This is the third article in a three-part series exploring Europe’s Right to be Forgotten in the context of an American Right to Dispute Personally Identifiable Information directly with private entities, such as consumer reporting agencies or search engines. It reaches the conclusion that based on the magnitude of consumer-specific data in the possession of such private entities, the debate has shifted from the inherent fairness of generating temporary “snapshots” of creditworthiness or moral character to the fundamental control of one’s identity in light of the “commoditization of the individual.”
* * *
The Commoditization of the Individual: Who Legally Controls Information Equating to One’s Identity?
Data, particularly consumer data, has been officially labeled “the new oil.” This metaphor characterizes the observation or notation of one’s personally identifiable information (PII), such as one’s biometrics, DNA, geolocation history, Internet browsing history, or character, as a commodity, and commodities may be “exploited.” In one sense, the exploitation of a commodity involves the process by which a raw material is processed to serve a more valuable purpose. In another sense, such an exploitation may infer the receipt of an unfair benefit at the expense of another. The Digital Age is set to experience the production of more than 163 zettabytes (i.e., one-trillion gigabytes) of data per year by 2025, much of which will be consumer-specific. Andrew Cave, What Will We Do When The World's Data Hits 163 Zetabytes in 2025?, Forbes.com (Apr. 13, 2017). How will such massive quantities of consumer data be used? The FTC has found that within large companies known as data brokers, individual profiles have been created on nearly every U.S. consumer for the purpose of discriminating between them. Edith Ramirez, et. al., “Data Brokers: A Call for Transparency and Accountability,” FTC Rep. 8, 46 (2014). Data brokers do not generate consumer reports, however, and are subsequently not regulated by existing U.S. consumer-protection or privacy laws limiting who and for how long one may see negative information prior to being “forgotten.” Thus, any exploitation of such data remains unregulated. This article will explore existing exploitations of PII that are resulting in the consolidation of massive troves of comprehensive, consumer-specific PII that may equate to the commoditization of one’s identity.
The Existing Exploitation of PII in Relation to Individual Liberty
Automobiles need oil to function. Petroleum requires refinement for an automobile to operate as expected. The exploitation of crude oil serves an important purpose in allowing individuals to travel according to their needs or desires. Such an exploitation enhances individual autonomy and liberty. Servitude, on the other hand, allows one individual to take unfair advantage of the fruits of the labor of another individual. Such exploitations significantly diminish individual autonomy and liberty. Meanwhile, slavery and indentured servitude facilitate a mechanism of empowering one individual to comprehensively control another individual’s person. Such exploitations decimate individual autonomy and liberty. Consequently, the spectrum for interpreting the meaning of an exploitative act—in terms of liberty—is one of degrees ranging from augmentation to annihilation. Perhaps George Orwell was right about the notion of “doublespeak” in that no term is more fitting to describe existing collection and consolidation efforts of PII than the term “exploitation.” Current collection efforts have both the power to enhance individual liberty or extinguish it. The key will be determining the core purpose for which PII is collected.
PII is primarily gathered and aggregated for marketing and predictive analytics, people-search functions, risk mitigation, and predictive voting models.
- Marketing and Predictive Analytics. The FTC recognized that large data brokers consolidate aggregate PII for the purpose of utilizing predictive analytics to discriminate among consumers regarding their race, economic status, age, credit worthiness, health status, familial status, and propensity to default to or engage in a crime, etc. Ramirez at 19–21, App’x B. Marketing purposes include thousands of data points designed to consolidate an individual’s prior actions for the purpose of predicting future behavior (i.e., predictive analytics). Id. For example, Cambridge Analytica has created profiles consisting of: (i) demographics/geographics (e.g., age, gender, ethnicity, race, income); (ii) “psychographics” (i.e., advertising resonance, consumer data, lifestyle data, political engagement, cellular/mobile opinions); and (iii) personality to predict how an individual will act when confronted with a specific purchasing decision or an opportunity to vote. Alexander Nix, The Power of Big Data and Psychographics, Concordia Summit (Sept. 27, 2016), available at https://www.youtube.com/watch?v=n8Dd5aVXLCc.
