CCPA and GDPR Comparison Chart
Total Page:16
File Type:pdf, Size:1020Kb
Recommended publications
Identity Theft Literature Review
The author(s) shown below used Federal funds provided by the U.S. Department of Justice and prepared the following final report: Document Title: Identity Theft Literature Review Author(s): Graeme R. Newman, Megan M. McNally Document No.: 210459 Date Received: July 2005 Award Number: 2005-TO-008 This report has not been published by the U.S. Department of Justice. To provide better customer service, NCJRS has made this Federally-funded grant final report available electronically in addition to traditional paper copies. Opinions or points of view expressed are those of the author(s) and do not necessarily reflect the official position or policies of the U.S. Department of Justice. This document is a research report submitted to the U.S. Department of Justice. This report has not been published by the Department. Opinions or points of view expressed are those of the author(s) and do not necessarily reflect the official position or policies of the U.S. Department of Justice. IDENTITY THEFT LITERATURE REVIEW Prepared for presentation and discussion at the National Institute of Justice Focus Group Meeting to develop a research agenda to identify the most effective avenues of research that will impact on prevention, harm reduction and enforcement January 27-28, 2005 Graeme R. Newman School of Criminal Justice, University at Albany Megan M. McNally School of Criminal Justice, Rutgers University, Newark This project was supported by Contract #2005-TO-008 awarded by the National Institute of Justice, Office of Justice Programs, U.S. Department of Justice. Points of view in this document are those of the author and do not necessarily represent the official position or policies of the U.S. -
Electronic Frontier Foundation November 9, 2018
Before the Department of Commerce National Telecommunications and Information Administration Developing the Administration’s Approach to Consumer Privacy Docket No. 180821780-8780-01 Comments of Electronic Frontier Foundation November 9, 2018 Submitted by: India McKinney Electronic Frontier Foundation 815 Eddy Street San Francisco, CA 94109 USA Telephone: (415) 436-9333 ext. 175 [email protected] For many years, EFF has urged technology companies and legislators to do a better job of protecting the privacy of technology users and other members of the public. We hoped the companies, who have spent the last decade collecting new and increasingly detailed points of information from their customers, would realize the importance of implementing meaningful privacy protections. But this year’s Cambridge Analytica scandal, following on the heels of many others, was the last straw. Corporations are willfully failing to respect the privacy of technology users, and we need new approaches to give them real incentives to do better—and that includes updating our privacy laws. EFF welcomes the opportunity to work with the Department of Commerce in crafting the federal government’s position on consumer privacy. The Request for Comment published in the Federal Register identifies seven main areas of discussion: Transparency, Control, Reasonable Minimization, Security, Access and Correction, Risk Management, and Accountability. These discussion points have been thoroughly analyzed by academics over the past decades, leading to recommendations like the Fair -
Data Privacy: De-Identification Techniques
DEVELOPING AND CONNECTING ISSA CYBERSECURITY LEADERS GLOBALLY Data Privacy: De-Identification Techniques By Ulf Mattsson – ISSA member, New York Chapter This article discusses emerging data privacy techniques, standards, and examples of applications implementing different use cases of de-identification techniques. We will discuss different attack scenarios and practical balances between privacy requirements and operational requirements. Abstract The data privacy landscape is changing. There is a need for privacy models in the current landscape of the increasing numbers of privacy regulations and privacy breaches. Privacy methods use models and it is important to have a common language when defining privacy rules. This article will discuss practical recommendations to find the right practical balance between compliance, security, privacy, and operational requirements for each type of data and business use case. Figure 1 – Forrester’s global map of privacy rights and regulations [4] Sensitive data can be exposed to internal users, partners, and attackers. Different data protection techniques can provide a balance between protection and transparency to business processes. The requirements are different for systems that are operational, analytical, or test/development as illustrated by some practical examples in this article. We will discuss different aspects of various data privacy techniques, including data truthfulness, applicability to different California Customer Privacy Act (CCPA) is a wake-up call, addressing identification of individuals via data inference through a broader range of PII attributes. CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, and unique personal identifier [1]. -
Privacy and Publicity: the Two Facets of Personality Rights
Privacy and publicity Privacy and publicity: the two facets of personality rights In this age of endorsements and tabloid gossip, famous people need to protect their rights and reputations. With a growing number of reported personality rights cases, India must move to develop its legal framework governing the commercial exploitation of celebrity By Bisman Kaur and Gunjan Chauhan, Remfry & Sagar Introduction Intellectual property in India is no longer a niche field of law. Stories detailing trademark infringement and discussing the grant of geographical indications routinely make their way into the daily news headlines. From conventional categories of protection such as patents, trademarks, designs and copyright, IP laws have been developed, often by judicial innovation, to encompass new roles and areas of protection. hyperbole. In this context, personality rights encompass the “right of privacy”, which prohibits undue interference in a person’s private life. In addition to coverage in the media, images of celebrities adorn anything from t-shirts, watches and bags to coffee mugs. This is because once a person becomes famous, the goods and services that he or she chooses to endorse are perceived to reflect his or her own personal values. A loyal fan base is a captive market for such goods, thereby allowing celebrities to cash in on their efforts in building up a popular persona. Unfortunately, a large fan base is also seen by unscrupulous people as an opportunity to bring out products or services that imply endorsement by an individual, when in fact there is no such association. In such cases the individual’s “right of publicity” is called into play. The right of publicity extends to every individual, not just those who are famous, but as a practical matter its application -
