For big tech platforms, this was the year when violating users’ privacy got expensive. But did it get expensive enough?
In July, Facebook agreed to pay $5 billion to settle charges that it had misled hundreds of millions of users about their data privacy. That same week, credit reporting agency Equifax was ordered to pay up to $700 million for negligence leading to a data breach that exposed the information of some 150 million people. Earlier this month, Google was fined $170 million for harvesting millions of kids’ data on YouTube without their parents’ consent. Back in February, TikTok’s parent company had to pay $5.7 million for similar violations.
Each of those fines, issued by the Federal Trade Commission (FTC), was record-breaking in some way. The $5 billion Facebook settlement, in particular, dwarfed any that a U.S. company had been previously forced to pay for privacy infractions. Yet privacy advocates found it woefully insufficient, and the two Democrats on the five-member commission publicly dissented. They argued that Facebook’s gains and the public’s injuries from the platform’s fast-and-loose privacy practices may have far exceeded the amount of the fine.
Behind the big numbers is a simmering debate in tech policy and consumer economics over the true value of online privacy. At a time when the states and the federal government are eyeing sweeping privacy laws and the FTC is trying to rein in big tech’s abuses with financial penalties, a growing body of research is trying to establish just how much data protection is worth to consumers. If we could establish that dollar figure, the thinking goes, we could find the right trade-offs between their interests and those of the companies that collect and traffic in their data.
One problem: Figuring out precisely what value consumers place on their personal data is starting to look like a fool’s errand. And the people who have studied the question the most are beginning to come to the conclusion that it’s the wrong approach altogether.
On one hand, we know people say they want more online privacy. Surveys find that the vast majority of Americans feel they’ve lost control of their data and worry about how companies are using it. We can find evidence of that in the rapid growth of encrypted communication, the rising use of VPNs, and market research that shows people are avoiding smart speakers due to privacy concerns. It’s also telling that Apple has built a major marketing campaign around its privacy protections.
On the other hand, the vast majority of Americans still use free services such as Facebook and Google with business models that revolve around the collection and exploitation of our personal data. We post photos of ourselves and our families online, carry around customer loyalty cards that track our purchases, and sign up for apps that track our location wherever we go. If people really cared about online privacy, skeptics and industry advocates ask, wouldn’t more of us be deleting Instagram and doing our internet searches on the privacy-minded Google alternative DuckDuckGo? Instead, Facebook posted record profits amid a privacy backlash, and share prices for Google and Amazon are hovering close to their all-time highs. In a New York Times op-ed this week, author Rob Walker gazed across the consumer landscape and concluded, “There is no tech backlash.”
For all those reasons, academics have been trying to get a bead on people’s true preferences by conducting controlled surveys and experiments. Typically, these are aimed at figuring out exactly how much monetary value people attach to various forms of privacy under specific conditions. While attaching a dollar figure to a value as murky as privacy might seem misguided, it’s a common way for economists and policy wonks to compare competing priorities. It’s similar to efforts to estimate the economic impacts of climate change or quantify the value of the “ecosystem services” that nature provides. If nothing else, it would seem to be a promising path toward figuring out how much to fine a company like Facebook or Google when it treats users’ personal data carelessly.
Historically, fines for data breaches have been based on the direct monetary impact on consumers, such as the time and money they could lose if their identity were stolen or the amount they’d have to pay for credit monitoring. That makes sense in a case like the Equifax breach. But the damages are much harder to assess when the data in question is your browsing history, location history, or address book. No one wants that stuff mishandled, but how much exactly is it worth to them?
A study published in the Journal of Consumer Policy this summer found that Americans say they would be willing to pay, on average, $5 a month to delete all their personal data from the companies that have collected it. That’s less than half the price of a subscription to Netflix or Amazon Prime, and it’s certainly less than the value that tech companies, marketers, and data brokers extract from this information. (Facebook alone hauls in about $30 per year in revenue per North American user, or about $2.50 per month, and, of course, it’s just one of the countless companies tracking your online behavior.) So, if you took the $5 per month figure at face value, you might suspect that people don’t particularly value their privacy.
But when the question was flipped — asking how much money companies would have to pay an individual to receive full access to their personal data — the average answer was a hefty $80 per month. Multiply that by some 250 million American adults, and you’d get a value on the order of $240 billion per year for online privacy. That’s more than the combined annual revenue of Facebook and Google, including all their subsidiaries. At that price, stringent privacy laws might be justified on the grounds of welfare economics alone. And the FTC’s $5 billion Facebook fine would look like a pittance compared to the value of what users lost when their online privacy was violated.
