Is Your Personal Data Your Property?
Attorneys and lawmakers across the country are considering this very question: When a company collects data from your browsing of the web or using a mobile phone, do you “own” any of that information? Are there any limitations on how the data-gathering company can utilize this data?
Every day Americans generate an enormous amount of digital information. We generate data when we browse the Internet, check social media and send text messages. Our smart phones generate data with virtually every function and, notably, by tracking our movements. Data is created when we make purchases with credit cards or mobile payment apps. In going about the routine of our daily tasks, we create a digital trail of breadcrumbs that provides information as to what we like, where we go and who we socialize with.
The data we create holds tremendous value in the aggregate. Until recently, technology companies have collected and commoditized our personal data to sell to third parties with virtually no constraints. Data purchasers desire this information for a variety of reasons. The most obvious, but not exclusive, objective is to target marketing for products and services to the most viable consumers.
Technology companies that profit from selling data have argued that by collecting and organizing this information, they are promoting a social good by connecting individuals with the products and services consumers are most likely to want. However, in recent years, data breach scandals have caused the public to scrutinize the practice of data harvesting and to consider whether its benefits are outweighed by the dangers to individual privacy.
The California Consumer Privacy Act of 2018 (CCPA) was the first law to introduce rigorous data security protections for California citizens. The most fundamental of these new privacy rights include:
- The right to know about the personal information a business collects about them and how it issued and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
Source to summary of CCPA: https://oag.ca.gov/privacy/ccpa
In enacting the CCPA, California lawmakers recognized the power disparity between consumers and the businesses that collect and distribute sensitive data. Most Americans are effectively compelled to generate data to manage the necessities of modern life, i.e., communicating with a mobile device, making electronic purchases and working in a job requiring computer use. By taking these actions that generate data, we shouldn’t be presumed to have consented to the collection of that sensitive data by an unknown third party. As more companies retain our personally identifying information, Americans become more vulnerable to identity theft, harassment, exposure of sensitive personal history, financial fraud and other schemes. Therefore, the risks associated with data-harvesting, while profitable for the data compilers and purchasers, are imposed on the individual without meaningful compensation for the deterioration of privacy.
Many states, including Ohio, are now passing comprehensive privacy legislation that reflects California’s current framework -- and with good reason. If data brokers intend to profit from the harvesting of our personally identifying information, we should retain, at minimum, the “right to know” what information a company has about us, the “right to delete” that data, and, ideally, a remedy if that information is misappropriated.