You are on page 1of 16

Privacy and Innovation:

Information as Property and the Impact


on Data Subjects

RITA S. HEIMES

INTRODUCTION

n What Stays in Vegas: The World of Personal DataLifeblood of Big


Businessand the End of Privacy as We Know It (What Stays in Vegas),1
Adam Tanner describes the world of Big Data and the comprehensive
data collection practices of the casino industry. Casinos collect vast
amounts of personal information about their customers in an effort to
understand their consumption habits and behaviors, and therefore provoke
them to buy more goods and services. Casinos also gather and study
consumer information to detect and avoid security concerns and theft.
Tanner explores the pioneering data mining and analytics practices of
the Caesars Properties. He also delves into the entrepreneurial activities of
others who seize upon the opportunity to convert generally inaccessible
information into searchable electronic data, or to add value to vast troves
of information by developing useful analytical tools. These activities spur
economic growth and opportunitythe upside of innovationbut
potentially at a cost to individual privacy.

Counsel, Verrill Dana LLP; Senior Fellow, Center for Law + Innovation, University of
Maine School of Law.
1 ADAM TANNER, WHAT STAYS IN VEGAS: THE WORLD OF PERSONAL DATALIFEBLOOD OF
BIG BUSINESSAND THE END OF PRIVACY AS WE KNOW IT 4 (2014).

649

650

New England Law Review

v. 49 | 649

This Article explores the innovation examples uncovered and


described by Tanner in What Stays in Vegas. This Article argues that a loose
individual privacy regime helps foster entrepreneurship and innovation
bringing value to consumers and creating job opportunities. Incentives to
innovate in the Big Data context primarily stem from first-to-market, ease
of use, and accessibility opportunities rather than a traditional intellectual
property rights regime that rewards innovation with patent or copyright
assets.
This loose privacy rights regime cannot go unbounded, however, and
thus this Article explores the existing tort, contract, and regulatory regimes
for signs of proper restrictions on innovation to the extent it causes public
or private harm. Unlike intellectual property law, which empowers
individual property owners to enforce their own valuable rights against
others, privacy rights are weak and dispersed. Sounding in tort and
contract theories, they lack the statutory damages and other strong
remedies that incentivize enforcement. Perhaps this is why the United
States is a global leader in information innovationbut at what cost?
Part I of this Article describes the innovations Tanner unearths in What
Stays in Vegas. Part II discusses the traditional property rights regime in the
United States that typically forms the foundation of innovation and
entrepreneurship, principally (in the case of information) the role of
copyright law. Part III summarizes the privacy rights regime in the United
States and notes where it encourages innovation in data analytics and
digitization of analog information but does so at the expense of the data
subjects individual rights.
I.

Information Innovation

The primary subject of Tanners book is Caesars Entertainment2


(Caesars); in particular its data collection practices to track consumer
behavior. Under its prior name (Harrahs), the casino initially began
gathering information using the casino industries first full-scale loyalty
program called Winners Information Network or WINet.3
The WINet project was initiated by the inspiration of Harrahs
employee John Acres, who reverse-engineered a Speak & Spell toy and
thereafter created a prototype card reader that allowed slot machines to
identify their players.4 This illustrates the flash of genius creativity and
inventive behavior that is the foundation of innovation. Many ideas that

See id. at 16.


Id. at 2627.
4 Id. at 25.
3

2015

Privacy and Innovation

651

advance an industryor spawn a new oneare born in moments of


inquisitiveness and given life by motivated inventors with a platform to
test and deploy their ideas. To commercialize this technology, Tanner
reports, Harrahs spent years and millions of dollars installing a common
database across all of its properties . . . .5 Thus, one mans idea creates job
opportunities for others, and potentially generates an invention that can be
deployed in other markets.
The WINet systemand later the Total Rewards Programallowed
Harrahs to gather data on consumer behavior such as: how much a
consumer wagers in a day; what games she prefers; what food she eats;
what time of day, month, or year she visits; and what entertainment she
enjoys.6 Additional information gathered by the casino may complete a
customers dossier with information such as a favorite hostess or whether
the customer dines alone.7
In all . . . Caesars casinos know: Did you respond to an offer
when you came to the facility? Are you a resident with us at the
hotel or not? When do you come? How long do you stay? What
game do you play? How intently do you play it? Whats the
average wager? What sort of success did you have in the game?
Were you a big winner, a big loser, an average winner, an
average loser? Did you eat when you were with us? Did you go
to the show? What kind of dining habits do you have? Do you
shop?8

