Privacy Law Needs Cost-Benefit Analysis
Published by The Lawfare Institute
in Cooperation With
The debate over privacy law in the United States often takes place at the extremes. Proponents of comprehensive privacy reform often focus on the need for reform without contending with the costs of it. Meanwhile, critics of reform often articulate only the harms in new privacy rules. For proponents, reform has no costs, while for critics, reform has no benefits. Neither side wrestles enough with the trade-offs.
In this piece, we make three arguments: (1) The central problem with the privacy law debate is privacy absolutism; (2) to counteract this, privacy law must weigh the costs as well as the benefits of protecting privacy; and (3) judges and policymakers should build this balancing into legal review and policy development. Very simply, policymakers have the opportunity to enact reforms that will make things better, while avoiding reforms that make things worse on balance.
To ensure that we evaluate the relative strengths and weaknesses of major privacy proposals, we suggest several options that judges and policymakers might consider for embedding some form of cost-benefit analysis into their decision-making. Our intent is to establish the importance of focusing legislative analysis on trade-offs and then to introduce potential policy mechanisms to translate this theory into concrete policy and economic measurement tools. Others will be better equipped to determine how to optimize the use of cost-benefit analysis or other tools to evaluate privacy legislation.
The solutions we offer are intended to increase the speed and quality of policymaking in the tech sector. We do not intend for cost-benefit analysis to slow the pace of reform or to serve as a rampart to protect against change. In our view, developing processes for institutionalizing the evaluation of trade-offs in the policy development process will make debates less political, less uncertain, and more grounded in empirics. The result, we believe, is smarter governance that will yield better tech products and better experiences for the people who use them.
1. The Problem: Privacy Absolutism
The general stance of many privacy proposals is absolutist; they identify privacy harms but may be inattentive to the countervailing benefits of information sharing. Absolutism is rarely good policy because it does not adequately grapple with trade-offs.
Consider a few examples.
Comprehensive privacy laws—like the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act, and the proposed American Data Privacy and Protection Act—focus overwhelmingly on the costs of new technologies, rarely the benefits, and most importantly they lack a framework for balancing the two. But regulations aimed at reducing costs will also potentially limit some of the benefits. For example, studies provide evidence that the GDPR reduces innovation and investment in novel technologies as well as competition in the market. While the GDPR’s pursuit of a coherent set of privacy rules is admirable, that pursuit must be weighed against its costs.
Health laws often focus on protecting patient data, even if those protections come with great cost to medical innovation. For example, the leading health information law, the Health Insurance Portability and Accountability Act, or HIPAA, is cited regularly as a barrier to innovation in health care because of compliance costs and limits on how information can be collected and shared. Importantly, HIPAA applies or does not apply; there is no mechanism within the law for identifying moments when the benefits of sharing medical information outweigh the costs. But does the law currently strike the right balance of privacy protections and health care innovation in every instance? Recent evidence suggests not. During the coronavirus pandemic, health regulators relaxed HIPAA enforcement to expand the kind and number of telehealth providers in the country, without evidence that this step had negative privacy consequences. This at least suggests that the previous HIPAA regime was not striking the right balance of privacy protections against health care access and innovation. To be sure, private health information ought to be protected, but—and this is the crucial question—in what ways and at what cost to health care? How should this trade-off be made? HIPAA largely does not say.
So-called self-driving cars offer another example. Autonomy could bring about one of the biggest public health innovations in years: a significant reduction in road fatalities. This is possible because, of course, these vehicles collect and process enormous amounts of data about their surroundings. Accordingly, privacy advocates have repeatedly raised the alarm about how “the sheer mass of this information poses a potential threat to civil liberties and privacy,” because of course this data could be used to track how and where and when people move around. It makes good sense to be worried about location data because it is potentially quite revealing information. But any privacy proposal to limit the collection of sensor data from an automobile must be weighed against the massive boon to public safety that this technology promises.
There are even “privacy-privacy tradeoffs,” as law professor David Pozen has explained, where “enhancing or preserving privacy along a certain axis may entail compromising privacy along another axis.” For example, travelers can sign up for the Transportation Security Administration’s PreCheck program, through which they effectively trade personal information for “reduced access to your body and belongings.”
In each of these examples, there are rules that seek to protect privacy—which is undeniably important—but these rules fail to account for other competing values such as innovation, health, safety, or even in some instances different kinds of privacy.
2. The Normative Claim: Privacy Law Must Account for Trade-Offs
At some level, every area of the law requires trade-offs and often provides a mechanism for balancing competing interests. The First Amendment is the most aggressive constitutional guarantee of free speech in the world, for example, but it has limits. Incitement, defamation, and threats are not protected categories of speech. And the government can generally impose time, place, and manner restrictions on speech (such as a rule that bans loudspeakers late at night in a residential neighborhood).
