America is grappling with a compelling question during the coronavirus pandemic: should we allow Big Tech and the government to use our smartphones to track our movements, body temperature, and activities to slow the infection rate?
As explained by the wonderful documentary Terms and Conditions May Apply, history provides some guidance here. Twenty years ago, a little-known web-based toy company called Toysmart.com filed bankruptcy. Toysmart proposed to sell its customer list as part of its bankruptcy process. This request implicated serious privacy concerns as Toysmart had promised its customers that it would never sell or disclose their information. Understandably, however, Toysmart’s creditors viewed the customer list as a valuable asset that should be sold to satisfy their claims.
After much public outcry (including an enforcement action by the Federal Trade Commission against Toysmart), Toysmart was allowed to sell its customer list. This resulted in tremendous outrage among privacy advocates, and spurred Congress into action. Congress immediately proposed a comprehensive online privacy bill called “The Online Privacy Protection Act of 2001.” This bill would have made it illegal for a website to “collect, use, or disclose personal information concerning” individuals in violation of rules to be set by the Federal Trade Commission. It would have also required websites to keep personal information confidential and secure.
But, before this bill could pass, something tragic happened: 9/11. Congress quickly realized that having private companies such as websites gathering lots of information about users might be a critically important tool in the newly-formed fight against terrorism. Unsurprisingly, the privacy bill went nowhere and instead Congress passed the Patriot Act, which expanded the government’s ability to obtain data in the war against terrorism.
This policy shift had three enormous impacts. First, it paved the way for social media and tech companies to create platforms based on gathering, using, and selling consumer information virtually free of regulation. Had the 2001 privacy act passed, those business models might have been unworkable due to the forthcoming FTC restrictions. Would Facebook have even been able to exist in its current form with such strong privacy regulation? Likely not.
Second, Americans showed that they were mostly comfortable trading certain liberties for safety (or at least in appearance). Desperate times understandably called for desperate measures. However, as the last twenty years have shown, perhaps it was not such a great idea from a privacy perspective to allow Big Tech and other data-driven companies to have the virtually unrestrained ability to gather, manipulate, use, sell, and monetize our personal data.
Third, we now see some serious consequences of this policy shift. It’s one thing to allow Big Tech and the government to access the movies we like, sports teams we follow, and friends we have on Facebook. But, now that the coronavirus pandemic is here, public health advocates seek to use Big Tech’s tools to access our current body temperature, movements, places we’ve visited, and people we sat next to on the subway or at Subway. Sure, these advocates correctly note that people could opt-out of these tools, but how soon before we see signs in restaurants saying “Green Status Customers Only?”
The pandemic requires a coordinated and strong response by government and society. Whether this response should include a wholesale trading of the privacy rights we held dear before the pandemic (such as our movements, health status, contacts, body temperature, etc.) is an open and serious question. We should pause and think before granting Big Tech and the government access to these highly personal data points. It is impossible and too early to tell whether granting this level of access to our personal data will be effective or what long term impact it will have on our privacy rights. One thing for sure, however, is that once this genie is out of the bottle, there is no going back. If you would like further information, please contact PLDO Partner Brian J. Lamoureux at 401-824-5155 or email [email protected].
Disclaimer: This blog post is for informational purposes only. This blog is not legal advice and you should not use or rely on it as such. By reading this blog or our website, no attorney-client relationship is created. We do not provide legal advice to anyone except clients of the firm who have formally engaged us in writing to do so. This blog post may be considered attorney advertising in certain jurisdictions. The jurisdictions in which we practice license lawyers in the general practice of law, but do not license or certify any lawyer as an expert or specialist in any field of practice.