The Total Rewards program also collects a customers name, address


and date of birth, among other information. 9 This occurs when a customer
voluntarily enrolls in the program. The incentives for giving a casino such
personal details? Free blackjack chips, meals, drinks, perhaps even free
lodging.10 These offers are not made to everyonethey are made to the
individual customer who has earned the offer through her gambling and
other consumer activities at Caesars. Such individualized and targeted
offers are possible because of data analyticsalgorithms that humans
create and run using computers to make sense of data trends and connect
them to likely human behaviors. These formulas are themselves works of
considerable ingenuity and innovation.
Consumers love these opportunities, and indeed with such vast

Id. at 26.
Id. at 18.
7 TANNER, supra note 1, at 18, 39.
8 Id. at 35.
9 Id. at 37.
10 Id. at 39.
6

652

New England Law Review

v. 49 | 649

amounts of information about consumers, the enterprise is able to offer


those who spend the most money better perks than those who spend the
least.11 They are also able to determine who is a better customer in ways
that may not have been apparent prior to data collection and analytics. For
example, in prior years the industry may have rewarded only those who
spent a great deal on a single day with deals and special treatment, but
with long-term data collection and analytics the industry can now see that
small amounts spent multiple times per year is just as valuableif not
more so to the business. That repeat consumer, possibly ignored
previously, is now rewarded with more attention and valuable offers.12
Tanners research for this book extended beyond casinos to other
examples of Big Data innovation. He describes the evolution of what
became PeopleSmart, a reverse phone lookup company founded by
brothers Matthew and Brian Monahan. An entrepreneur at an early age,
Matthew sought inspiration from Warren Buffet and others to build his
next business in the inefficient markets where few other players had
dared to go.13 This is one of the hallmarks of innovation and
entrepreneurship, and offers a benefit to society by providing to consumers
services they otherwise would not have elsewhere. What seems obvious to
us today was the ingenuity and hard work of an inventor/entrepreneur
yesterday. Conversion of obscure public records and directories into
searchable electronic ones14 is sheer sweat equity and innovation. As
Tanner describes it, Matthew and Brian invested their own money and
years of their lives not only to manually enter analog data into a searchable
database, but also to test key words and number fragments that would be
attractive and accessible to potential consumers. 15
Vinod Gupta achieved the American Dream after moving to the
United States in 1967 and eventually creating a data brokerage company
that he started in his garage. His lists of potential customers (initially
mobile home vendors) had value to his employer and to others. 16 Gupta
understood that no one else had taken the time to compile this information
and make it readily accessible. He also understood that the information
could be rented to others repeatedly; he did not have to transfer

11

Id. at 31.
See id. (Harrahs create[d] more benefits for the repeat customer who spen[t] modest
amounts on each visit . . . [T]he company stated offering these regulars special perks such as
free valet service, faster check-in, and better buffets.).
12

13

See TANNER, supra note 1, at 53.


Id. at 5354.
15 Id. at 55.
16 See id. at 82.
14

2015

Privacy and Innovation

653

ownership of the database, but rather could share multiple copies of the
same information with multiple buyers. Guptas company, eventually
called InfoUSA, was so lucrative Gupta was eventually able to take the
business public.17
Other examples of innovation in data collection and analytics include
databases and software that predict ethnicity, allowing more targeted
marketing based on cultural preferences, geography, and neighborhood
analytics.18 Although racial and ethnic profiling for commercial purposes
meets with obvious skepticism, Tanners balanced research also
demonstrates that the use of the information is backed by innovative and
sophisticated algorithms and analytics techniques.
Tanner discusses in adequate detail the consumer interest in
personalization of products and services, noting that what many find
creepy many others enjoy and even have come to expect.19 Were it not
for regulation, Tanner reports, slot machines and other gambling devices
would already be able to assimilate personal information about their users
and tailor the game to their unique data. Tanner describes a slot machine
entrepreneur whose slot machines of the future would introduce bonus
rounds and winnings based upon who the player is.20 If one can set aside
moral judgment regarding the gambling industry, as well as the potential
for unfair treatment of vulnerable consumers, both of which are valid
concerns, the machines ability to adapt to its user through interface with
personalized data is remarkable innovation.
II. Innovation Assets
Now everything has changed. Now the bottom line, the bean counters
have said that every department has to make money.21
Tanners account of how casinos gather and use information illustrates
the ultimate motivation for such practices: the bottom line. Profiting from
data collection and analytics is obviously the reason most commercial