So how are these trade-offs drawn? Courts have developed a kind of cost-benefit analysis. The constitutional standard of strict scrutiny requires that in any First Amendment challenge to some governmental restriction of speech, the government must show that it is pursuing some compelling government interest and that it is pursuing the least restrictive means of doing so. This standard forces courts to balance costs (speech restrictions, and what kind, narrowly tailored) and benefits (compelling governmental interests). The entire jurisprudence of First Amendment law is made up of similar trade-offs. The same thing can be said of just about every other right, too, because maximally protecting one right will usually create all sorts of unwanted harms.
Privacy is no different. The examples above illustrate how laws seeking to maximize privacy shortchange other societal interests. Of course privacy matters, but it does not obviously matter more than other important social goals like innovation, health, and safety. In that sense, privacy is just like other social values: It should be protected when the benefits of those protections outweigh their costs. The key thing is to determine which types of privacy protections and privacy reforms satisfy this criterion. Every policy proposal should therefore defend the claim: “This is important because it will make the world better in the following ways, and that world is better than the alternative universe where this regulation does not occur.”
In other words, privacy legislation should account for trade-offs. But how should it do that? Administrative agencies seem to have already answered this question: by utilizing cost-benefit analysis.
3. The Solution: Cost-Benefit Analysis in Privacy Law
To account for the trade-offs described above, judges and policymakers could institutionalize some form of cost-benefit analysis into the policy development process and the judicial review of privacy law.
Cost-benefit analysis seeks to quantify the costs and benefits of a proposal and examine how they compare to each other. The basic insight is that even when certain rules might be normatively desirable, a rule that imposes costs that dramatically outstrip benefits should be treated with skepticism. All good policymaking involves trade-offs.
Cost-benefit analysis is not without controversy. Critics claim that it undervalues certain interests that are difficult to quantify—such as the impact on human well-being—and that it attempts to put a price on things that are priceless, such as human life. Defenders counter that it actually can be effective in accounting for a broad range of difficult-to-quantify factors, and that the rigor of trying to quantify exactly what a policy’s impact would be is precisely why it is a valuable tool that should be integrated in decision-making. As legal scholar Cass Sunstein argues, “Under favorable conditions, the use of cost-benefit analysis can provide safeguards against decisions based on feelings, hopes, presumptions, perceived political pressures, appealing but evidence-free compromises, broad aspirations, guesses, or the wishes of the strongest people in the room.”
Both sides raise important considerations. Our argument is not that cost-benefit analysis should be dispositive but, rather, that building it into policy will spur smarter decision-making.
There are aspects of today’s policy process that involve quantifying costs, but none serve the same purpose as cost-benefit analysis. The Congressional Budget Office (CBO) scores legislative proposals to measure their impact on the budget, but that analysis should not be confused with cost-benefit analysis. CBO scoring measures only the impact of a proposal on the federal budget. It does not evaluate other costs, including harms to privacy, nor does it quantify benefits. It is possible, of course, that a law could have a negative impact on the budget but still be desirable if the benefits far exceed those costs.
Impact assessments are another tool that governments have imposed to try to ascertain costs. Increasingly, governments impose requirements on companies to conduct them in various contexts. California’s Age-Appropriate Design Code Act requires companies to produce assessments of the impact of their products on children, for instance. California’s privacy law requires companies to conduct privacy impact assessments, and a cottage industry of assessors has sprung up to help companies complete them. These assessments help firms to better understand the potential negative impacts of their products, but they typically fail to produce detailed assessments of benefits or evaluate the relative value of harms and benefits. They are also typically used for companies’ product and business decisions, rather than to inform policy debates.
Notice-and-comment rulemaking is another tool that policymakers use to gain information about trade-offs. When an agency publishes a proposed rule, it often provides an opportunity for the public to comment on the rule, and then it incorporates that feedback into a revised version. For example, the Federal Trade Commission is seeking comment on seven pending matters at the moment, all available here. The process might involve elements of cost-benefit analysis, since comments often forecast the possible impact the rule might have. But public comments rarely provide the rigorous assessments of both sides of the ledger that is a routine feature of cost-benefit analysis.
Additionally, courts use a number of tests to evaluate the legality of government rules, and some of these tests depend on well-executed weighing of competing trade-offs. In constitutional law, of course, courts have developed a sliding scale of formulas for navigating these trade-offs. Depending on the context, courts will use strict scrutiny, intermediate scrutiny, or rational basis review to determine how to balance governmental interests with other values. In administrative law, courts deploy what is known as hard look review to evaluate the adequacy of a federal agency’s decision-making, including whether the agency has adequately accounted for the potential costs of new rules. And in cases involving presidential powers, as law professor Thomas Merrill has shown, courts often deploy a discretionary form of deference whereby they “defer to executive interpretations [of the law] because sound judicial decision-making requires that they follow the precedent of a coordinate branch of government,” and the careful weighing of competing interests is key.
