BEYOND REQUEST-AND-RESPOND: WHY DATA ACCESS WILL BE INSUFFICIENT TO TAME BIG TECH

The California Consumer Privacy Act (CCPA) is the first-of-its-kind law in the United States providing Californians (and effectively citizens nationwide) with comprehensive protection of their online data. The CCPA provides consumers with four meaningful rights: (1) a right to access the data companies collect from and about them; (2) a right to have said data deleted; (3) a right to know which categories of third parties these companies are sharing their data with or selling their data to; and, (4) a right to opt out of such sales. This Note focuses specifically on the first right, the right of data access.

While the CCPA’s shift from sectoral to comprehensive breadth represents a strong break from past regulatory practice in this field, the law’s focus on empowering citizens and consumers through information is a far more familiar move. This Note connects this right to data access to the federal Freedom of Information Act (FOIA) and argues that the problems of current corporate data practices dwarf the CCPA’s individual request-and-respond right to data access. This Note uses past FOIA practice to identify the likely shortcomings in a request-and-respond data access regime. These shortcomings include an overreliance on individuals that does not facilitate broader transparency aims, past failures of targeted transparency in the consumer protection space, and a failure to learn the lessons of past privacy practice. Instead, this Note considers alternative solutions before recommending ex ante measures like a Pigouvian tax modeled off the environmental pollution space.

The full text of this Note can be found by clicking the PDF link to the left.

* JD/MBA Candidate 2020, Columbia University. The author would like to thank David Pozen for his critical guidance and support through all stages of drafting, Vickie Baranetsky for her helpful comments, and Alex Alben, Rick Arney, and Bruce Sewell for their time. The author also thanks Columbia Law Review’s staff for their invaluable assistance through the publication process, my parents and sisters for their encouragement, and Na’ama for her unwavering love and support through this and all of life’s adventures.

Introduction

In March 2018, the New York Times revealed that Cambridge Analytica, a political data firm tied to President Donald Trump’s 2016 presidential campaign, had accessed private information on more than fifty million Facebook users, including their identities, friend networks, likes, and locational data. 1 Kevin Granville, Facebook and Cambridge Analytica: What You Need to Know as Fallout Widens, N.Y. Times (Mar. 19, 2018), https://www.nytimes.com/2018/03/19/technology/facebook-cambridge-analytica-explained.html (on file with the Columbia Law Review). It was not immediately obvious whether this access constituted a hack, a breach, or a leak. 2 See Matthew Rosenberg, Nicholas Confessore & Carole Cadwalladr, How Trump Consultants Exploited the Facebook Data of Millions, N.Y. Times (Mar. 17, 2018), https://www.nytimes.com/2018/03/17/us/politics/cambridge-analytica-trump-campaign.html (on file with the Columbia Law Review) (describing the incident alternatively as a leak and a breach). But what became clear was that data and privacy issues had resonated in the public consciousness in an unprecedented manner. 3 See “Data” and “Privacy”, Google Trends, https://trends.google.com/trends/explore?date=2006-10-01%202018-10-28&geo=US&q=data%20AND%20privacy (on file with the Columbia Law Review) (last visited Jan. 27, 2020) (demonstrating a significant spike (and peak) in interest in Google searches for “data” and “privacy” soon after news of the Cambridge Analytica scandal broke in March).

The Cambridge Analytica scandal came on the heels of a string of high-profile corporate and governmental data breaches over the last five years, including those of Under Armour, 4 Dave Lee, MyFitnessPal Breach Affects Millions of Under Armour Users, BBC (Mar. 29, 2018), https://www.bbc.com/news/technology-43592470 [https://perma.cc/VA45-TDLS]. Equifax, 5 Alfred Ng & Steven Musil, Equifax Data Breach May Affect Nearly Half the U.S. Population, CNET (Sept. 7, 2017), https://www.cnet.com/news/equifax-data-leak-hits-nearly-half-of-the-us-population [https://perma.cc/Y4SQ-6lQH?type-image] (detailing the 2017 breach that affected as much as half the U.S. population). Uber, 6 Dara Khosrowshahi, 2016 Data Security Incident, Uber (Nov. 21, 2017), https://www.uber.com/newsroom/2016-data-incident [https://perma.cc/K33V-8J3L] (describing a previously unreported 2016 incident that allowed hackers to access the personal information of fifty-seven million users worldwide). Ashley Madison, 7 Robert Hackett, What to Know About the Ashley Madison Hack, Fortune (Aug. 26, 2015), http://fortune.com/2015/08/26/ashley-madison-hack (on file with the Columbia Law Review) (describing a hack of thirty-two million members of an extramarital affairs dating website). the U.S. Office of Personnel Management, 8 Julie Hirschfield Davis, Hacking of Government Computers Exposed 21.5 Million People, N.Y. Times (July 9, 2015), https://www.nytimes.com/2015/07/10/us/office-of-personnel-management-hackers-got-data-of-millions.html (on file with the Columbia Law Review) (describing the scope of the hack of the government’s security clearance office, including compromised addresses, financial information, foreign contacts, and personal health data). and Home Depot. 9 Jeff John Roberts, Home Depot to Pay Banks $25 Million in Data Breach Settlement, Fortune (Mar. 9, 2017), http://fortune.com/2017/03/09/home-depot-data-breach-banks (on file with the Columbia Law Review) (describing the theft of over fifty million customers’ email or credit card information). But unlike the steady drip-drip of another corporate data breach, Cambridge Analytica arrived as a true watershed moment, helping spark more significant discussions about the misuse of consumer data. 10 See Facebook Data Breach Is “Turning Point” for Online Privacy, Says Matt Hancock, BBC (Mar. 22, 2018), https://www.bbc.com/news/uk-politics-43504436 [https://perma.cc/X5ZP-L8KW] (quoting the United Kingdom’s Culture Secretary as finding Facebook’s actions to be “totally unacceptable” and a “turning point”); Why the Cambridge Analytica Scandal Is a Watershed Moment for Social Media, Knowledge@Wharton (Mar. 22, 2018), http://knowledge.wharton.upenn.edu/article/fallout-cambridge-analytica [https://perma.cc/QL2D-FMYZ].