17

Id. at 8283.
Id. at 8688.
19 TANNER, supra note 1, at 77, 19091 (Loveman scoffs at personal-data-rich firms that
dont provide individualized services. He gives the example of his own American Express
Black Card, for which he paid a $7,500 initial premium and must pay another $2,500 even
though there is absolutely no service that has been provided . . . based upon what they have
learned about him). Tanners sources opine that creepiness is fungible and changes over
time: We will never have the anonymity that we once had. That is part of the price of living
in modern society. Id. at 191 (quoting entrepreneur John Acres).
18

20
21

Id. at 190.
Id. at 32 (quoting former Las Vegas Mayor Oscar Goodman).

654

New England Law Review

v. 49 | 649

enterprises engage in Big Data activities.


Technological innovation and expressive creativity are central to the
development and progress of the American economy, as well as to society
at large. Encouragement for invention and creative expression can be
found in no lesser a place than the United States Constitution. Article I,
Section 8, Clause 8 provides that Congress has the power: [t]o promote
the progress of Science and the useful Arts, by securing for limited Times
to Authors and Inventors the exclusive Right to their respective Writings
and Discoveries . . . .22
Congress invoked this power in passing the Patent Act 23 and the
Copyright Act.24 The fundamental purpose behind these laws, establishing
the rights of inventors and authors to exclude others from using or copying
their intellectual property, is to encourage innovation through a propertyrights reward regime.25 Fundamental to intellectual property legal regimes
is the notion that invention is costly, time consuming, and often inherently
expensivebut copying is cheap.26 If copying the fruits of anothers
ingenuity were acceptable, many would simply wait for others to expend
inventive efforts and capitalize on those results without investing their
own resources in research and development. This would, in turn, generate
disincentives for inventors and authors either to be creative in the first
place or, at a minimum, to disclose their creations to the public. With only
copiers and no creators, society would not advance. Therefore, legal
incentives not only to create, but also to feel confident in disclosing and
commercializing inventions, are necessary for the improvement and
enjoyment of society. The reward is a period of time when patented
inventions may not be made, used, or sold by others, 27 and works of
authorship may not be copied, displayed, distributed, or revised by others,

22

U.S. CONST. art. I, 8, cl. 8.


See 35 U.S.C. 1390 (2012).
24 See 17 U.S.C. 1011332 (2012).
25 See Robert Cooter, An Escape from Poverty: Developing Productive Organizations, 12 SW. J.L.
& TRADE AM. 181, 183, 186 (2006) (explaining the property principles allow those who
generate wealth to keep most of it which motivates people to generate property rather than
steal from others).
23

26 E.g., JAMES BOYLE, Preface to SHAMANS, SOFTWARE, AND SPLEENS: LAW AND THE
CONSTRUCTION OF THE INFORMATION SOCIETY, at xi (1996) (In market terms, information has
significant public good qualities; it is often expensive to create or generate but cheap to
copy.).
27

See 35 U.S.C. 271(a) (Except as otherwise provided in this title, whoever without
authority makes, uses, offers to sell, or sells any patented invention, within the United States
or imports into the United States any patented invention during the term of the patent
therefor, infringes the patent.).

