On False Consciousness and the Compliance Industrial Complex
“I believe people are smart, and some people want to share more data than other people do. Ask them. Ask them every time. Make them tell you to stop asking them if they get tired of your asking them. Let them know precisely what you’re going to do with their data.” – Steve Jobs, 2010
We often hear calls for more and better privacy laws, as if legislation alone can protect our privacy from companies that misuse and exploit it. And yes, we do need good privacy legislation. The US certainly has a long way to go when it comes to meaningfully enforcing privacy laws, especially compared to Europe, which does a much better job of holding businesses accountable with regard to their data processing operations and compliance obligations.
But the truth is, we need to do a lot more than pass more privacy laws. That’s just the first step. What we really need to do is find ways to fundamentally shift the economic incentives that drive corporations to collect and use our data in the first place. Because, as we know, companies violate our current privacy laws every single day, causing harm to millions of consumers. Most of these violations go completely undetected – the legal system can’t keep up. And even when companies are compelled to pay damages to victims, the amount is often so inconsequential that it does very little to promote meaningful compliance.
Privacy as an Industry
One of the most pernicious forces working against meaningful privacy is a growing industry around compliance, with countless professionals tasked with protecting our data from inside the $227b information industry. They spend countless resources on creating the appearance or illusion of compliance, but do not actually take steps to meaningfully build privacy into the very design of their products. Rather, the goal is to put on a show for regulators, shareholders, consumers, the media, and even their own employees. One consultancy even promises to support businesses on their “compliance journey.” Imagine a food and bev company hiring a consultant to help them on their “sanitation journey.” We would never tolerate that – and I don’t really see the difference.
Ari Ezra Waldman is one of the foremost thinkers on this topic. He writes about a false consciousness experienced by privacy professionals, applying the Marxist concept that workers fail to recognize their own role in actively (even willingly at times) helping perpetuate cycles that maintain a harmful status quo. “When companies hire a Chief Privacy Officer,” he writes, “they send a message to the industry that hiring a CPO is privacy law… And when websites send emails saying they care about our privacy and require us to opt out of tracking, we become accustomed to thinking that self-governance and corporate management of our data is privacy law.”
But real privacy is not about making privacy policies more readable. Creating more buttons is not going to materially change or protect anyone’s privacy. We should all be very worried about laws that focus on procedure, which effectively legitimize data collection as long as the consumer fills out a form.
Privacy as a Brand
Even companies that claim to be champions of privacy can fall short when it comes to protecting our data. Take Apple, for example – the very company quoted at the top of this article. Apple is often revered for its belief in the human right to privacy.
But is this genuine or just a branding strategy?
The company, under Tim Cook’s leadership, has carried on Jobs’ legacy and built a brand around the idea that it is a privacy-focused company. “Privacy is a fundamental human right,” claims their website. “It’s also one of our core values. Which is why we design our products and services to protect it. That’s the kind of innovation we believe in.”
But even Apple has been sued a dozen times for their data collection practices. A 2022 lawsuit was filed, based on a report by independent researchers that Apple was continuing to track consumers in its mobile apps, even when they had explicitly configured their iPhone privacy settings to turn tracking off – a direct violation of the California Invasion of Privacy Act (CIPA). Since then, 12 different class action lawsuits have been filed by consumers in other states including Pennsylvania and New York.
De-Incentivizing Privacy Violations
This is precisely why we can’t rely on companies to police themselves. We need to target the root cause, and fundamentally change the incentives that drive them to collect and use our data in the first place. Simply put: we need to make privacy violations economically unprofitable. Because companies are driven by profit, only economic incentives will ever make them protect our data. This is a difficult task, to be sure, but it’s one we must undertake if we want to build a better future for ourselves and our children. As lawyers and citizens, it’s our responsibility to step up and demand more from the companies who have access to our data.
The question of course is how to do this.
My answer: by building technological capabilities, like Darrow’s Justice Intelligence, that ensure every single legal violation is detected and resolved swiftly, and by equipping litigators (the ones representing and advocating for our rights) with the best possible tools to take on corporations and hold them accountable.