The scandal also significantly accelerated reformers’ efforts to pass sweeping consumer data privacy laws. 11 See Nicholas Confessore, The Unlikely Activists Who Took On Silicon Valley—And Won, N.Y. Times Mag. (Aug. 14, 2018), https://www.nytimes.com/2018/08/14/magazine/facebook-google-privacy-data.html (on file with the Columbia Law Review) [hereinafter Confessore, Unlikely Activists] (“[I]t was suddenly easy to get people to sign their ballot petition. ‘After the Cambridge Analytica scandal, all we had to say was “data privacy.”’”). In June 2018, California’s legislature unanimously passed the California Consumer Privacy Act (CCPA). 12 Gilad Edelman, California’s Privacy Law Goes into Effect Today. Now What?, WIRED (Jan. 1, 2020), https://www.wired.com/story/ccpa-guide-california-privacy-law-takes-effect [https://perma.cc/PB9W-8QUP]. The law provides Californians with a right to access the data companies collect on them, 13 Cal. Civ. Code § 1798.100 (2018). This right includes not only the categories of data collected but also the specific pieces. Id. a right to have said data deleted, 14 Id. § 1798.105. a right to know which categories of third parties these companies are sharing data with or selling data to, 15 Id. § 1798.110(a)(4). and a right to opt out of such sales. 16 Id. § 1798.120. The rights are enforceable by a private right of action by consumers if a company fails to take reasonable safeguards before a data breach, 17 Id. § 1798.150. If a violation is proven, consumers are entitled to the greater of between $100 and $750 per “incident” or actual damages. Id. § 1798.150(a)(1)(A). and a public right of action by the state Attorney General for any violation. 18 Id. § 1798.155(b)–(c). But civil penalties in the amount of $2,500 per infraction or $7,500 per intentional violation are assessed only when a company fails to cure an alleged violation thirty days after notification by the state. Id. § 1798.155(b).
The CCPA applies to for-profit entities collecting Californians’ data that either have upwards of twenty-five million dollars in gross revenue, traffic in the personal information of more than 50,000 Californians, or derive at least half of their annual revenue from selling Californians’ personal information. Id. § 1798.140(c)(1)(A)–(C), (g). The law went into effect on January 1, 2020. Id. § 1798.198(a). The law represents a seismic shift from sector-specific regulation (such as financial or personal health information) to a comprehensive data privacy regime. 19 Lothar Determann, Analysis: The California Consumer Privacy Act of 2018, Int’l Ass’n of Privacy Prof’ls (July 2, 2018), https://iapp.org/news/a/analysis-the-california-consumer-privacy-act-of-2018 [https://perma.cc/9ALV-9C6B].
Historically, the “most sensitive data—such as financial, medical, health, electronic communications, and children’s information—are protected by nearly two dozen federal sector-specific laws and numerous state laws.” Sidley Austin LLP, Essentially Equivalent: A Comparison of the Legal Orders for Privacy and Data Protection in the European Union and United States 7 (2016), https://www.sidley.com/-/media/publications/essentially-equivalent—final.pdf [https://perma.cc/RF9E-483B]. Instead of comprehensive data privacy regulation, this sectoral approach allowed for data outside of the specified sectors to be protected only “through the general enforcement authority of the FTC, state Attorneys General, and other federal and state regulators.” Id.

Though the CCPA grants Californians many rights with respect to their data, this Note focuses more narrowly on the right of consumer data access. Specifically, this Note argues that the CCPA’s individual request-and-respond approach to data access is fundamentally mismatched to the problems posed by current corporate data practices. 20 In general, request-and-respond provisions obligate a company to provide a consumer with the personal data it has collected when a consumer so requests. See infra section I.C (describing these provisions’ operation in greater detail). This Note’s critique of the CCPA’s request-and-respond provision is inspired by the half century legacy of the federal Freedom of Information Act (FOIA), which contains an analogous individual right and shares similar transparency roots. Using an understanding of both FOIA’s operative provision and how it has worked in practice, this Note argues that an individualistic, request-and-respond model of private data disclosure will fail to achieve the progressive aims of privacy advocates and tech reformers. This Note concludes by suggesting that an alternative model of prophylactic, command-and-control regulation will better stem harmful data collection, retention, analysis, and sales.

In Part I, this Note reviews the advent of request-and-respond data access provisions, contextualizes these provisions by providing a primer on what makes data personal and why consumers care, and identifies the connection between the CCPA’s specific provision and FOIA’s. Part II lays out a substantive critique of how past FOIA practice informs future shortcomings in a request-and-respond data access regime. The Note concludes in Part III by considering and rejecting a tailored affirmative disclosure solution before settling on prophylactic, command-and-control directives as the proper means to regulate the booming consumer personal data industry.