The study’s researchers, Angela Winegar and Cass Sunstein of Harvard University, offer some theories for the vast discrepancy they found between consumers’ willingness to pay, as it’s called in behavioral economics, and their willingness to accept. One is that people feel their data should be kept safe by default and are thus indignant at being asked to shell out to protect it. It’s a bit like being asked how much you’d be willing to pay for your drinking water to be kept poison-free. Another is that accepting payment in exchange for your personal data strikes people as improper or ill-advised, particularly data about their health, which the study found them especially unwilling to part with.
The authors also acknowledged some limitations in the study’s design. Its sample of 2,416 Americans included a disproportionate percentage of millennials. Perhaps more important, the question respondents faced in the study was merely hypothetical. Many consumer economists believe you get more realistic results when your experiment requires respondents to actually pay or accept money, rather than simply fill out a survey, because people’s behavior doesn’t always line up with their words. At an FTC hearing on consumer privacy in April, a panelist made that point explicitly:
Studies using those methods, including a seminal 2012 paper by Carnegie Mellon’s Alessandro Acquisti, have found that people will in fact part with specific types of personal data for much less than $80 per month. One study found that MIT students could be induced to give out their friends’ email addresses in exchange for a free pizza.
You can argue that the mining of data, provided it could be done responsibly, creates trillions of dollars in economic value that otherwise wouldn’t exist.
Those findings are embraced by some right-leaning thinkers, including James C. Cooper, who directs the program on economics and privacy at George Mason University’s Scalia Law School. (That’s Scalia as in the late Supreme Court Justice Antonin Scalia, a deep judicial conservative.) In a 2017 white paper for the U.S. Chamber of Commerce Foundation, Cooper rejected surveys like Winegar and Sunstein’s that look at people’s stated preferences in favor of the revealed preferences subjects demonstrate in more practical experiments. He argued that, despite what they might say, most people are “largely comfortable with the trade-offs they make in their digital lives.”
Cooper concluded that privacy regulators risk damaging the economy by overestimating the value of protecting people’s data and underestimating the value of letting tech companies use it. Data is often called the new oil, but while each barrel of oil has a set value on its own, most forms of consumer data are only economically useful when collated and analyzed on a mass scale. Individual users of Facebook and Google would be hard-pressed to monetize their own online behavior as efficiently as those companies do. In that sense, you can argue that the mining of data, provided it could be done responsibly, creates trillions of dollars in economic value that otherwise wouldn’t exist.
A 2015 white paper by Benjamin Wittes and Jodie C. Liu of the Brookings Institution made a different case, arguing that many of the same technologies blamed for eroding our privacy are actually enhancing our privacy in less obvious ways. They suggest that people’s continued use of allegedly privacy-violating internet platforms can be explained by understanding that the type of privacy they’re risking isn’t the kind people really care about.
But the researchers behind the experiments on people’s willingness to pay for privacy, including Winegar and Sunstein, as well as Acquisti, have drawn a different conclusion. They argue that consumers’ behavior and preferences simply aren’t a reliable indicator of how they value their own privacy, let alone how a society as a whole should value it. “One of the headline findings is that policymakers should disregard values placed on personal data, due to the behavioral biases consumers have in thinking about how to value their own personal data,” Winegar said in an email to OneZero.
That’s partly because the dollar amounts people attach to data privacy in various studies are all over the map. In Winegar and Sunstein’s survey, the $5 per month and $80 per month figures are medians. But a fraction of respondents valued their privacy at wildly higher levels — in the hundreds or even thousands per month — while 14% were willing to hand over all their data to internet companies for free.
While the variation tends to be less extreme in experiments involving actual money, it makes sense that people would value online privacy very differently. Some people who signed up for the controversial Facebook Research app, which granted the company deep access to their mobile activity in exchange for $20 per month, reported that they found it a bargain because they weren’t doing anything on their phones that they felt they needed to hide. On the other end of the spectrum, to a dissident using internet platforms to organize a political movement, online anonymity might be the difference between freedom and jail.