2015

Privacy and Innovation

655

at least without the inventors/creators authorization28 and presumably


financial reward.
Are any of these incentives at play in the Big Data regime? Patents are
not really a factor, for they apply to any new and useful process, machine,
manufacture, or composition of matter, or any new and useful
improvement thereof29 which, except for nuances surrounding data
analytics algorithms and a variety of other sophisticated computing
techniques, generally does not apply to data collection, analysis, and
usage.30
Copyright law, however, may provide a better fit; although as we will
see, even copyright law is not terribly accommodating to mere collections
of facts. Copyright generally applies to original works of authorship fixed
in any tangible medium of expression.31 The hallmark of copyright law is
originality, which embodies both the notion that the author is the first
(original) creator of the work, and also that the work itself must represent
at least some modicum of creativity. 32 The standard is very low indeed, but
not so low that it includes mere facts. Section 102 of the Copyright Act
excludes from copyright subject matter any idea, procedure, process,
system, method of operation, concept, principle, or discovery, regardless of
the form in which it is described, explained, illustrated, or embodied in
such work.33
Databases, in copyright terminology, fit most neatly, if anywhere,
under the definition of compilation. A compilation is defined in the
Act as a work formed by the collection and assembling of preexisting
materials or of data . . . .34 For many years, one rationale for protecting
compilations under copyright was the sweat of the brow doctrine which
acknowledged the need to reward the compilers efforts and the unfairness
of allowing others to use the work without expending the time and labor of
investigation.35 This rationale was rejected by the United States Supreme
28

See 17 U.S.C. 106 (setting forth the copyright owners rights).


35 U.S.C. 101.
30 The Patent Act excludes from patentability laws of nature, natural phenomena, and
abstract ideas, therefore restricting the patent eligibility of software and business methods.
Alice Corp. Pty. Ltd. v. CLS Bank Intl, 134 S. Ct. 2347, 2354, 2357, 2360 (2014).
29

31

17 U.S.C. 102(a).
See Bleistein v. Donaldson Lithographing Co., 188 U.S. 239, 250 (1903).
33 17 U.S.C. 102(b).
34 17 U.S.C. 101.
35 See Database and Collections of Information Misappropriation Act of 2003, Before the
Subcommittee on Courts, the Internet, and Intellectual Property and the Subcommittee on Commerce,
Trade and Consumer Protection Committee on Energy and Commerce, 108th Cong. (2003), available
at http://www.copyright.gov/docs/regstat092303.html (Statement of David O. Carson, General
32

656

New England Law Review

v. 49 | 649

Court in Feist Publns, Inc. v. Rural Tel. Serv. Co.,36 which held that creativity
rather than sweat of the brow was required by the United States
Constitution as a prerequisite for copyright protection. This holding
considerably narrowed the protection copyright can provide to databases
as compilations.
What remains is a thin layer of copyright protection for
qualifying databases. In order to qualify, they must exhibit some
modicum of creativity in the selection, arrangement, or
coordination of the data. The protection is thin in that only the
creative elements (selection, arrangement, or coordination of
data) are protected by copyright. Explanatory materials such as
introductions or footnotes to databases may also be
copyrightable. But in no case is the data itself . . . copyrightable.37

The vast data collections described in What Stays in Vegas will struggle
for meaningful copyright protection, particularly to the extent they are
mere collections of public records translated into digital format and
organized in a useful but not creative way (such as alphabetically, or by
ZIP code, or in some other obvious and non-creative manner). It is the fate
of databases generally to be useful and not creative in their selection and
arrangement; after all, to allow for resale and licensing of such information
for direct marketing purposes, for example, the information must be
accessible in its format and delivery. Creativity may hinder function and
thereby render the information sets less commercially valuable.
Nonetheless, the personal information troves generated through the
Total Rewards program, for example, could conceivably enjoy copyright
protection if maintained in a certain fashion. One could argue that the
decisions about what data to collect reflect creativity. Wagers made, food
consumed, hostesses preferredthese are data points that the casinos have
undoubtedly determined, through experience and ingenuity, are
important. The Rules and Regulations for the Total Rewards program
state that some choices about a gamblers wagers and playing activities are
based on the judgment and observations of casino employees. 38 That
selection could provide the creative spark necessary for copyright. What
is unknown is how the databases are arranged or coordinated.

Counsel, testifying regarding the Database and Collections of Information Misappropriation


Act of 2003) [hereinafter Statement of David O. Carson].
36

499 U.S. 340, 345, 353 (1991).


Statement of David O. Carson, supra note 35.
38 Total Rewards Rules and Regulations, TOTALREWARDS, https://www.totalrewards.com/
images/total_rewards/Total_Rewards_Rules_Regs.pdf (last visited July 30, 2015) [hereinafter
Total Rewards and Regulations].
37

