomes harder for me to protect my anonymity. If, like supermarket discount cards, I can use any name I want, then I see no need for generalized privacy law. Such a balance would encourage companies to offer deposits as an alternative to credit. (I’ve written about why this is good business practice [link to http://www.emergentchaos.com/archives/000750.html no longer works] in the past.)
That said, onto specific responses to their model law:
- Universal Notice: Why require only informing the FTC? If you’re putting me at risk by storing information about me, why shouldn’t you notify me directly? Yes, this would impose a startup cost on new information brokerages. Today, those costs are borne by victims of ID theft. Let’s assign those costs where they belong.
- Meaningful Informed Consent: I like this. Let’s be specific, and say that informed consent requires knowing what data is going to whom. Again, notification to affected individuals, not just the FTC.
- One Stop Stopping: Others have criticized the one step opt-out, but I’d suggest that the right mechanism is to never sell, share, or transfer personal data without associated privacy information.
- I have no comment on individual credit management.
- Access and Accuracy: Current rights of access are not very effective at getting credit reports fixed, as Bennett discusses in Congressional testimony. Companies who trumpet how much data they can store ought to store where the data comes from, so that they can remove false statements that come from ID theft.
- Secure Identification: This is a hard problem.
- Disclosure: Actually, the first incident came to light because of reporting by David Colker and Joseph Menn regarding criminal prosecutions, not 1386, which was passed after that incident.
- Social Security Numbers: As I suggest above, make the data protection regime kick in whenever a business chooses to use an SSN.
- Public records: There is a clear tension here, which the authors admit to.
- Background checks: I have very mixed feelings about background checks. On the one hand, there are people whose references I wish had been more forthcoming. Clearly, laws that require disclosure of who said what in a reference check are acting as a drag on a much-needed part of the hiring process. (About a month ago, I was at dinner with friends, and failures of that process, and venting about it, and the lawsuits that have followed, took up half the dinner.) On the other, many of these checks are full of bad data. I’d like to see economics kick in here, and perhaps one way to do that would be to tax background checks at some high rate, with proceeds going to those unfairly denied jobs based on botched checks.