- People Search. Data brokers are engaged in consolidating broad data sets for the purpose of tracking and locating specific individuals. According to the FTC, these products allow users to “research corporate executives and competitors, find old friends, look up a potential love interest or neighbor, network, or obtain court records or other information about consumers.” Ramirez at 34.
- Risk Mitigation. Data brokers engaged in risk mitigation provide services that allow users to conduct identity verification and fraud prevention. For example, financial institutions utilize these services to comply with “know your customer” identity verification requirements pursuant to the USA PATRIOT Act. Ramirez at 32–33 (e.g., knowledge-based authentication (KBA) and fraud detection).
- Predictive Voting Models. Data brokers engaged in predictive voting models aggregate thousands of types of PII for the express purpose of predicting how an individual will react to voting advertisements or propaganda. See, for example, Nix (discussing the “OCEAN” Paradigm (i.e., Openness, Conscientiousness, Extraversion, Agreeableness, and Neuroticism)).
These efforts have both the power to increase individual liberty or suffocate it. On the one hand, individuals may receive enhanced product offerings with expedited purchasing options, increased social connectivity, better searchablity of public or private figures, enhanced digital security when engaging in sensitive online financial transactions, or more relevant political information during elections. On the other hand, all such records containing aggregate PII in possession of these entities—by virtue of existing—are discoverable by government authorities, exposed to significant risks of unauthorized access or theft, and may be used in illegally discriminatory ways to limit, inter alia, the individual’s ability to access credit (i.e., mortgage, educational loans or auto loans) or procure certain types of employment. Consequently, existing exploitations are in need of effective regulation to ensure that such information is not misused.
Scope of Collection Efforts
Data brokers acquire PII not from the individuals themselves, but from other businesses or government entities. Ramirez at iv, 49. Consequently, data brokers afford no choice or consent options to the individuals impacted by the collection of such data. There are both government and private actors, such as administrative agencies like the NSA, data brokers, search engines, social media giants, and consumer reporting agencies, that have feasible and independent capacities to collect and store vast quantities of data on each of the approximately 8 billion people presently living on this planet. See, for example, Utah Data Center (last visited Aug. 25, 2017) (stating that one facility has the capacity to store one yottabyte of data). For example, Facebook alone has confirmed that it has consumer-specific data on nearly one-quarter of the entire global population. Jack Flemming, Facebook reaches 2 billion users, L.A. Times (June 27, 2017). The FTC has confirmed that individual data brokers each house billions of consumer transactions. This information is consolidated into profiles on nearly every U.S. consumer and used to generate millions to billions of dollars for these entities. Ramirez at 8, 23; IAB Internet Advertising Revenue Report, IAB.com (2017). There are approximately 2,500 to 4,000 data brokers in the United States alone. E.g., Paul Boutin, The Secretive World of Selling Data About You, Newsweek (May 30, 2016). Thus, existing collection efforts have the technological capacity to collect and store consumer-specific data on every human being on Earth.
Furthermore, each data broker has the capacity to consolidate PII and categorize it for discriminatory purposes based on thousands of criteria, ranging from household size, personal relationships, societal memberships, personal preferences, medical-related purchases, employment activity, educational opportunities, and political and religious leanings, to name a few. See Ramirez at App’x B. Such PII may include government IDs, biometrics, account numbers, purchase histories, etc. See, for example, Ramirez at 11–15; Adam Schwartz, End Biometric Border Screening, EFF.org (Aug. 9, 2017). In fact, the power now exists to create independent registries that may be synonymous with the power to control one’s actual identity within society. Such entities have converted the intangible nature of one’s existence into intellectual property that may be purchased and sold without any regard to the choice or the consent of the individual. Thus, private and public entities have power to commoditize one’s identity.
Can PII Ever Equate to an Individual’s Identity?