2015

Privacy and Innovation

657

The value of copyright protection lies primarily in the definition of the


databases as corporate assets. If copyright applies to a database, it may
have value as collateral for securing financing, triggering a host of
securitization requirements, and special treatment in bankruptcy. The asset
will remain a general intangible with or without copyright, but the
added layer of property protection under federal law provides added
protections against misappropriation, which should result in higher
valuation of the database as collateral.39
Data brokers may also characterize their rights to the information
under contract law. The Total Rewards Rules and Regulations provide
that Caesars may share the information collected with third parties, and
further that Caesars may have unconditional use of participants names
and likenesses for promotions/advertising and announcements without
compensation, consideration, notice, review, or further consent.40 In
bankruptcy, a privacy policy may be treated as an executory contract,
requiring an acquiring company to continue to abide by the policys
terms.41
Database owners may be able to use state trade secret laws or the
business tort of misappropriation to protect unauthorized use by others of
information gathered and maintained for commercial purposes. Employees
may be prevented from gaining unauthorized access to the information
through their employment contracts and federal law protecting
information stored on computers. Although these laws have their origin in
preventing unfair and unlawful conductrather than incentivizing
innovationthey are nonetheless important tools for database owners to
understand how to protect and maintain the value of their information
assets.
III. Consumers Privacy Rights
Innovation and its commercially valuable byproducts may not always
come without cost. In the case of Big Data, one possible societal cost is
borne by consumers facing diminished personal privacy. This section
explores the legal rights of consumers whose personally identifying

39 See generally 11 U.S.C. 365(n) (2012) (addressing licenses regarding rights in intellectual
property as executory contracts); see also Kenneth M. Misken & Camisha L. Simmons,
Government Addresses Privacy Concerns in Bankruptcy Sales, 31 AM. BANKR. INST. J. 28, 28 (2012)
(discussing value of consumer data in bankruptcy and restrictions on its transfer pursuant to
363 of the Bankruptcy Code).
40

Total Rewards Rules and Regulations, supra note 38.


Warren E. Agin, The Internet Bankruptcy: What Happens When the Bell Tolls for the
eCommerce Industry?, 1 J. HIGH TECH L. 1, 15 (2002).
41

658

New England Law Review

v. 49 | 649

information forms the basis of databases collected for marketing purposes,


whether for internal use by enterprises or for sale by data brokers.
In general, there are few legal restrictions on consumer data collection
and use in the United States. The lack of regulation has allowed the data
brokerage industry to thrive in the United States. It is fair to argue that the
United States leads innovation in information technology and data
analytics, in part, due to the lack of government interference with such
practices.42
Consumers are, in essence, treated as free to negotiate for themselves
with regard to their own data. If they choose to sell their personal
information in exchange for rewardsfree or discounted goods and
services, or personalized commercial offeringsthen the state and federal
legal regimes in the United States are unlikely to interfere with that
bargain. These bargains take place when consumers agree to terms and
conditions, privacy policies, or other one-sided, non-negotiable provisions
accompanying a data-collection program like the Total Rewards program
described in What Stays in Vegas.
It is true, as Tanner notes, that no one reads privacy policies because
they are so dull and obtuse.43 Nonetheless, they are generally held to be
binding on consumers.44 The Total Rewards Rules and Regulations have
remarkably little to say about how consumer information will be stored,
maintained, or shared after collection. Two provisions that touch on data
use and sharing are:
24. Caesars engages in various strategic relationships with other
companies, which may result in the Member being able to
accumulate additional Reward Credits due to the Members
relationships with such companiessee the Total Rewards
Center for additional information.
. . . .
26. Members agree to allow Caesars the unconditional use of
their name and likeness for promotions/advertising and
announcements without compensation, consideration, notice,

42 See Robert Wiblin, U.S. Laissez-Faire Serves a Greater Global Good, OVERCOMINGBIAS (Jan.
28, 2013, 10:39 AM), http://www.overcomingbias.com/2013/01/us-laissez-faire-serves-agreater-global-good.html.
43

TANNER, supra note 1, at 103.


