For the Balkinization Symposium on Ignacio Cofone, The Privacy Fallacy: Harm and Power in the Information Economy Cambridge University Press (2023).
Nikolas Guggenberger
In her seminal work on boilerplate contracts, Margaret Jane Radin distinguishes between World A and World B to illuminate the fundamental tension between contract theory’s ideals and modern contractual reality. World A embodies the classical paradigm: contracts emerge through meaningful negotiation between informed equals. Here, parties exercise genuine autonomy, carefully reviewing terms before signaling informed consent. This world reflects contract law’s theoretical foundation—voluntary agreements between parties who comprehend and actively shape their obligations. In World A, freedom of contract justifies the enforcement of promises against people’s future selves, as Kaiponanea Matsumura put it.
World B depicts contemporary consumer contracting: dense boilerplate terms imposed unilaterally, often buried in clickwrap agreements or fine print. Consent becomes illusory, autonomy a farce. Recognizing boilerplate as binding contracts, Radin argues, fundamentally undermines contract law’s moral premises. Sheer ignorance cannot justify the waiver of rights or the creation of duties. When “consent” means blind subordination, contract law no longer serves its intended function of facilitating voluntary exchange. Or, as Friedrich Kessler observed some 80 years ago, modern contracting “enables enterprisers to legislate by contract ... in a substantially authoritarian manner without using the appearance of authoritarian forms.”
In his tour de force through privacy law’s systemic shortcomings, The Privacy Fallacy, Ignacio Cofone squarely locates contemporary data management practices in the privacy equivalent of World B, that of meaningless acquiescence to unread privacy policies. And he is right in his assessment. ‘Notice and choice’ is inherently deficient. It provides neither notice nor choice. Worse, it is ill-suited to address informational capitalism’s threats to the common good, from democratic self-governance to social equality. However, Cofone’s critique extends far beyond the current ‘notice and choice’ framework in the US or the privacy equivalent of World B more generally. He launches a fundamental challenge to consent as a regulatory mechanism for informational privacy across sectors and jurisdictions. His “book’s core premise,” he explains in the introduction, “is that rather than grounding privacy law on concepts from contract law, which sets the rules for voluntary agreements, we need to ground it on concepts from tort law, which sets the rules for harms caused to others.” (p. 4)
Cofone’s comprehensive manifesto against consent enriches privacy discourse with more interesting observations than I can adequately discuss here. So, let me focus on three aspects central to Cofone’s argument: the nature of consent, the impact of consent requirements (or the lack thereof), and the potential tensions between rejecting consent and endorsing tort liability.
First, consider Cofone’s conceptualization of data consent. He identifies consent as “contract-like” (p. 3), “base[d] on … contract law” (p. 3), steeped in “contractual logic” (p. 5), and defined by a “contractual paradigm” (pp. 10, 127, 162). The realities of data management based on privacy policies indeed mirror Radin’s World B, that of boilerplate contracting. However, reducing data consent to a contractual artifact overshoots. Contracts are based on mutual promises; they create duties and bind our future selves. We trade our future liberty for our current autonomy to shape that future through contracts. Data consent is better understood as permission. Although permission also functions as a means of individual control and is often (especially in the US) tied to a contract, it conceptually differs. And this difference matters.
Under the GDPR, which Cofone frequently invokes, the data relationship between the data subject and the data controller is decisively non-contractual. Instead, data consent creates an independent legal relationship. As Cofone explains (p. 64), the GDPR allows users to withdraw their consent—freely and at any time. Put differently, consent is not legally binding for the future under the GDPR. As in the areas of bodily integrity or sexual self-determination, consent does its moral magic only in the moment. Even if we want to, we cannot bind our future selves. However, the practically more relevant difference between data consent and contract under the GDPR results from the different thresholds for consent’s legal validity, which Cofone analyzes in detail (pp. 58, 89-96). None of this sounds very contractual. Consequently, in Meta v. Bundeskartellamt, the ECJ expressly rejected a contractual construction of the data relationship between users and social media platforms as a basis for personalized advertising.