Identity Theft Harms Millions of Americans Every Year. Breaches of Personally Identifiable Information (PII) Across the Governme
Safeguarding & Handling PII Identity theft harms millions of Americans every year. Breaches of personally identifiable information (PII) across the government have been well publicized and costly for individuals and Federal agencies. These breaches have prompted the Administration and Congress to take action to improve the protection of personal information. As Department of Energy employees and contractors, you have a responsibility to protect all PII. DOE Order 206.1, Department of Energy Privacy Program, defines PII as "any information collected or maintained by the Department about an individual, including but not limited to, education, financial Each DOE employee and contractor needs to be aware of their responsibility to: • protect personal information, • avoid unauthorized disclosures, • ensure that no records are maintained without proper public notice in the Federal Register, and • report immediately, whether confirmed or suspected, any breach or misuse of PII. For more information on Privacy and protecting PII, refer to DOE Order 206.1, Department of Energy Privacy Program, located on the DOE Directives website: http://directives.doe.gov/ Questions should be referred to your supervisor, your local Privacy Act Officer, or the Privacy Office at (202) 586-5955. • Encrypt personal information sent via email • Label Privacy Act protected records "OFFICIAL USE ONLY - PRIVACY ACT DATA" • Do not collect personal information without proper authority, and only the minimum necessary for carrying out the mission of DOE • Do not place Privacy Act protected data on unrestricted shared drives, intranets, or the Internet • Report any loss or unauthorized disclosure of personal data immediately to your supervisor, program manager, Information System Security Manager, or Privacy Act Officer • Lock your computer whenever you leave your -
Image Is Everything Lowenstein Sandler’S Matthew Savare Gives a Comparative Examination of Publicity Rights in the US and Western Europe
Publicity rights Image is everything Lowenstein Sandler’s Matthew Savare gives a comparative examination of publicity rights in the US and western Europe Comedian Steven Wright once joked, “It’s a small world, but I wouldn’t want to paint it”. Over the last decade, the proliferation of digital technologies has not made the world smaller or easier to paint, but it has significantly hastened the globalisation of content. This transformation, coupled with the developed world’s insatiable fascination with fame, has spurred the hyper commoditisation of celebrity. Despite the universality of celebrity, the laws governing the commercial exploitation of one’s name, image, and likeness differ widely between the US and the nations of western Europe. In light of the increased trafficking in celebrity personas between the two continents, a brief comparative analysis is warranted. A primer on US right of publicity law The right of publicity is the “inherent right of every human being to the person’s identity has “commercial value” versus only 10 years for those whose identity does not. • Remedies – the remedies available to plaintiffs also vary from state to state. For example, New York’s statute provides for injunctions, compensatory damages, and discretionary punitive damages. Ohio’s statute, which offers the most remedies of any state statute, permits injunctions; a choice of either actual damages, “including any profits derived from and attributable to the unauthorised use of an individual’s persona for a commercial purpose” or statutory damages between $2,500 and $10,000; punitive damages; treble damages if the defendant has “knowledge of the unauthorised use of the persona”; and attorney’s fees. Courts have used primarily three methodologies or some combination thereof to value compensatory damages. -
Leveraging GDPR to Become a Trusted Data Steward
The Boston Consulting Group (BCG) is a global management consulting firm and the world’s leading advisor on business strategy. We partner with clients from the private, public, and not-for-profit sectors in all regions to identify their highest-value opportunities, address their most critical challenges, and transform their enterprises. Our customized approach combines deep insight into the dynamics of companies and markets with close collaboration at all levels of the client organization. This ensures that our clients achieve sustainable competitive advantage, build more capable organizations, and secure lasting results. Founded in 1963, BCG is a private company with offices in more than 90 cities in 50 countries. For more information, please visit bcg.com. DLA Piper is a global law firm with lawyers located in more than 40 countries throughout the Americas, Europe, the Middle East, Africa and Asia Pacific, positioning us to help clients with their legal needs around the world. We strive to be the leading global business law firm by delivering quality and value to our clients. We achieve this through practical and innovative legal solutions that help our clients succeed. We deliver consistent services across our platform of practices and sectors in all matters we undertake. Our clients range from multinational, Global 1000, and Fortune 500 enterprises to emerging companies developing industry-leading technologies. They include more than half of the Fortune 250 and nearly half of the FTSE 350 or their subsidiaries. We also advise governments and public sector bodies.
