Steering Clear of ‘Privacy Washing’


Danielle Citron and Daniel Solove recently published a fantastic roadmap for courts to understand different types of privacy harm and provided suggestions on when harm should be required in legal cases.

I highly recommend it for anyone working in privacy today. Of course I read it, not as a lawyer, but as a communications advisor — and one who’s spent a great deal of time helping organizations understand how good privacy can be a proactive brand-building strategy rather than a defensive response.

“Privacy harms are highly contextual,” write Citron and Solove, “with the harm depending upon how the data is used, what data is involved, and also how the data might be combined with other data. Sharing an innocuous piece of data with another company might provide a key link to other data or allow for certain inferences to be made.”

This means the definition of harm can also vary in legal contexts, which the authors seek to clarify. Yet, while the law continues to progress with meaningful discourse such as this recent report, there is an area of privacy where further debate on definitions is morally irresponsible: privacy communications.

Legal definitions or precedents do not define public expectations or trust. So, it should be clear to any communications professional responsible for privacy-related issues that there is no grey area when it comes to privacy. Messaging that claims privacy commitments, guarantees, or benefits without an acknowledgement and honest due diligence into potential harms is “privacy washing” — a form of manipulation designed to make people believe that an organization is doing more to protect privacy than it really is.

In fact, where Citron and Solove state, as legal scholars, that “in many cases, harm should not be required because it is irrelevant to the purpose of the lawsuit,” the opposite is true in privacy communication strategies. The harm is exactly the point.

Focusing on the legal consequences of privacy violations, Citron and Solove further explain:

“When cases are dismissed due to the lack of harm, organizations engaging in wrongdoing escape without accountability. The message to other organizations is both clear and troubling — they can ignore privacy commitments enshrined in legislation and common law without concern.”

Based on my experience working with organizations before, during, and after major privacy violations, I agree completely with this sentiment. I’ve seen it happen.

However, when it comes to public perception and organizational reputation, people have little patience to wait for clarifications from the court. Public judgment on your brand is immediate and not bound by legal opinion. You do not need to be found legally liable in order for privacy violations to destroy trust and erode reputations. The courts do not hold a monopoly on public accountability and often, they’re too late anyway.

The reality behind all of this is that not being able to prove harm in court does not mean harm doesn’t exist. The mere perception of harm should matter a great deal to anyone with responsibility over an organization’s reputation. Speculation and rumors may not hold up in court, but they will haunt your brand for years.

As I’ve written before, it should always be our primary goal to prevent privacy violations from happening in the first place. But when accidental incidents occur, communications advisors need to be prepared with recommendations to:

  1. Compensate those who have been harmed or believe they’ve been harmed

  2. Secure assurances to prevent repeated incidents

  3. Go beyond expectations to reinvest in public trust

Types of Harm Caused by Privacy Violations

Below are the 14 types of harm defined by Citron and Solove in their paper. It would be prudent for communications advisors to familiarize themselves with these concepts because regardless of their standing with a judge, they are very real to customers, politicians, partners, and employees.

Physical Harms: “Entities handling personal data have been found liable for negligently, knowingly, or purposefully paving the way for a third party to physically injure someone.”

Economic Harms: “Privacy violations can result in financial losses…Many privacy violations involve the loss of important opportunities rather than direct financial injuries.”

Reputational Harms: “Reputational harms impair a person’s ability to maintain ‘personal esteem in the eyes of others’ and can taint a person’s image. They can result in lost business, employment, or social rejection.”

Emotional Harms: “One of the most common types of harm caused by privacy violations is emotional distress. Emotional distress encompasses a wide range of emotions, including annoyance, frustration, anger, and various degrees of anxiety. The impact of emotional harm varies depending upon the emotion triggered. Fear can be among the most damaging emotions given its impact on people’s life choices…Privacy violations can cause emotional distress that can impede someone’s life as much as certain physical injuries.”

Relationship Harms: “Privacy violations can harm personal and professional relationships as well as relationships with organizations. People modulate personal relationships by maintaining boundaries around their information or by withholding information from some people and not others…Relationship harms are two-fold: most immediately, the loss of confidentiality and in the longer term, damage to the trust that is essential for the relationship to continue.”

Chilling Effect Harms: “Privacy violations can produce harm by inhibiting people from engaging in certain civil liberties such as free speech, political participation, religious activity, free association, freedom of belief, and freedom to explore ideas. Such harm is often called a ‘chilling effect…’ Chilling effects have an impact on individual speakers and society at large as they reduce the range of viewpoints expressed and the nature of expression that is shared.”

Discrimination Harms: “Privacy violations can cause discrimination harms, which involve entrenching inequality and disadvantaging women and people from marginalized communities. Discrimination harms thwart people’s ability to have an equal chance to obtain and keep jobs, secure affordable insurance, find housing, and to pursue other crucial life opportunities. The misuse of personal data can be particularly costly to women, sexual minorities, and nonwhites given the prevalence of destructive stereotypes and the disproportionate surveillance of women and marginalized communities in their intimate lives.”

Thwarted Expectations Harms: “A common type of privacy violation involves thwarting people’s privacy expectations by breaking promises made about the collection, use, and disclosure of personal data.”

Control Harms: “Losing control over our personal data constitutes an injury to our peace of mind and our ability to manage risk. In the clutches of organizations, personal data can be used for a wide array of purposes for an indefinite period of time. Privacy laws seek to regulate data flows to protect individuals from potential downstream uses.”

Data Quality Harms: “Many privacy laws require that organizations adhere to the principle of ‘data quality’ — keeping data accurate, complete, and up-to-date… It can be hard for individuals to find out about errors and when they do, third parties will ignore requests to correct them without the real risk of litigation costs.”

Informed Choice Harms: “When individuals are not informed of their rights or not given important information, they are harmed because they lose their ability to assert their rights at the appropriate times, to respond effectively to issues involving their personal data, or to make meaningful decisions regarding the use of their data.”

Vulnerability Harms: “…failing to follow security safeguards that have not yet resulted in a data breach.”

Disturbance Harms: “Disturbance harms involve unwanted communications that disturb tranquility, interrupt activities, sap time, and otherwise serve as a nuisance.”

Autonomy Harms: “Autonomy harms involve the restriction, coercion, or manipulation of people’s choices. People are either directly denied free will to decide or are tricked into thinking that they are freely making choices when they are not…Manipulation can affect not just individuals but also create societal harm, as people’s decisions can affect not just themselves but society as well.”