PII has been defined as any information about an individual, such as data that can “distinguish or trace an individual’s identity” (e.g., name, Social Security number, date and place of birth, mother’s maiden name, or biometric records) or that is “linkable to an individual” (e.g., medical, educational, financial, and employment information). NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), ¶2.1 (2010). The U.S. Constitution was drafted in a day when an individual’s “papers and effects” were physical tangible pieces of property. U.S. Const. amend. IV. The Founders’ intent on codifying this natural right likely had little to do with protecting the intrinsic value of the actual paper or effect in question, and everything to do with protecting the information or content contained thereon. Consequently, it was the information that might be revealed via an illegal search or seizure that was protected. Thus, the right to control one’s personal information has always been a protected Constitutional interest.
In the 21st century, property has been transferred into bits and bytes of data that may seamlessly and instantaneously flow across intercontinental land masses via satellite or Internet transmission. An individual’s “person” in terms of character, creditworthiness, thoughts, desires, geolocation, biometrics, DNA, expenditures, business ventures, religious, political, or social preferences may now be gathered, processed, consolidated, sold, purchased, and transferred into registries that have the potential of defining who they are, what their potential is, and what their social desirability is without ever physically entering their home or their land or without coming into contact with their physical person. These essential elements of a person, having been reduced to bits and bytes of data, have effectively transformed the person into property.
In isolation, PII is a reproduction, a writing, or a record of a physical object, characteristic, attribute, behavior, or action of an identifiable human being extant in the tangible world. In its simplest form, PII is merely the annotation of data like a name or address. When aggregated, however, PII has the potential of becoming the digital equivalent of a living person’s identity. If an unauthorized third party spied on another person and collected saliva samples containing DNA, fingerprints, faceprints, complete lists of past addresses, employers, educational institutions attended, and close relationships, journals, thoughts, ideas, desires, innovations, writings, wants, purchase histories, vacation destinations, acts of religious observance, political statements and leanings, and economic status, would the law grant a superior property right to that individual in relation to the person to whom the data related? The answer lies in whether aggregated PII may become something more than property: a right to control one’s identity.
Does an Enforceable Cause of Action Exist to Safeguard the Right to Control One’s Identity?
Currently, many scholars and practitioners most closely categorize the harm associated with an unauthorized collection of PII with protections afforded by the fundamental right to privacy. The harm, however, transcends right to privacy precedence because the control of one’s identity is fundamental to liberty. When analyzing government actors, the Supreme Court has bifurcated the fundamental right to privacy subjecting data privacy to rational basis review, thus allowing government actors to easily subvert such privacy rights. See Whalen v. Roe, 429 U.S. 589, 598 (1977). With regard to private actors, the FTC observed that data brokers are not currently regulated under the Fair Credit Reporting Act (FCRA) or other federal consumer-protection laws because data brokers do not generate “consumer reports.” Given that there is no direct relationship with a consumer, UDAAP laws, Dodd-Frank, and Gramm-Leach-Bliley arguably do not apply. Thus, analyzing the unauthorized collection of PII pursuant to existing right to privacy precedence equates to analyzing the harm associated with this conduct in a laissez-faire economy or deregulated environment. The individual is thus subject to the will of those with far greater resources to track or acquire their PII. See Mark T. Andrus, Not without My Consent: Preserving Individual Liberty in Light of the Comprehensive Collection and Consolidation of PII, 20 J. Internet L. 9 (Mar. 2017).
There exists another relevant aspect of the right to privacy that goes beyond a “right to be let alone” to a right “to not be harmed.” Cf. Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890); Thomas McIntyre Cooley, A Treatise on the Law of Torts or the Wrongs Which Arise Independent of Contract 29 (2d ed. 1888) (expounding a right of complete immunity to be free from injury). William Prosser propounded that the right to privacy was rooted—in relevant part—in the tort of appropriation. He defines an “appropriation” as the “exploitation of attributes of a plaintiff’s identity.” William L. Prosser, Privacy, 48 Cal. L. Rev. 383, 401 (1960). The Supreme Court later affirmed this definition. See, for example, Zacchini v. Scripps-Howard Broad. Co., 433 U.S. 562, 571 (1977). The Restatement Second of Torts requires “the appropriation [i.e., taking] of another’s name or likeness for the use or benefit [i.e., gain] of the defendant.” Restatement (Second) of Torts § 652C. The right is designed to protect a person against the harm of forfeiting something of value (i.e., profit) associated with the individual’s identity. The harm is rooted in a lack of consent. Prosser notes that it is the plaintiff’s attribute “as a symbol of his identity” that creates an appropriation action. Prosser at 403.