But that’s only part of the issue. Study after study has found that people’s valuations of data privacy are driven less by rational assessments of the risks they face than by factors like the wording of the questions they’re asked, the information they’re given beforehand, and the range of choices they’re presented. And they’re easily manipulated by small, immediate incentives, whether it’s a free pizza or a minor inconvenience. A study published this year by Dan Svirsky of Harvard Law School found that requiring a single extra click to learn about the data they’re trading off can deter many people from making a privacy-protecting decision.
The current framework for privacy regulations in the United States is fundamentally flawed.
Acquisti told me that lines up with what he’s learned from his own research. “Even subtle changes in the way privacy trade-offs are presented to individuals can cause radical changes in people’s valuations of their data or the importance of keeping their data protected,” he said in a phone interview. “One of the conclusions of my research is that it’s probably fruitless to try to pinpoint with a single number the value of privacy.”
Where does that leave the FTC and lawmakers trying to pass privacy bills? For one thing, it suggests that the current framework for privacy regulations in the United States is fundamentally flawed.
Notice and choice relies on consumers to make rational decisions about online privacy in their own self-interest based on the information in privacy policies. The most obvious problem is that few people have time to actually read those privacy policies, which would seem to suggest that clearer and simpler disclosures are the answer. But if people can’t make consistent or rational choices even when presented with clear information, as academic research indicates, then that won’t solve anything.
Acquisti proposes a different way of looking at online privacy altogether. As long as it’s viewed in economic terms, as a good to be bought, sold, and traded off between consumers and corporations, tech companies will have the upper hand, because individuals’ choices are so easily manipulated. An alternative, he suggests, is to view privacy more like a human right: something everyone deserves, whether they full grasp its value or not. That would make it more like freedom of speech, which the U.S. Bill of Rights protects equally for all citizens, regardless of whether some of them would be willing to trade it for a free pizza.
“It’s probably fruitless to try to pinpoint with a single number the value of privacy.”
There are elements of the Constitution that bear on privacy, such as the Fourth Amendment protections against government search and seizure. But the right to privacy isn’t enshrined as directly as freedom of speech, which is why privacy advocates are pushing for new laws.
Chris Conley, a technology and civil liberties attorney at the ACLU of Northern California, worked on California’s consumer privacy law, which passed in 2018 and has been a focal point of debate at the federal level. He told me that the literature on pricing privacy didn’t play a central role in the policymaking process, perhaps partly because the law was passed on a tight deadline. It may also be partly because advocates like Conley have read Acquisti’s work and agree with him.
Still, he said the pricing question has come up in debates over amendments to clarify elements of the law, such as one requiring that customer loyalty programs provide users value commensurate to the value of the data they’re giving up. That’s the kind of provision that would seem to call for the type of research that Acquisti, Winegar and Sunstein, and others have been doing. And it’s exactly the type that their findings suggest may be misguided.
“As a privacy economist, I’ve been excited by how interesting the research in this area has been, how fast it has grown in the last 10 to 15 years,” Acquisti said. “But I am concerned that the very success of the field ends up making us believe that the only important dimensions of privacy are economic, and that if there is no quantifiable damage from a privacy invasion, then there is no privacy invasion to worry about. That should not be the conclusion one should draw from the research.”
Which brings us back to the FTC fines. In her dissent from the $5 billion Facebook settlement, Democratic FTC commissioner Rebecca Kelly Slaughter acknowledged that “injury to the public” — part of the legal basis for fines — “can be difficult to quantify in monetary terms in the case of privacy violations.” But she implied that the harms from the Cambridge Analytica affair, which included the use of users’ data by political campaigns without their consent in the 2016 U.S. presidential election, went beyond anything that could be measured in a controlled economics study. Rohit Chopra, Slaughter’s fellow Democrat on the commission, warned that the monetary fine was not a strong deterrent to companies like Facebook, because it left intact the business model to quickly recoup the loss through further monetization of users’ data. Both argued that a stronger approach would be to hold Facebook executives, such as CEO Mark Zuckerberg, personally liable.
Perhaps, then, the question of how much companies like Facebook and Google should be fined for privacy violations is the wrong one to ask in the first place. No dollar amount can perfectly reflect the value of data protection to citizens, and no reasonable dollar amount can deter companies for whom data is an inexhaustible gold mine. What the FTC fines amount to, then, is a sort of charade in which the government pretends to stand up for consumers’ online privacy while preserving the status quo that ensures it will continue to be violated.