Leveraging GDPR to Become a Trusted Data Steward Patrick Van Eecke, Ross McKean, Denise Lebeau-Marianna, Jeanne Dauzier: DLA Piper Elias Baltassis, John Rose, Antoine Gourevitch, Alexander Lawrence: BCG March 2018 AT A GLANCE The European Union’s new General Data Protection Regulation, which aims to strengthen protections for consumers’ data privacy, creates an opportunity for companies to establish themselves as trusted stewards of consumer data. -
Privacy Online: a Report to Congress
PRIVACY ONLINE: A REPORT TO CONGRESS FEDERAL TRADE COMMISSION JUNE 1998 FEDERAL TRADE COMMISSION Robert Pitofsky, Chairman; Mary L. Azcuenaga, Commissioner; Sheila F. Anthony, Commissioner; Mozelle W. Thompson, Commissioner; Orson Swindle, Commissioner BUREAU OF CONSUMER PROTECTION Authors: Martha K. Landesberg, Division of Credit Practices; Toby Milgrom Levin, Division of Advertising Practices; Caroline G. Curtin, Division of Advertising Practices; Ori Lev, Division of Credit Practices Survey Advisors: Manoj Hastak, Division of Advertising Practices; Louis Silversin, Bureau of Economics; Don M. Blumenthal, Litigation and Customer Support Center, Information and Technology Management Office; George A. Pascoe, Litigation and Customer Support Center, Information and Technology Management Office TABLE OF CONTENTS Executive Summary. I. Introduction. II. History and Overview. A. The Federal Trade Commission’s Approach to Online Privacy. B. Consumer Privacy Online. 1. Growth of the Online Market. 2. Privacy Concerns. C. Children’s Privacy Online. 1. Growth in the Number of Children Online. 2. Safety and Privacy Concerns. III. Fair -
Mass Surveillance
Thematic factsheet¹ Update: July 2018 MASS SURVEILLANCE The highly complex forms of terrorism require States to take effective measures to defend themselves, including mass monitoring of communications. Unlike “targeted” surveillance (covert collection of conversations, telecommunications and metadata by technical means – “bugging”), “strategic” surveillance (or mass surveillance) does not necessarily start with a suspicion against a particular person or persons. It has a proactive element, aimed at identifying a danger rather than investigating a known threat. Herein lay both the value it can have for security operations, and the risks it can pose for individual rights. Nevertheless, Member States do not have unlimited powers in this area. Mass surveillance of citizens is tolerable under the Convention only if it is strictly necessary for safeguarding democratic institutions. Taking into account considerable potential to infringe fundamental rights to privacy and to freedom of expression enshrined by the Convention, Member States must ensure that the development of surveillance methods resulting in mass data collection is accompanied by the simultaneous development of legal safeguards securing respect for citizens’ human rights. According to the case-law of the European Court of Human Rights, it would be counter to governments’ efforts to keep terrorism at bay if the terrorist threat were substituted with a perceived threat of unfettered executive power intruding into citizens’ private lives. It is of the utmost importance that the domestic legislation authorizing far-reaching surveillance techniques and prerogatives provides for adequate and sufficient safeguards in order to minimize the risks for the freedom of expression and the right to privacy which the “indiscriminate capturing of vast amounts of communications” enables. -
Much Ado About Newsgathering: Personal Privacy, Law Enforcement, and the Law of Unintended Consequences for Anti-Paparazzi Legislation
MUCH ADO ABOUT NEWSGATHERING: PERSONAL PRIVACY, LAW ENFORCEMENT, AND THE LAW OF UNINTENDED CONSEQUENCES FOR ANTI-PAPARAZZI LEGISLATION ANDREW D. MORTON† Experience should teach us to be most on our guard to protect liberty when the Government's purposes are beneficent. Men born to freedom are naturally alert to repel invasion of their liberty by evil-minded rulers. The greatest dangers to liberty lurk in insidious¹ encroachment by men of zeal, well-meaning but without understanding. INTRODUCTION: BALANCING THE INDIVIDUAL RIGHT TO PRIVACY WITH LEGITIMATE LAW ENFORCEMENT SURVEILLANCE Horror, not humor, brought actors Michael J. Fox and Paul Reiser to testify before a hearing of the United States House Judiciary Committee last summer.