For a useful discussion of enforceability of privacy policies and recent Federal Trade
Commission (FTC) actions relating to online behavioral tracking, see Susan E. Gindin, Nobody
Reads Your Privacy Policy or Online Contract? Lessons Learned and Questions Raised by the FTC's
Action Against Sears, 8 NW. J. TECH. & INTELL. PROP. 1, 1213 (2009).
44

2015

Privacy and Innovation

659

review or further consent.45

These provisions indicate that consumers participating in the Total


Rewards program may expect their personal information to be shared with
other companies with whom Caesars has strategic relationships, and that
their personal information may be used for advertising and
announcements, presumably including targeted marketing. In short,
Members of the Total Rewards program have very little contractual basis to
expect privacy of their data in the hands of Caesars and its affiliates.
Another company Tanner profiles in What Stays in Vegas is
PeopleSmart, which helps Internet users locate others phone numbers and
addresses. The PeopleSmart privacy policy describes in great detail the
kinds of information collected, and how it is collected, used, protected, and
shared.46 Protection promises include compliance with the Payment Card
Industry Data Security Standard, encryption of sensitive information,
access restrictions for employees, and generally accepted security
standards.47 PeopleSmart promises not to share information except with
the users permission, but notes that it does share the minimum amount
of information necessary with certain trusted third parties that provide
services to PeopleSmart.48 The website additionally has opt out
information to allow anyone who does not wish to be in the database to
remain anonymous.49
Instant Checkmate, another data collection firm Tanner profiles, is
equally open about its privacy practicesbut more likely to share
information than PeopleSoft or Total Rewards. Its privacy policy clearly
provides that Personal Information (defined to include name and contact
information, financial data, and demographic data) may be tracked, used
for direct marketing purposes, and shared with Instant Checkmates
partners.50 Regarding security of such information, the policy states:
Instant Checkmate uses reasonable security measures to protect against
the loss, misuse, and alteration of the information under Instant
Checkmates control.51

45

Total Rewards Rules and Regulations, supra note 38.


See Privacy Policy, PEOPLESMART, https://www.peoplesmart.com/privacy-policy (last
visited July 31, 2015).
47 Id.
48 Id.
49 See PeopleSmart Opt-Out Policy, PEOPLESMART, https://www.peoplesmart.com/optoutpolicy (last visited July 31, 2015).
46

50 Privacy Policy, INSTANT CHECKMATE, http://www.instantcheckmate.com/privacy_policy/


(last visited July 31, 2015).
51

Id.

660

New England Law Review

v. 49 | 649

Violating these privacy policy terms may give rise to contract claims by
consumers, but proving damages for such claims has proved to be a
stumbling block for many lawsuits attempting to enforce privacy policy
breach. A more effective enforcement of consumer privacy rights involves
action by the Federal Trade Commission (FTC) under section 5 of the
Federal Trade Commission Act, which provides that unfair or deceptive
acts or practices in or affecting commerce, are . . . unlawful.52 The FTC has
successfully brought enforcement actions against companies whose
mishandling of consumer information contradicts their privacy policies.53
For example, when a company promises never to share or sell customer
data and does so anyway, that can form the basis of a Section 5 claim by
the FTC. When a company promises to keep information secure and suffers
a data breach, it may also face a finding of unfairness or deception.54
The basis of the FTC enforcement actions is not lack of consumer
privacy per se, but rather breach by a business that collects personal
information of its promises to protect that information. Modern privacy
policiesmore likely called privacy statements todaytrend toward
plain language explanations of what information is collected about
consumers and how it is used. If the information is sold or otherwise
available to third parties, the statements will so provide. If security cannot
be assured, the policies will give warnings such as: Whether honesty in
privacy statements is sufficient to avoid FTC Section 5 enforcement actions
remains to be seen.55
Although health,56 financial,57 and student58 information are examples
of the most heavily regulated in the United States, some privacy-oriented
legislation applies to consumers whose information is gathered, analyzed,
and used by Big Data industries. Tanner describes how Instant Checkmate

52

15 U.S.C. 45(a)(1) (2012).


See Gindin, supra note 44, at 24.
54 See FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602, 607, 62829 (D.N.J. 2014)
(holding that the Federal Trade Commission has authority under 5 of the FTC Act to bring
action against a company for failing to adequately safeguard its network).
53

55 To the extent privacy policies are not considered contracts, some have proposed
consumer remedies under theories of unjust enrichment, or the little FTC Acts common in
many states that give consumers a private cause of action when faced with unfair or deceptive
acts (such as dishonest privacy policies or inadequate information security regimes). See Agin,
supra note 41, at 1315.
56 See Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110
Stat. 1936 (1996) (codified as amended in scattered sections of 42 U.S.C.); see also HIPPA
Privacy Rule, 45 C.F.R. 164.502 (2014).
57
58

