In the past 10 years we've had a natural experiment in relying on market forces. The belief was that if we leave it to the free market, the free market forces will allocate data and privacy in ways that promote our needs. The problem—even with the market fundamentalists—is that we didn't appreciate these barriers to entry and these network effects, which are unique in this data-driven market.
One thing is that market forces will not necessarily provide the solution. We should not rely on that. We can have very powerful firms that can dominate an industry for years and could adversely affect innovation as well.
Given that, there is a role for the government. What type of role should the government play? Up to this point the government has more or less taken a “notice and consent” standpoint, which is that the company just has to provide a privacy statement and that, as a result, will be sufficient.
I was at a conference last weekend. Joseph Turow from the University of Pennsylvania does a study every few years. What people have found is that when you say to someone that a company has a privacy statement, they assume the company is protecting privacy, even though the privacy statement could be to the contrary. Putting too much on the consumer to read and to navigate this.... It is too much.
I would argue instead to look at some good privacy-by-design or privacy-by-default mechanisms to make it easier on the consumer so they don't have to read these privacy notices. Even when they read the privacy notices, many of them say there is no ability to negotiate. What would be an alternative to this scenario? Here, it might be data minimization—that a company can't collect data if it's not necessary for them to provide that product, and the individual can say no. They have universal opt-out. They would expressly have to opt in for particular instances, and it would be well explained to them.
That's a little something that I would encourage you to explore.