² Fox described the "mercenary tactics of tabloid photographers" who turned his wedding into a "nightmare" as helicopters recklessly jockeyed for position above the ceremony, then "fired away with high-powered cameras" on the couple's honeymoon suite.³ When Reiser's son was born prematurely, disguised journalists infiltrated the hospital with hidden cameras to steal a photo of the infant, and after returning home, the child was photographed in the privacy of the family's backyard by "resourceful" jour- † B.A. 1991, M.P.P. Candidate 2000, University of Maryland; J.D. Candidate 2000, University of Pennsylvania. This Comment is dedicated to the memory of Alan Rubinstein - gifted attorney, and the father-in-law I have known only through the many whose lives he touched. I am deeply indebted to Ed Pease, Diana Schacht, the staff and members of the U.S. -
Privacy and the Limits of Law
The Yale Law Journal Volume 89, Number 3, January 1980 Privacy and the Limits of Law Ruth Gavison† Anyone who studies the law of privacy today may well feel a sense of uneasiness. On one hand, there are popular demands for increased protection of privacy, discussions of new threats to privacy, and an intensified interest in the relationship between privacy and other values, such as liberty, autonomy, and mental health.¹ These demands have generated a variety of legal responses. Most states recognize a cause of action for invasions of privacy.² The Supreme Court has declared a constitutional right to privacy, a right broad enough to protect abortion and the use of contraceptives.³ Congress enacted the Privacy Act of 1974⁴ after long hearings and debate. These activities⁵ † Visiting Associate Professor of Law, Yale Law School. This Article develops some of the themes of my doctoral thesis, Privacy and Its Legal Protection, written under the supervision of Professor H.L.A. Hart. Much of the inspiration of this piece is still his. I am grateful to Bruce Ackerman, Bob Cover, Owen Fiss, George Fletcher, Harry Frankfurt, Jack Getman, Tony Kronman, Arthur Leff, Michael Moore, and Barbara Underwood, who read previous drafts and made many useful comments. 1. The best general treatment of privacy is still A. WESTIN, PRIVACY AND FREEDOM (1967). For treatment of a variety of privacy aspects, see NOMOS XIII, PRIVACY (R. Pennock & J. Chapman eds. 1971) (Yearbook of the American Society for Political and Legal Philosophy) [hereinafter cited as NOMOS]. 2. W. PROSSER, THE LAW OF TORTS 804 (4th ed. -
Is the Market for Digital Privacy a Failure?1
Is the Market for Digital Privacy a Failure?¹ Caleb S. Fuller² Abstract Why do many digital firms rely on collecting consumer information–a practice that survey evidence shows is widely disliked? Why don’t they, instead, charge a fee that would protect privacy? This paper empirically adjudicates between two competing hypotheses. The first holds that firms pursue this strategy because consumers are ill-informed and thus susceptible to exploitation. The second holds that this strategy reasonably approximates consumer preferences. By means of survey, I test a.) the extent of information asymmetry in digital markets, b.) consumers’ valuation of privacy, and c.) whether government failure contributes to consumer mistrust of information collection. My results indicate that a.) the extent of information asymmetry is minimal, b.) there is significant divergence between “notional” and “real” demand for privacy and c.) that government contributes to consumer distrust of information collection by private firms. Significantly, almost 82% of Google users are unwilling to pay anything for increased digital privacy. JEL-Classification: D23, K29, Z18 Keywords: privacy paradox, digital privacy, survey, market failure ¹ I wish to thank Alessandro Acquisti, Peter Leeson, Chris Coyne, Peter Boettke, David Lucas, Noah Gould, and Nicholas Freiling for helpful suggestions. All errors are my own. I am also indebted to the Mercatus Center for providing funding for the survey conducted by Haven Insights LLC. ² Assistant professor of economics, Grove City College, Email: 1 INTRODUCTION Google’s motto is “Don’t Be Evil.” But the fact that the company surreptitiously collects the information of over one billion individuals annually leads some to question whether the firm’s business model runs afoul of its dictum (Hoofnagle 2009).