15 U.S.C. 680103 (2012).


20 U.S.C. 1232g (2012); 34 C.F.R. 99.2 (2014).

2015

Privacy and Innovation

661

ran afoul of the Fair Credit Reporting Act59 by allegedly advertising its
background check services to employers and landlords without ensuring
the reports were accurate or that those coming to the site had a
permissible reason to receive such reports.60
If data collection applies to children under the age of thirteen, the
Childrens Online Privacy Protection Act (COPPA) applies.61 COPPA
directly relates to websites that collect consumer information, concerning
itself only with sites that are directed at children or knowingly collect
information from a child under the age of thirteen. Regulations
promulgated in 2013 clarify that COPPA applies to advertising networks
that may collect personal information from a sites visitors, and includes
geolocation information and persistent identifiers within the definition
of personal information.62 The statute does not prohibit the collecting
and use of personal information about children, but rather imposes privacy
notice requirements and data security measures on the collected data, and
prohibits site operators from conditioning a childs participation in
activities on the collection of more personal information than is . . .
necessary . . . [for the] participat[ion] in such activit[ies].63
California also recently passed a law, operative as of January 1, 2016,
which will prevent enterprises that offer online services to K-12 students
from targeting advertisements to those students. 64 Because the statute
applies to persons who are in high school, it covers persons who are older
than thirteen. The law expressly prohibits an operator of an Internet web
site, other online service, or mobile application from knowingly engaging
in targeted advertising to; using information to amass a profile about;
selling, or disclosing (except in certain circumstances) the personally
identifiable information; or materials created or providing by or about a K12 student.65
Laws protecting the personal information of minors collected when
they are consuming Internet or mobile application services could provide
models for legislation applying to consumers at large, if Big Data abuses
become egregious. More likely, however, is that existing tort laws

59

TANNER, supra note 1, at 73; see also 15 U.S.C. 1681 (2012).


TANNER, supra note 1, at 73.
61 See 15 U.S.C. 6501.
62 Childrens Online Privacy Protection Rule, 16 C.F.R. 312.1312.3 (2014).
63 Id. 312.3
64 Student Online Personal Information Protection Act, S.B. 1177, ch. 839, 20132014 Sess.
(Ca. 2014), available at https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=20
60

1320140SB1177.
65 Id.

662

New England Law Review

v. 49 | 649

protecting against public disclosure of private facts, and the FTCs growing
enforcement power with regard to data security concerns, will be the most
prominent consumer protection weapons of choice.
State breach notification laws are also playing a more prominent role in
consumer privacy protection. When private information is shared with
unauthorized parties, typically via a technical glitch, due to a stolen
computer, or a hacking incident, a patchwork of state laws require
notification of affected data subjects as well as regulators. 66 Many of these
laws also require the data collector who suffered the breach to pay for
identity theft and credit monitoring services on behalf of the affected
consumers.
Consumers also have some protections if the owner of a database
containing personal information files for bankruptcy. The Bankruptcy
Abuse Prevention and Consumer Protection Act of 200567 created an
exception to the general rule encouraging sale of assets in bankruptcy.
Under section 363(b) of the Bankruptcy Act, when a party filing
bankruptcy (the debtor) is a company that had offered consumer products
or services subject to a privacy policy that was still in effect when the
debtor filed its bankruptcy petition, then limitations may be placed on the
sale of data collected pursuant to that privacy policy. 68 In particular, the
sale must be consistent with the privacy policys terms. If selling the data
would not be consistent with the privacy policy (if, for example, the policy
had stated we will never sell or share your information with any third
party) it may be possible for the database to be sold. This may only
happen after appointment of a disinterested consumer privacy
ombudsman (CPO) who considers the impact on consumers privacy
and makes a recommendation regarding appropriate disposition of the
data.69
This statutory regime facially appears useful to protect consumers
interests should the sale of their information by a failing casino, for
66