The same holds for various US privacy regimes, albeit to a lesser extent. The non-discrimination provision in the California Consumer Privacy Act necessarily presumes a data relationship distinct from the consumer contract and not governed by contractual imperatives. HIPAA restricts the conditioning of services on data usage authorizations, suggesting that there is more than just a contract. Similar to the GDPR, HIPAA allows individuals to revoke authorizations freely, albeit with exceptions. Whatever one might think of the effectiveness of data consent, characterizing it as contractual remains a stretch.
Second, Cofone is correct when he laments the current privacy framework’s inadequacy. To date, control is an illusion for all the reasons Cofone provides. That, however, speaks more to the current framework’s lax consent requirements than it does to the capacity of consent as a regulatory tool to prevent privacy harm. Actual, meaningful consent requirements, which World A is built on, would be radical—much more so than any liability regime for privacy harms. The reason is simple: World A-type consent does not scale. If we wanted to, we could require that platform representatives sit down with every user and explain the privacy risks associated with personalized advertising before serving an ad. After all, we require anesthesiologists to go through the potential side effects of anesthesia before surgery. What may sound absurd on its face goes to show that meaningful consent is possible. It is merely incompatible with informational capitalism’s dominant business model of data extraction for behavioral manipulation.
For evidence of the impact of consent requirements, consider Illinois and Texas. Because of relatively strict consent requirements in their biometric privacy laws (though far short of what is required in the medical context), companies have pulled several applications from the market and paid billions of dollars in settlements and fines. The consent requirements effectively work as data usage limitations. And it is quite plausible that Meta v. Bundeskartellamt will end personalized advertising as we know it in Europe. All that is to say, requiring real consent is possible. It would not manifest as control but as a data usage limitation for many, if not most, practical purposes. And, for better or worse, it would be radical.
Third, Cofone advocates for a dual regulatory approach to replace consent-based governance: (1) ex-ante prohibitions to reduce privacy risks and (2) robust liability rules when harms occur. “Ideally,” he asserts, “data protection law would abandon consent provisions, make data protection rights independent of individual control, shift from procedural mandates into substantive ones, and expand systemic provisions” while establishing a complementary civil liability regime (p. 89). With a blend of theory, doctrine, and colorful examples, Cofone excellently illustrates the loopholes in today’s torts regime and convincingly argues for an expansion of tort liability.
Nevertheless, I see some tension between the unabashed rejection of consent and the endorsement of tort law expansion. Cofone preempts invocations of consent as a justification for privacy harm by pointing to product liability. We also cannot “accept the risk that [our] car engine may combust” when purchasing a new vehicle, he argues (p. 88). However, the difference between product liability for cars and for data lies in the type of harm. For injuries from vehicles, we can safely assume that no one wants to express their identity by having their arm severed. For privacy harm, this question is more complicated. It requires an inquiry into the individual’s expressive preferences.
In many cases, this inquiry will be straightforward. For example, no one wants their information hacked. This is why cybersecurity, as Cofone points out, is low-hanging fruit for tort liability. For the same reason, it comes as little surprise that the FTC first managed to maneuver beyond consent and toward substantive fairness in this domain. Concerning the sharing or usage of intimate photos or of information about our sexual identity, however, I remain unsure how we can assess harm without reverting to individuals’ expressed preferences (i.e., consent). Thus, at least in some cases, consent will necessarily continue to feature prominently, albeit implicitly.
Cofone’s The Privacy Fallacy is an essential read for anyone grappling with the complexities of privacy law in the digital age. It challenges entrenched assumptions, proposing bold shifts that could redefine how we regulate data and protect individuals from harm. By blending rigorous theoretical analysis with practical legal insights, Cofone not only critiques the current reliance on consent but also charts a compelling path forward. The book’s comparative perspective, enriched by examples and thoughtful engagement with existing frameworks worldwide, makes it a standout contribution to privacy discourse.
Nikolas Guggenberger is Assistant Professor, University of Houston Law Center. You can reach him by e-mail at nguggenb@central.uh.edu.