I keep getting asked about Cambridge Analytica and Facebook. And no one seems to like my response – I’m frankly amazed that this all took so long to blow up. How long? How about since 1973. That’s when the U.S. Department of Health, Education, and Welfare first articulated the Fair Information Practice Principles (FIPPs or FIPs) in its report Records, Computers, and the Rights of Citizens: Report of the Secretary’s Advisory Committee on Automated Personal Data Systems. The FIPPs went on to become bedrock global privacy principles, and central to them are the principles of notice and consent.
As the FTC later explained in Privacy Online: A Report to Congress:
The most fundamental principle is notice. Consumers should be given notice of an entity’s
information practices before any personal information is collected from them….
The second widely-accepted core principle of fair information practice is consumer choice
or consent. At its simplest, choice means giving consumers options as to how any personal
information collected from them may be used….
These mechanisms – notice and consent – are what make a self-governing privacy system work. If someone (such as Facebook) is going to obtain and use our personal data, they should first give us notice of how they will use it (such as provide or sell it to others), and then we make a choice – we either consent and provide our data, or we don’t. The government may enforce these representations and choices under fair trade practices laws, such as FTC Act Section 5, but the rules themselves are made in the marketplace.
There has to be some source of governance. The alternative to self-governance through notice and consent is governance by government, with legislators and regulators making the rules for how our data is handled. There’s quite a bit of that in the EU and elsewhere, but in the United States, outside of specific sectors such as healthcare (HIPAA), education (FERPA), and financial services (GLBA & FCRA), there’s little such regulation here. In the U.S. we’ve made a policy decision to largely self-govern the privacy of personal data.