See,
e.g.,
Security
Breach
Notification
Laws,
NCSL
(Jan.
12,
2015),
http://www.ncsl.org/research/telecommunications-and-information-technology/securitybreach-notification-laws.aspx (providing a useful summary of state laws relating to data
breach notification); see also State Data Security Breach Notification Laws, MINTZ LEVIN (Jan. 1,
2015), http://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_
data_breach_matrix.pdf (listing matrix of state data breach laws with relevant provisions
extracted).
67 Bankruptcy Abuse Prevention and Consumer Protection Act of 2005, Pub.L. No. 1098,
221, 231, 119 Stat. 23 (codified as amended in scattered sections of 11 U.S.C.).
68

11 U.S.C. 363(b) (2012); see also Misken & Simmons, supra note 39, at 71.
11 U.S.C. 363(b)(1)(B); see also Jessica D. Gabel, CSI Law Vegas: Privacy, Policing, and
Profiteering in Casino Structured Intelligence, 3 UNLV GAMING L.J. 39, 4950 (2012).
69

2015

Privacy and Innovation

663

example, be likely to compromise their privacy. Professor Jessica Gavel


explored just this issue in an article on casino data practices:
With the enormous dragnets of consumer data employed by
casinos, those businesses seem an obvious fit for regulation of the
transfer of consumer information. Yet, casino bankruptcies often
fail to utilize a CPO. In the recent Chapter 11 reorganization of
Station Casinos, the bankruptcy court authorized the sale of
primary consumer data. The buyer was given exclusive rights
over the information. The bidding agreement contained no
mention of supervision or concern about the consumers
privacy.70

If a privacy policy is drafted to allow the free transferability of personal


identifying information,71 then consumers have little remedy in the event of
a wholesale transfer of their data whether in bankruptcy or otherwise.

CONCLUSION
Adam Tanner exposes in fascinating detail the business motivations of
consumer behavioral tracking using the gambling industry for illustration.
His excellent reporting allows us to meet the people behind Big Data, to
put a human face on what consumers otherwise experience as automated
advertising, rewards programs, and unsolicited mail. What Stays in Vegas
does not necessarily make the collection and use of personally identifying
information less invasive, pervasive, or creepy. Tanner, after all, selects an
industry that many would already find distasteful. But his reporting also
exposes the innovation and entrepreneurship behind Big Data. He further
demonstrates that consumers have, quite willingly in most cases,
participated in sharing their own information in exchange for rewards of
varying value.
The United States has generally encouraged innovation and

70
71

Gabel, supra note 69, at 52 (footnotes omitted).


Misken & Simmons, supra note 39, at 71.
A company armed with knowledge of how privacy concerns are
addressed in bankruptcy is a step ahead with respect to ensuring that any
potential sale of its assets will not be thwarted or delayed due to
bankruptcy and nonbankruptcy . . . laws. Pre-petition companies should
consider drafting privacy policies . . . that could expressly allow for the
free transferability of PII . . . .

Id. It is important to note that databases containing protected information such as medical
records are provided greater protection under the Bankruptcy Act than consumer data
collected for general commercial and marketing purposes. See Luis Salazar, Privacy and
Bankruptcy Law, 25 AM. BANKR. INST. J. 58, 59 (2007).

664

New England Law Review

v. 49 | 649

entrepreneurship through its property-rights regimes, including


intellectual property laws. It has also allowed businesses to self-regulate
their consumer data collection and use habits, with exceptions for highly
sensitive information like medical, financial, and student data, as well as
information gathered from or about children. The hands-off approach to
data regulation has allowed the data industries to thrive in the United
States, creating many jobs and generating wealth. Many of the
entrepreneurs Tanner profiles in What Stays in Vegas may have started out
with little but their ingenuity and hard work allowed them to develop
products and services of value to consumers, and to grow companies that
employ many people.
The current United States legal and policy regimes regarding consumer
privacy and innovation seem to be in relative balance. Entrepreneurs are
allowed and encouraged to innovate. Consumers receive the rewards of
this innovation through enhanced services and personalization. Sensitive
data is regulated and companies are prevented by consumer protection
laws from failing to disclose their data collection policies, misrepresenting
how they will handle data, or by adopting inadequate information security
regimes.
There is always room to improve consumer protection, and there will
always be entrepreneurs who demonstrate new ways to take unfair
advantage of unsuspecting and innocent people. But in general, as Adam
Tanner artfully demonstrates in What Stays in Vegas, privacy laws and
norms in the United States appear to exist in harmony with innovation
policies.