Furthermore, the U.S. Supreme Court has recognized “right to publicity” laws in which an individual possesses rights that protect their interest to reap benefits from proprietary interests in any rewards from their endeavors, which include the unauthorized use of characteristics of their identity. See, for example, Zacchini, 433 U.S. at 562. The Restatement Third of Unfair Competition defines the right of publicity as “one who appropriates the commercial value of a person’s identity by using without consent the person’s name, likeness, or other indicia of identity for purposes of trade.” Restatement (Third) of Unfair Competition § 46 (emphasis added). Thus, rights to control a benefit associated with one’s identity are currently extant.
Although these causes of action are rarely utilized and would be matters of first impression in a data acquisition case, they provide a framework that goes beyond trespass, intentional torts, or intellectual property, which are areas of law not well suited to address the potential harm involved in amassing troves of aggregate PII. The harm is not one associated with an interference preventing an individual from using his or her own PII, but rather in empowering an unauthorized third party with the ability to control and profit from that individual’s identity. The harm is wholly distinct from mere interference or invasion.
Is There Actual Harm When an Unauthorized Third Party Collects PII on an Individual?
Historically the element of actual injury required a tangible harm. For example, trespass laws allowed courts to remediate harm associated with unauthorized physical invasions of land and chattel. Trespass to an individual’s person was governed based on harm associated with an unconsented touching, fear, apprehension, or confinement through battery, assault, and false imprisonment laws. When analyzing the modern acquisition of PII, there is often no physical invasion, no confiscation of actual property, and no physical touching, apprehension, or confinement. Physical invasion is no longer relevant. One series of cases has attempted to analyze harm associated with the unauthorized acquisition of PII as a trespass to chattel. This analysis requires actual interference with the physical functionality to the tangible computer system. Intel v. Hamidi, 71 P.3d 296 (Cal. 2003); see also eBay, Inc., v. Bidder's Edge, Inc., 100 F. Supp. 2d 1058 (N.D. Cal. 2000). Unfortunately, the root harm has been largely overlooked.
The lesser yet substantial harm associated with an unauthorized comprehensive collection of PII is an unconsented and forfeited benefit from the value of such property through the appropriation of the individual’s identity. The greater and more compelling harm associated with these acts is a loss of liberty and autonomy, particularly if biometrics (i.e., facial profiles, fingerprints, DNA, etc.) are involved. See, for example, Amy Korte, Federal Court in Illinois Rules Biometric Privacy Lawsuit Against Google Can Proceed, IllinoisPolicy.org (Mar. 8, 2017). Comprehensive PII profiles may literally include not only preferences and consumer’s past dealings with businesses, but also one’s biology and genetic makeup. If used for malevolent purposes (e.g., eugenics-based sterilization), one’s aggregate PII, or identity, could be manipulated or abused by those in possession of such data. Could an individual in such a society be denied educational, employment, or familial opportunities based on predictive analytics? If so, such a harm would be more akin to servitude or slavery than a lost wallet. Some harms truly are irreparable.
