In March 2018, the New York Times revealed that Cambridge Analytica, a political data firm tied to President Donald Trump’s 2016 presidential campaign, had accessed private information on more than fifty million Facebook users, including their identities, friend networks, likes, and locational data.
It was not immediately obvious whether this access constituted a hack, a breach, or a leak.
But what became clear was that data and privacy issues had resonated in the public consciousness in an unprecedented manner.
The Cambridge Analytica scandal came on the heels of a string of high-profile corporate and governmental data breaches over the last five years, including those of Under Armour, the U.S. Office of Personnel Management, and Home Depot.
But unlike the steady drip-drip of another corporate data breach, Cambridge Analytica arrived as a true watershed moment, helping spark more significant discussions about the misuse of consumer data.
The scandal also significantly accelerated reformers’ efforts to pass sweeping consumer data privacy laws.
In June 2018, California’s legislature unanimously passed the California Consumer Privacy Act (CCPA).
The law provides Californians with a right to access the data companies collect on them, a right to have said data deleted, a right to know which categories of third parties these companies are sharing data with or selling data to, and a right to opt out of such sales.
The rights are enforceable by a private right of action by consumers if a company fails to take reasonable safeguards before a data breach, and a public right of action by the state Attorney General for any violation.
The law represents a seismic shift from sector-specific regulation (such as financial or personal health information) to a comprehensive data privacy regime.
Though the CCPA grants Californians many rights with respect to their data, this Note focuses more narrowly on the right of consumer data access. Specifically, this Note argues that the CCPA’s individual request-and-respond approach to data access is fundamentally mismatched to the problems posed by current corporate data practices.
This Note’s critique of the CCPA’s request-and-respond provision is inspired by the half-century legacy of the federal Freedom of Information Act (FOIA), which contains an analogous individual right and shares similar transparency roots. Using an understanding of both FOIA’s operative provision and how it has worked in practice, this Note argues that an individualistic, request-and-respond model of private data disclosure will fail to achieve the progressive aims of privacy advocates and tech reformers. This Note concludes by suggesting that an alternative model of prophylactic, command-and-control regulation will better stem harmful data collection, retention, analysis, and sales.
In Part I, this Note reviews the advent of request-and-respond data access provisions, contextualizes these provisions by providing a primer on what makes data personal and why consumers care, and identifies the connection between the CCPA’s specific provision and FOIA’s. Part II lays out a substantive critique of how past FOIA practice informs future shortcomings in a request-and-respond data access regime. The Note concludes in Part III by considering and rejecting a tailored affirmative disclosure solution before settling on prophylactic, command-and-control directives as the proper means to regulate the booming consumer personal data industry.