Information About Data: Ensuring Corporations are Aware of Their Own Data Practices
Mihailis Diamantis, Rishab Nithyanand
Privacy enforcement relies on an overlooked and often false premise—that firms know what their own data practices are. No enforcement action can induce firms to adopt responsible data practices if firms do not know where they fall short. This paper starts by offering a theoretical framework for assessing what firms know.
Drawing on cognitive scientific characterizations of system awareness, we propose that firms know some item of information when it is dispersed internally and poised for governing behavior. With respect to data handling practices, we argue this means that at least four internal constituencies would know how their firms collect, store, and use data: the technologists who directly manage data, the executives who make strategic decisions about data, the marketers who advertise firm data practices, and the attorneys who verify compliance with internal standards and external regulations. Next, we empirically demonstrate that firms know surprisingly little about their data practices. Our interviews and surveys of employees at firms that handle large amounts of personal data uncover three obstacles that prevent firms from having the sort of self-knowledge that deterrence presumes. First, firms may not generate the necessary internal reports on their own data practices. Second, even when such reports are generated, they may not be presented in a manner that is comprehensible across constituencies. And third, information tends to become siloed within firm units. This paper looks outside of privacy law for a solution. Recent scholarship on securities disclosures has highlighted the variety of goals that disclosures serve. While the main purpose of publishing financial disclosures is to inform outside investors, the process of preparing disclosures also has beneficial internal effects. It forces firms to study their own financial health and ensures that relevant corporate leaders are apprised of the results. Mandatory disclosures about corporate data practices could have a similar effect. Some states already require firms to publish generic information about data practices to consumers, but these disclosures lack the basic attributes that make financial disclosures effective—they lack detail, no human signs them, and they are not filed with any state authority.
Securities-style disclosures hold more promise. By carefully tailoring the content, format, and required signatories of data practice disclosures, authorities could force firms to generate, translate, and internally propagate important information. We provide a disclosure template that balances the cost to firms of preparing the disclosure with enforcers’ need to ensure firms know what they are doing with our data.