Exclusive Rights and the Right to Control One’s Identity
Owners of real property may bring trespass actions based on their exclusive rights for the use and enjoyment of the property. Existing intellectual property rights, such as copyright, trademark, and patent laws grant an owner exclusive rights to any benefit derived from such property. The U.S. Constitution expressly grants exclusive rights to “authors and inventors” to their respective “writings and discoveries.” U.S. Const. I. sec. 8 cl. 8. Such “writings” include the act of converting such content to bits and bytes of digital data. See, for example, The Digital Millennium Copyright Act, Pub. L. No. 105-304, 112 Stat. 2860. In articulating a right to privacy, Louis Brandeis and Samuel Warren argued that any individual desiring to make “public” private sentiments (e.g., with paintings or words) had exclusive rights to limit any disclosure. Consequently, publication was prohibited absent consent. Which is more worthy of exclusive rights: a painting or an individual’s right to control their identity? No third party should have a greater right to control aggregated data equating to the identity of another.
Regulating the Acquisition and Consolidation of Aggregated PII: Consumer Reporting v. Social Control
The FCRA was primarily enacted to govern and regulate private parties engaged in gathering, storing, and transferring consumer-specific data for the purpose of improving the effective interest rate or premium that the consumer would be offered based on the consumer’s risk of nonrepayment or filing an insurance claim. In theory, the collection and processing of this data increased the efficiency of the banking and insurance markets, thus increasing the likelihood that consumers would have access to credit or insurance products when needed. The overall regulatory scheme was constructed to exploit consumer data for the purposes of increasing consumer access to credit and arguably liberty. Furthermore, the consumer-specific data was limited to only those parties with a valid permissible purpose, and negative information was required to be deleted, or “forgotten,” no later than seven to ten years from the first date of delinquency.
Existing data-collection efforts by private parties such as data brokers, search engines, and social media giants far exceed anything that Congress attempted to regulate in consumer-protection statutes such as the FCRA or other consumer-protection laws. Such efforts go beyond consumer reporting and have the potential to create new mediums for social control. Current data-collection efforts go beyond liens, late payments, and bankruptcy filings by including biometrics, DNA reports or analyses, geolocation records, browsing history, vast records of social relations, public commentaries, and political, religious, or social leanings. Yet, consumer records that consolidate these types of data are not classified as “consumer reports.” See Ramirez at 7–10. Thus, they are not regulated by consumer-protection laws.
The entire data-gathering/consumer-reporting process must be revisited and redefined in light of the harm inherent within aggregated PII, such as a loss of liberty, both in terms of consent to benefit from the economic use of the individual’s indicia of identity and in terms of a forfeiture of the control of one’s identity. The key will be in regulating PII in a way that allows for the positive exploitation of such data while minimizing the comprehensive consolidation of aggregated PII that may allow a third party to control the identity of another. These objectives will be best achieved by applying underlying principles associated with the separation of powers doctrine (e.g., a sectoral mandate, such as a prohibition on consolidating medical/genetic PII with consumer financial PII), by requiring the eventual anonymization of PII (e.g., businesses may continue to benefit from generalized statistics and analytics involving PII; however, PII itself could only be possessed for a set period of time), and by recognizing an exclusive or inalienable right to control aggregated PII equating to one’s identity. The U.S. Constitution is founded on “Creator-created” inalienable rights (i.e., granted by “Nature and Nature’s God”) as opposed to man-made or man-revoked civil rights. See Andrus at 18–23. Such rights may not be legally transferred. No third-party entity should have a superior right to control aggregated PII equating to one’s identity.
A right to control one’s identity in light of existing exploitations of PII rests on the degree of control a third party has by virtue of possessing aggregate PII. Possession is ninth-tenths of the law of ownership. No third party should have an ownership interest in an individual’s comprehensive PII, particularly when such data may reasonably equate to the ability to control one’s identity. Although the “new oil” may be exploited for purposes that benefits the consumer and enhances liberty, the risks associated with the existence of individual profiles on societal-wide populations are significant. Regulation is required to ensure that existing data-collection efforts properly safeguard and protect liberty interests. Although there is currently no official recognition of a right to control one’s identity, torts of appropriation and rights of publicity protect an individual’s right to control their identity. The right to control one’s identity is fundamental to liberty and should be recognized as inalienable. Absent such recognition or regulation, data gatherers will continue to commoditize the individual by converting the tangible person into intangible property that may be bought or sold at will, regardless of the consent of the individual.