Trade-Offs and Choices in Privacy Policy

On Tuesday, the American Action Forum hosted a congressional briefing titled “Approaches to Regulating Technology—From Privacy to AI.” Mercatus scholar Jennifer Huddleston joined Neil Chilson, senior fellow at the Charles Koch Institute, and Ryan Hagemann,  senior fellow at the Niskanen Center, on a panel dedicated to digital privacy issues. Rob Pegoraro, editor at Yahoo Finance, moderated the discussion.

Huddleston began by tackling the most fundamental question about technological privacy: what, exactly, does “privacy” mean?

Privacy, Huddleston observed, is different for everyone. What some find creepy (e.g., web advertisements that target you based on very specific, personalized knowledge of your needs and desires) others find useful. Therefore, she concluded, “if you try to regulate creepiness instead of regulating harm, you’re going to face more significant trade-offs” as a result. A one-size-fits-all approach to data privacy won’t be tailored to the many different preferences that exist in the United States.

As the panel discussed, other countries have already pursued more strict privacy regulations. The European Union’s General Data Protection Regulation (GDPR) institutes a much stricter privacy regime than exists in the United States. Huddleston noted that this heavy-handed regulation of privacy “has led companies to back out of the [European] market.”

While Huddleston thought the EU’s trade-off was detrimental, she said that the debate over digital privacy “isn’t just a question of what trade-offs we make, it’s about who gets to make those trade-offs.” She argued that the heart of the debate isn’t primarily about how much companies should be allowed to monitor their customers’ internet activity—it’s about whether the customers will be allowed to choose what degree of privacy protections they have.

While that debate rages on, states aren’t waiting for the federal government to take action. Huddleston remarked that it was “interesting that states are acting on this [issue] at all,” but that state efforts could end up balkanizing the internet. She argued that “federal preemption is necessary” to ensure that states don’t end up creating a patchwork of privacy regulations that would be too onerous for many companies to comply with. After all, she remarked, data regulation doesn’t just affect big internet companies like Facebook or Google. It involves smaller companies and entrepreneurs that might not be able to afford breaking into a new state market with a different set of regulations.

Huddleston pointed to the Federal Trade Commission (FTC) as a national regulator that could protect consumers while still ensuring the internet was free and open. She lauded the FTC’s “focus on consumer welfare,” pursuing cases where definite harm existed, rather than attempting to mandate how data-reliant companies ran their business beforehand. This ex post enforcement allows for permissionless innovation while still protecting the consumer.

In some cases, though, Huddleston granted that policymakers might have an interest in more heavily regulating data collection. She identified child data protection laws as an important “example of carve-outs for particularly vulnerable groups.”

Looking forward to the future, Huddleston thought that many questions remain unanswered. “What’s the role for soft law? Will a federal privacy law actually target privacy, or will it become a behemoth? Will we just end up with a patchwork?” Data is important for everyone, and the next steps in privacy regulation will matter for all Americans.