Daniel Solove Deconstructs the Privacy Paradox

By TAP Staff Blogger

Posted on February 25, 2020


I argue that the value of privacy cannot be determined empirically by examining individual valuations of privacy and cannot be reduced to a monetary figure based on specific transactions. Privacy’s value is as a constitutive element in society, not a bartered good in the marketplace. - Daniel Solove in “The Myth of the Privacy Paradox”


The phrase “privacy paradox” refers to an apparent inconsistency between people’s stated beliefs about privacy and the actions they take that impact their privacy. George Washington University privacy law expert Daniel Solove explains it this way:


The “privacy paradox” is the phenomenon where people say that they value privacy highly, yet in their behavior relinquish their personal data for very little in exchange or fail to use measures to protect their privacy.


In his recent article, “The Myth of the Privacy Paradox,” Professor Solove deconstructs the privacy paradox and the arguments made about it. Further, he examines the policy and regulation implications of the privacy paradox. Finally, Professor Solove provides recommendations for shifting the focus of privacy regulation away from relying on individuals to self-manage and toward regulating the way information is used, maintained, and transferred.


Below are a few excerpts from “The Myth of the Privacy Paradox.” The full article is available for download at SSRN.


Debunking the Privacy Paradox


The privacy paradox is a myth. Attitudes and behavior only appear to be in conflict; they actually involve different things. The behavior in the privacy paradox involves people making decisions about risk in very specific contexts. In contrast, people’s attitudes about their privacy concerns or how much they value privacy are much more general in nature. The behavior valuation argument generalizes from people’s risk decisions involving specific personal data in specific contexts to reach broader conclusions about how people value their own privacy. This generalization is a leap in logic; it does not follow from the behavior in the studies. Moreover, the behavior valuation argument often views people’s sharing data with organizations as conflicting with their concerns about privacy. But as I have argued in previous works, “privacy” involves a plurality of different things that extend far beyond just keeping data secret. A person does not surrender all privacy when sharing data with others. Many privacy protections remain in place. The inconsistency in attitudes and behavior turns out to be just a myopic misunderstanding of privacy.


Implications for Policy and Regulation


Although I contend that the privacy paradox isn’t a paradox, this doesn’t mean that the behavior exhibited in the studies should be ignored or dismissed as irrelevant to privacy regulation. People’s behavior generally demonstrates that they are failing to protect their own privacy and are readily sharing their personal data. What conclusions about privacy regulation should follow from people’s privacy behavior?


Much privacy regulation attempts to protect privacy by giving people more privacy self-management, which often occurs in the form of granting people more individual rights regarding their personal data, such as a right to opt out of data sharing, a right to notice, a right to delete, and so on.


Providing privacy rights isn’t a bad thing. But if the goal of privacy regulation is to protect people from harms that may arise from collecting, maintaining, using, or disclosing their personal data, then the regulation is failing.


The reason for people’s failure to manage privacy effectively, I argue, is based on the futility of what I call “privacy self-management.” Privacy self-management involves the various decisions people must make about their privacy and the tasks people are given the choice to do regarding their privacy, such as reading privacy policies, opting out, changing privacy settings, and so on. Managing one’s privacy is a vast, complex, and never-ending project that does not scale; it becomes virtually impossible to do comprehensively. The best people can do is manage their privacy haphazardly. People can’t learn enough about privacy risks to make informed decisions about their privacy. People will never gain sufficient knowledge of the ways in which personal data will be combined, aggregated, and analyzed over the years by thousands of organizations. Resignation is a rational response to the impossibility of privacy self-management.


Regulating the Architecture of the Personal Data Economy


There is a role for privacy regulation that goes beyond relying heavily on privacy self-management. A significant amount of privacy protection can be accomplished beyond merely affording people with notices, rights, and choices. Highly effective privacy regulation focuses on the architecture of the personal data economy -- data collection, use, storage, and transfer.


For example, one component of this architecture involves regulating the transfer of personal data to third parties. Organizations enter into contracts when transferring and receiving personal data to or from other organizations. For mid-size to large organizations, these contracts can number in the hundreds or thousands. The extent to which these contracts protect personal data matters significantly. This vast colony of contracts remains largely unseen by consumers, who are not involved in the drafting or negotiation of them. Privacy regulation can regulate the terms of these contracts.


Privacy regulation can also address the design of products or services by preventing designs that could lead to consumer harm or establishing processes for designers to use to better evaluate the risks new technologies pose.


Additionally, regulation can establish boundaries for data collection and use by preventing them when beyond people’s likely expectations or when unfair or potentially harmful. Regulation can ensure for effective data security and can restrict design that is insecure or that creates unwarranted privacy risks.


The purpose of this Article isn’t to set forth a detailed recipe for privacy regulation; it is just to point out that there are approaches that go beyond more privacy self-management.


Read the full article: “The Myth of the Privacy Paradox,” by Daniel Solove.