Corporate Privacy Failures Start at the Top

Victoria Schwartz is Associate Professor of Law at Pepperdine University School of Law. This post is based on a recent article by Professor Schwartz.

In my article, Corporate Privacy Failures Start at the Top, forthcoming in the Boston College Law Review, I offer a new theory to explain why corporations are so bad at privacy. We have all heard numerous stories of corporations neglecting to protect, failing to consider, or in some cases even intentionally violating the privacy of their consumers, employees, and even occasionally their shareholders. In recent years, consumer backlash has repeatedly caused corporations to issue apologies regarding their treatment of privacy, prompting the question of why the corporation failed to anticipate the privacy problem in the first case.

This corporate privacy failure phenomenon is not limited to technology companies. As the result of an internet-of-things world in which modern technology is rapidly being integrated into everyday objects, more traditional corporations have also found themselves facing scrutiny for failing to protect privacy. For example, the automobile industry has been under attack for failing to protect consumer privacy as it integrates modern technology into the automobile. Similarly in the toy industry, Mattel received criticism for the privacy-invasive way it integrated modern voice-recognition technology into its “Hello Barbie” doll, causing the doll to be insultingly nicknamed the “Eavesdropping Barbie.”

On the employee privacy side, in 2014 at a town-hall style meeting with AOL employees AOL CEO Tim Armstrong revealed that the company “had two AOLers that had distressed babies that were born that we paid a million dollars each to make sure those babies were OK in general.” Mr. Armstrong subsequently apologized after widespread outrage at the disregard for the privacy of his employees and their families. While Mr. Armstrong’s comments made headlines, far more ordinary corporate workplace invasions of privacy occur daily as the result of such commonplace corporate policies as drug testing, medical testing, corporate wellness programs, psychological and personality testing, and workplace surveillance programs ranging from monitoring e-mail to GPS tracking.

Even shareholders are not immune from the corporate privacy failure phenomenon. Original New York Stock Exchange member General Electric sent a supposedly anonymous survey to shareholders of their subsidiary, GE Investments, asking them to rate different aspects of the company. The shareholders were not informed that the return envelopes were coded such that the responses could be matched to names.

These sorts of privacy failure stories are neither unusual nor new. Famously, Sun Microsystems CEO Scott McNealy told reporters and analysts that consumer privacy issues are a “red herring.” “You have zero privacy anyway,” McNealy proclaimed, “[g]et over it.” Until now, scholars have explained the poor corporate treatment of privacy by focusing on various consumer-side theories ranging from consumers not carrying about privacy to various privacy-market failures by which consumers who do care about privacy are unable to make choices based on that preference in the market.

My article offers a new theory that adds an additional perspective to those prevailing consumer-centric accounts for why corporations inadequately consider and protect privacy. Rather than solely focusing on consumers, I argue that there is an additional corporate actor-side market distortion theory that could help explain poor corporate treatment of privacy. A combination of corporate disclosure laws that offer no express flexibility for protecting private personal information of corporate executives and legally-unchecked media interest in the personal lives of corporate executives means that individuals who choose to become corporate executives know that they will be unlikely to reliably maintain their own personal privacy. Therefore, individuals who do highly value their own privacy are less likely to pursue such high level corporate positions at publicly traded corporations. Instead, highly qualified individuals who value their privacy make different career choices in favor of different kinds of high-paying careers that allow them to maintain their personal privacy. As a result of this sorting-out effect, those remaining candidates who do pursue high level corporate executive positions are, on the whole, less likely to highly value their own privacy. This sorting effect within the executive suite that results in corporate executives who place a lower priority on personal privacy in turn impacts corporate privacy decisions as the result of a number of recognized behavioral and psychological phenomena and biases including often limiting the ability of the corporation to recognize when seemingly innocent neutral decisions may have privacy consequences.

In addition to offering a new theory to explain the corporate privacy failure phenomenon, the article offers some corporate-side solutions that would help counterbalance these causes. For example, as I have written about further in earlier work, the law could be changed to permit corporate executives to negotiate individualized disclosure policies limiting the corporate disclosure of certain types of personal information. Furthermore, good corporate governance practices can be amended to include chief privacy officers in order to ensure that there is someone within the corporate suite whose job it is to spot and address hidden privacy concerns. Finally, the article also presents a roadmap for future empirical work that can test various aspects of the theory offered.

The full article is available for download here.

Both comments and trackbacks are currently closed.