These balancing tests are hugely important, but they are also commonly criticized for being too open ended and not detailed enough to determine the outcome in a given case. But there is one branch of government that does routinely use much more detailed cost-benefit analysis: the executive. The White House Office of Information and Regulatory Affairs (OIRA) reviews executive rules to determine their costs and benefits, and provides this guidance to agencies to help inform the rulemaking process. The integration of cost-benefit analysis in the executive branch is the result of Executive Order 12866 in 1993, which mandated its use. As a result, while administrative agencies are granted broad latitude to create rules to effectuate their policy objectives, they are required to be disciplined about forecasting the impact of those rules.
Congress could be similarly disciplined in forecasting the impact of proposed legislation.
Taking this page from the executive branch playbook should be relatively simple for Congress, since it already has multiple offices that it could use to conduct cost-benefit analysis of proposed legislation. For instance, it could test this approach by tasking the Congressional Budget Office to establish a team to conduct a cost-benefit analysis of proposed privacy legislation, such as the American Data Privacy and Protection Act. The CBO is well positioned to do this analysis, since it already conducts budgetary scoring for certain legislative proposals, as described above. It would not need to perform this analysis for every proposal, just as it does not currently score each bill that is introduced in Congress. The need for the CBO scoring is triggered by a bill passing committee, and the same trigger could work for determining when a cost-benefit analysis is conducted.
Alternatively, this function could be housed in the Congressional Research Service (CRS), which provides detailed analyses of a wide array of policy issues. It provides analysis proactively, as well as in response to members’ requests. If the CRS were to conduct cost-benefit analyses, it could do so in response to a request from a member or when a bill reaches a certain stage of the political process, such as when it passes out of committee.
Selective cost-benefit analysis—rather than making it mandatory—is consistent with our goal of avoiding a scenario in which a request for a cost-benefit analysis would block the legislative process. Congress has struggled to pass new laws in the tech sector, and if a member could delay consideration of legislation by requesting a cost-benefit analysis for every proposal, the likelihood of tech reform would decrease even more.
Another option is to use existing cost-benefit analysis expertise and capacity at the Office of Information and Regulatory Affairs to inform the consideration of legislation that is likely to hit the president’s desk. For instance, the president could request that the OIRA perform a cost-benefit analysis for proposals that pass out of congressional committee, in anticipation of a floor vote in the House or Senate that might result in passing legislation that the president would then need to sign into law or veto.
Pre-passage cost-benefit analysis has the advantage of informing consideration of a bill, but post-passage evaluation of impact also produces important insights about trade-offs that will ultimately inform and improve policymaking in the long run. For example, legislation could institute audit committees to conduct impact assessments—taking into account benefits of the law as well as its costs—and then produce annual reports on the law’s progress. The law could specify the factors that the committee should evaluate. For instance, to understand the efficacy of a state or federal privacy law, lawmakers and observers might want to understand its impact on privacy harms, data breaches, and venture capital investment. These reports could include not only quantitative assessments but also qualitative analysis that explores the impact on well-being and start-up competitiveness.
An additional option is to focus on data production and sharing. Evaluating the impact of a new rule is difficult if neither the government nor companies produces, tracks, and shares relevant data. If new laws specified the data that should be retained and shared, then independent researchers could conduct their own cost-benefit analyses to measure impact. One benefit of this option is that it might create a proliferation of analyses, which might foster a productive debate about how different cost-benefit analyses identified and valued certain factors.
Lawmakers could also consider using experimental models to create real-world testing of products and policies. Policy experiments have been used by governments to test various public policy frameworks, while regulatory sandboxes have been used to provide regulatory relief to enable companies to test new types of products. Policymakers could use either of these options to establish trials of different privacy-protecting products or different privacy-protecting legal regimes. Alternatively, they could deploy hybrid models to trial new products and policies simultaneously. Any experiment should be limited in time and scope so that the trial can be evaluated, the products and policies can be improved with the learnings from the trial, and potential harms are cabined within the bounds of the experiment.
***
With personal data becoming increasingly intertwined with products and services that are part of American lives, regulators will understandably seek to institute new rules to govern privacy. Yet privacy is a social value like any other—one that must be weighed against competing values. Privacy advocates and regulators acknowledge this banal point, but very little serious attention has been paid to how to operationalize this trade-off.
We offer here one possibility: cost-benefit analysis. We propose in particular that legislators adopt the kind of specific cost-benefit analysis that is commonly deployed in administrative agencies. The aim is not to impose new roadblocks to privacy regulation. Rather, the aim is to ensure that privacy debates account for costs and benefits, and that forthcoming privacy legislation maximizes overall social welfare. The choice is not between protecting privacy or not; the choice is over how to protect privacy, and that is a choice that requires rigorous and systematic thinking about trade-offs.