Once again, legislators are touting their opt-in consent bills as the revolutionary solution to all our privacy woes. Once again, they could not be more wrong. At a time when even our toasters are online, opt-in consent is a horse in a self-driving car world.
State Rep. David Santiago, R-Fla., announced in September 2019 that he is introducing a privacy bill that calls for opt-in consent because the “basic framework should always start with the opt-in option. All too often, and somewhere in small print, consumers may not realize the automatic default is to use your information as these companies and governments see fit unless you opt-out. It should always be the other way around. They should not be able to use your information unless they have your express consent by opting-in.”
And he’s not alone. The proposed federal Consent Act, which aimed to change the current regime of opt-out to opt-in, would prohibit companies from barring services if consent was not received. The California Consumer Privacy Act allows a business to provide a different service or charge a different price in exchange for an opt-in collection of data if that difference is related to the value the data provides to the business, which — spoiler alert — is always.
Bill drafters and the privacy advocates who support them assume that opt-in consent is inherently better for consumers without asking the right questions. Instead, taking into account consumer expectations and experience, they should be asking:
- What is the benefit?
- Who is benefitted?
- Is privacy enhanced?
Opt-in consent is worse for consumers for three reasons. First, it stifles innovation and competition, as smaller businesses and start-ups, which are more likely to innovate, receive fewer and less diverse datasets, leading to fewer choices for consumers in the market. Second, it disincentivizes companies from creating additional privacy controls because of the presumed additional protections of opt-in. Third, it lets legislators off the hook for finding interesting and meaningful solutions to our privacy problems without addressing the real issues of lack of accountability of data use and collection.
Opt-in consent does not benefit consumers or enhance consumer control
The supposed advantages of opt-in are that it allows consumers to make informed decisions and gives them greater control over who gets their information and when. Make no mistake, both opt-out and opt-in require the same amount of disclosure on the collection and use upfront. The consumer is not any more informed or empowered by the distinction, and the prohibitions on collection can occur at the same time. But there is a real difference in the consequences for businesses and consumers alike.
Consumers and businesses are harmed when innovation is stifled
Opt-in does not provide greater privacy to consumers, and in an increasingly digital economy, it harms smaller or start-up businesses. The biggest draw of having a singular data privacy law is to provide a level-playing field so that all companies — and consumers — can work against the same expectations and requirements. Larger companies are then more likely to enhance their privacy controls and design products in a way that differentiates them from the privacy practices of their competitors because they are more likely to have the resources to go beyond mere compliance.
Having a law hinge on default opt-in consent for data collection defeats that purpose in many ways. Smaller businesses and start-ups innovate faster and find new solutions because they are able to take on more risks and expand resources on those ideas than established larger brands are. However, those smaller shops are already strapped for resources and data, even though they need to rely on it to product test and innovate the most. Having access to smaller pools of data or not being able to collect any without prior opt-in would put them at an even greater disadvantage to larger companies that are going to have their historic data stores grandfathered in. This means the majority of innovation will have to come from larger companies, resulting in less competition in the industry and less choice for consumers. The sheer number of available products and content will change because smaller businesses will not be able to undertake the cost of compliance the same way that a larger institution can with an opt-in law that otherwise treats all businesses the same, lessening competition and limiting consumers in their ability to choose.
Further, provisions in bills — like the Consent Act — that tie opt-ins to payments or additional benefits may have the unintended result of skewing the type of data fed into AI algorithms because, as was pointed out during the U.S. Senate Committee on Banking, Housing, and Urban Affairs’ Oct. 24 hearing on data ownership, those with lower income may be more likely to take advantage of those cost-savings or payments. With artificial intelligence being increasingly involved in processes determining employment, loan eligibility, parole decisions based on recidivism statistics and facial recognition in law enforcement, homogeny in data sources can only hurt those most vulnerable in society toward discrimination already and potentially create a new class division of those who can buy additional privacy protections or benefits compared to those who cannot.
Consumers are harmed when the buck is passed
Opt-in laws also have the undesirable effect of passing the responsibility for data sharing and use on to consumers instead of forcing accountability onto the company to enhance its practices or designs to keep that user and their data safe. For example, in 2017, WikiLeaks revealed that Samsung TVs could be turned into a listening device. As a result, Samsung provided complicated instructions on virus scanning that begged the question of why such scans weren’t automated by the company.
This was clearly a huge privacy flaw in the design, but an opt-in privacy law would not have changed the outcome. A person who did not want or need to connect to streaming services through the television would not purchase a smart TV. They have, in their purchase, already opted in to the use. Asking them beforehand, even with the disclosure of the vulnerabilities, does not make the product more secure because the user has no meaningful choice. They either keep this TV or buy another smart TV that has the same features and vulnerabilities. Because there is no competitive advantage (or regulatory mandate) to changing your data source, there is no incentive in creating a more safe product. In other words, had this feature been opt-in instead of -out, how would that knowledge protect consumers, particularly if the industry designs the product in a similar manner across the board? Opt-in will become even less connected to meaningful choice as traditional network channels and companies move the availability of their content to streaming platforms.
Opt-in consent stifles innovation in privacy law
As with Samsung, the same is true for Amazon’s Alexa, where by default, Alexa can listen to the conversations in your home. Amazon confirmed to CNN that it hires people to listen to what customers say to Alexa in order to improve the software. If prior to using Alexa you had to specifically sign something to opt in, even with this disclosed possibility, would you give up all the perks of the device, i.e., the reason you bought it in the first place, in order to do so?
Studies show that consumers will (and often must) give companies their data if they get a benefit in return. This, combined with opt-out rates that typically hover around 1-2% of overall traffic, indicates that when given the choice, consumers will provide information to utilize the most enhanced version of the product. As such, adding opt-in to a privacy law and calling it a day isn’t addressing the actual root of the problem.
That is what privacy legislation should be focused on: finding different and meaningful ways to hold companies accountable for how they can use the data that consumers have shown they will willingly provide, taking into account that not all companies or industries are created equal in the kind of limitations and controls needed for use and reuse. Facebook is not Amazon is not JP Morgan, and they shouldn’t be treated the same.
But that, in essence, is what happens with an opt-in law.
Once the company discloses its purpose, and you agree, it can meet those purposes — including its self-selected broad definition of the service, as evidenced by Facebook this past year — without any limitations. The risks of that data “misuse” are not the same for all companies. If Facebook misuses information, it can skew public opinion and election results. While it has its dangers, the risk of Amazon’s misuse of your purchasing history for recommendations has less severe consequences. The same is true for an already highly regulated entity, like a bank — and its necessary data uses.
I’m not saying that default opt-out should be a stanchion of any privacy law. However, both the practical reality of how we do business now and where we want to go is not furthered and may actually be harmed by any regime that holds up opt-in as a cure-all to all our privacy concerns. We can do better.
Opinions expressed in this article are those of the author and not of her firm, investors, clients or others.