Written by Katie Booth
Edited by Vivian Tao
I. Introduction: Not all data uses are created equal.
Google recently introduced a new social networking tool called the Google+ project, which capitalizes on the fact that consumers want more control over whom they share their personal information with online. Google+ allows users to set up separate groups—such as a group for friends, a group for family, and a group for coworkers—and then share different information with each group. This recognizes a simple fact of life: As Google puts it, “[n]ot all relationships are created equal.” The popularity of the national Do Not Call Registry, which prohibits telemarketers from calling phone numbers listed in the registry, is another example of consumers’ desire to keep particular groups of people, such as telemarketers, from using their personal data.
In Sorrell v. IMS Health, however, the Supreme Court held that the First Amendment did not allow the government to regulate speech on the basis of the types of categorical distinctions between speakers that consumers make all the time. Invalidating a Vermont statute that prohibited data mining companies from using physician prescription data for marketing purposes, the Court held that the government could not engage in “content” or “viewpoint” discrimination against marketers by prohibiting the commercial use of this data while permitting its non-commercial use. Sorrell at 2659, 2663-64. This ruling, which seemingly has its roots in the Court’s Citizens United decision, eviscerates the commercial speech doctrine—the First Amendment doctrine governing speech with a commercial viewpoint and content—by effectively holding that the government cannot regulate commercial speech, such as marketing, differently than other types of speech just because the speaker is a corporation or the content of the speech is commercial.
If Sorrell applies to the world of online data, then the Court leaves legislatures with difficult choices when it comes to regulating data privacy. Under Sorrell, legislatures cannot regulate the commercial use of data any differently than its non-commercial use. This means that proposed legislation such as the Commercial Privacy Bill of Rights Act of 2011 (“Commercial Privacy Bill”), which aims to do precisely the opposite, would likely not pass constitutional muster. Instead, legislatures may have to consider universal opt-in or opt-out schemes, under which consumers could individually opt in or out of the use of their personal data for any purpose, not just commercial use. In its opinion, the Sorrell Court mentioned HIPAA, the Health Insurance Portability and Accountability Act of 1996, which requires all consumers to receive and acknowledge notice of the ways in which health care providers may use their personal data, approvingly in this context. However, both opt-in and opt-out data privacy schemes may negatively affect innovation, research, and even privacy. If legislatures choose to pass consumer data privacy laws in the wake of Sorrell, they will face difficult choices between competing values and may ultimately leave consumer data privacy up to the market. (more…)