A Framework for Benefit-Cost Analysis in Digital Privacy Debates

Introduction

Policy debates surrounding online child safety and digital privacy share much in common. Both are complicated by thorny definitional disputes and highly subjective valuations of “harm.” Both issues can be subject to intense cultural overreactions, or “technopanics.”¹ It is common to hear demands for technical quick fixes or silver bullet solutions that are simple yet sophisticated.² In both cases, the purpose of regulation is some form of information control.³ Preventing exposure to objectionable content or communications is the primary goal of online safety regulation, whereas preventing the release of personal information is typically the goal of online privacy regulation.⁴ The common response is regulation of business practices or default service settings.⁵ 

Once we recognize that online child safety and digital privacy concerns are linked by many similar factors, we can consider whether common solutions exist. Many of the solutions proposed to enhance online safety and privacy are regulatory in character. But information regulation is not a costless exercise. It entails both economic and social costs.⁶ Measuring those costs is an extraordinarily complicated and contentious matter, since both online child safety and digital privacy are riddled with emotional appeals and highly subjective assertions of harm. 

This Article will make a seemingly contradictory argument: benefit-cost analysis (“BCA”) is extremely challenging in online child safety and digital privacy debates, yet it remains essential that analysts and policy-makers attempt to conduct such reviews. While we will never be able to perfectly determine either the benefits or costs of online safety or privacy controls, the very act of conducting a regulatory impact analysis (“RIA”) will help us to better understand the trade-offs associated with various regulatory proposals.⁷ However, precisely because those benefits and costs re-main so remarkably subjective and contentious, this Article will argue that we should look to employ less restrictive solutions—education and aware-ness efforts, empowerment tools, alternative enforcement mechanisms, etc.—before resorting to potentially costly and cumbersome legal and regulatory regimes that could disrupt the digital economy and the efficient pro-vision of services that consumers desire.⁸ This model has worked fairly effectively in the online safety context and can be applied to digital privacy concerns as well. 

This Article focuses primarily on digital privacy policy and sketches out a framework for applying BCA to proposals aimed at limiting commercial online data collection, aggregation, and use. Information about online users is regularly collected by online operators to tailor advertising to them (so-called “targeted” or “behavioral” advertising), to offer them expanded functionality, or to provide them with additional service options.⁹ Such operators include social networking services, online search and e-mail providers, online advertisers, and other digital content providers. While this produces many benefits for consumers—namely, a broad and growing diversity of online content and services for little or no charge¹⁰—it also raises privacy concerns and results in calls for regulatory limitations on commercial data collection or reuse of personal information.¹¹ 

 This Article does not focus on assertions of privacy rights against government, however. The benefit-cost calculus is clearly different when state actors, as opposed to private actors, are the focus of regulation.¹² Governments have unique powers and responsibilities that qualify them for a different type of scrutiny.¹³ 

To offer a more concrete example of how privacy-related BCA should work in practice, the recent actions of the Obama administration and the Federal Trade Commission (“FTC”) are considered throughout the Article.¹⁴ The Obama administration has been remarkably active on commercial privacy issues over the past three years yet has largely failed to adequately consider the full range of costs associated with increased government activity on this front.¹⁵ It has also failed to conclusively show that any sort of market failure exists as it relates to commercial data collection or targeted online advertising or services. 

At a minimum, this Article will make it clear why independent agencies should be required to carry out BCA of any privacy-related policies they are considering.¹⁶ Currently, many agencies, including the FTC and the Federal Communications Commission (“FCC”), are not required to conduct BCA or have their rulemaking activities approved by the White House Office of Information and Regulatory Affairs (“OIRA”), which oversees federal regulations issued by executive agencies.¹⁷ Regulatory impact analysis is important even if there are problems in defining, quantifying, and monetizing benefits—as is certainly the case for commercial online privacy concerns.¹⁸ 

In Part I, this Article examines the use of BCA by federal agencies to assess the utility of government regulations. Part II considers how BCA can be applied to online privacy regulation and the challenges federal officials face when determining the potential benefits of regulation. Part III then elaborates on the cost considerations and other trade-offs that regulators face when evaluating the impact of privacy-related regulations. In Part IV, this Article will discuss alternative measures that can be taken by government regulators when attempting to address online safety and privacy concerns. This Article concludes that policymakers must consider BCA when proposing new rules but also recognize the utility of alternative remedies, such as education and awareness campaigns, to address consumer concerns about online safety and privacy. 

Continue Reading PDF