Professor: Make Companies, Not Individuals, Responsible for Privacy Protection

For example, despite the laws, some people believe they have no choice but to share their data, which can lead to fewer regulations based on the incorrect perception that people don't value their privacy, Solove said in a speech to the American Bar Association's Privacy and Emerging Technology National Institute.

“There are a lot of reasons" why people aren't taking privacy-protective steps that regulation has created, Solove said. One is “it’s not clear" to consumers that they "get a choice." Perhaps as importantly, "it's also not clear that consumers really understand the risks of what is going to happen with their data, and that is leading this behavior.”

There are other problems within the privacy paradox, said Solove. For example, many things that people are asked to do to protect their privacy "are not very meaningful,” he said. People are asked to read privacy notices, but lawyers write them not to be meaningful. "That's the skill of writing these things ... to write them in a way [that] they don't really pin down a company to anything.”

Despite all that, Solove said this is the “golden age of privacy law" and that "privacy law is really taking off." But while we're seeing privacy law "move about as fast as [it] has ever moved,” he said privacy law isn't working and is going in the wrong direction.

One of the main problems with many recent privacy laws is that they're based on "the futility of individual control.” For instance, though laws contain a right to delete or correct information and the right to access it generally, “these rights are not very helpful.”

And the privacy self-management approach "puts too much onus on the individual. It's just too much for individuals to figure out.”

For privacy self-management to work, he said, people must know which companies have their data, and constantly check, update, correct or delete it. And it’s a never-ending cycle since companies are always collecting information about people.

In addition, people must read and be able to make sense of privacy notices, which can be hard since they are written in a way that the average person may not understand, Solove said: Moreover, as noted earlier, lawyers draft notices to be as vague as possible, ensuring companies have a lot of leeway.

When the onus is on individuals to manage data, and they aren't vigilantly monitoring their information, the privacy paradox widens, he said.

Additionally, “privacy consent is fiction,” Solove said: No matter if there is an opt-out or opt-in system, “people really don't understand what they're deciding.”

An effective system would ensure that privacy protection is done structurally at a societal level. “We need to bring the uses of data under control,” he said. “It's true that our data is out of control, but that doesn't mean the individual then has the burden of somehow trying to rein all this in. The burden should be on the law to do it.”

One way to do this is by posing a duty of unreasonable risk, making sure there is safety and accountability, Solove said.

“But to expect sharks to suddenly turn into vegetarians, I think, is foolish, and that's what the law often is doing,” he said. “We hope that if we barely regulate [companies], they'll just self-regulate themselves.”

Since this isn't so, the law must hold companies accountable and make data policies safer and more privacy protective, said Solove.

He ended with a cautiously optimistic message. “We should be worried about privacy, and we should be worried about privacy dying, but it doesn't mean that it's dead, and it doesn't mean there's nothing we can do about it.” To accomplish this, "start thinking about [privacy] differently, and then the law [must take] a very different direction than it's taken.”