Mihailis Diamantis (U Iowa Law), Maaz Bin Musa (U Iowa), Lucas Ausberger (same), Rishab Nithyanand (same) has posted “Forms of Disclosure: The Path to Automated Data Privacy Audits” (62 Harv. J. L. & Tech.; Forthcoming) on SSRN. Here is the abstract:
The weakest link in privacy enforcement today is detection. For years, agencies and activists sounded the alarm about unregulated, opaque mechanisms that organizations employ to harvest, process, and sell online user data. Some state legislatures have responded in recent years by passing legislation to protect privacy rights. Federal legislation may not be far off. But privacy rights are meaningless without effective enforcement, and enforcement is blind without detection.
New techniques for uncovering privacy violations hold promise. Historically, this would have required access to data brokers’ books. Unsurprisingly, such access was not forthcoming.
Researchers now have tools that can carry out what this Article calls “closed book privacy audits,” detecting privacy violations without targets’ cooperation. For example, by selectively feeding fictitious personal data to online platforms and measuring its impact web experience, closed book privacy audits can track corporate use (and misuse) of personal information across the data ecosystem. Automated closed book privacy audits could uncork the detection bottleneck, empowering private and public enforcers.
There is one hitch… Privacy audits require both data to test and benchmarks to test it against. Crisp evaluative benchmarks have remained elusive. Emerging privacy laws require corporations to disclosures how they collect and use personal information. The laws do not mandate any particular form of disclosure. Through an original empirical study of privacy disclosures by California data brokers, this Article documents the result: a widely variable mishmash of opaque representations that are impossible to audit using a consistent procedure. We argue that the law should mandate uniform privacy disclosures in a machine-readable format. Regulators could borrow from standardized disclosure frameworks used by other regulatory bodies (e.g., the United States Securities and Exchange Commission) to simultaneously improve disclosure clarity and facilitate low-cost detection of violations through closed book audits.