In February 2025, the House Committee on Energy and Commerce announced the creation of a privacy working group to address many of the now-familiar challenges created by our advanced digital economy. Shortly thereafter, the Committee released a Request for Information, inviting expert recommendations for the newly-formed group. I have given some thought to some of these issues and so dashed off a few lines to share, with links to relevant reports. Below is the text I submitted, with links to each report.
Read the whole thing! Each of them! If congressional staff can do it, why not you?
*****
I was interested to see that you are investigating anew the issues of privacy and data security, much analyzed for decades now. I have worked on these issues for some years and offer a small collection of reports that may illuminate your efforts.
The first focus I recommend is privacy itself. In my 2020 report entitled “Privacy and the Four Categories of Information Technology,” I unpacked the many meanings of the term “privacy,” which refers variously to: control of personal information, fairness, personal security, financial security, peace and quiet, autonomy, integrity against commodification, and reputation.
The “control” value is arguably the leader, and people often use control in pursuit of other values. People refuse to disclose financial identifiers and information, for example, to prevent identity fraud (protecting the financial security value). They may limit public availability of contact or location information to prevent physical access by an ex-spouse (the personal security value). Limiting others’ access to derogatory information protects fairness and ensures good treatment—but note that control promotes unfairness when it is used to elicit undeserved good treatment, which can rise to the level of fraud.
That report also examined at a high level of abstraction how different types of information technologies affect the above-mentioned values. A given technology, information practice, or business model may promote some values while denigrating others, such as when a company collects detailed information unknown to customers (lost control) to prevent theft and fraud on their customers or systems (financial security, fairness).
In 2022, I ran these values through some testing by asking 3,000 people about their privacy interests. The report, “What Do People Mean by ‘Privacy,’ and How Do They Prioritize Among Privacy Values? Preliminary Results,” includes the methodology we used to assess the above-discussed values and to try to understand people’s thinking in this area. According to three different ways of testing priorities, people are most concerned with “financial security”—essentially freedom from identity fraud. They are not terribly concerned with commercial uses of information, such as advertising. This is at odds, in my opinion, with the priority given to commercial data use in mainstream regulatory discussion of recent decades.
I assessed the “fair information practices,” a model for much legislation and regulation, in a 2021 report entitled, “Privacy and Fair Information Practices: The Struggle to Protect Threatened Values.” Along with a history of the FIPs and an assessment of their content, the report checks their results against privacy values. “There is a jagged intersection between FIPs and the many values under threat,” the report says. “FIPs-based legislation aimed at solving the ‘privacy’ problem in one fell swoop seems unlikely to do so.”
A staple of federal legislation, of course, is the question whether state law should be preempted, moving the privacy issue once and for all to the federal level. Last year, economist Geoffrey Manne and I published a report entitled “A Choice-of-Law Alternative to Federal Preemption of State Privacy Law.” In it we assessed the “patchwork” problem in privacy law, which is real but not necessarily as significant as its characterization in federal policy debates. Federal preemption would deviate from the ideal in many ways, too, which we discuss. And we propose an approach already used in other national markets, which is to establish choice of law through contract. Narrowly targeted federal legislation could support such a practice, which would sustain competition around privacy as a consumer interest and invite competition among states to provide well-tuned regulatory regimes.
I appreciate the opportunity to share these materials with you. As a former congressional staffer myself, I am aware of the workload I impose on your staff in doing so, and apologize, somewhat bemusedly. If I can assist your efforts further, I would be happy to do so.