Official Blog of the AALS Section on Contracts

Privacy Legislation and Contractual Authority

February 12, 2021

Contracts and data governance go hand-in-hand.  In the absence of regulation, parties engage in private ordering – at least in theory.  But even when there is regulation, contracts often play a pivotal role.  In most cases, data governance laws are essentially laws regulating contracts.  California recently passed the country’s first real sweeping privacy law.  Although it is a giant step in the right direction, it would be better if the opt-out had been an opt-in to the sale of personal information.  I was delighted and surprised when blogmeister Jeremy Telman passed along information about another state that may pass legislation that may be even more proactive and protective of consumers’ privacy than California’s sweeping new law.  That state?  Oklahoma.  The bi-partisan House Technology Committee unanimously passed the Oklahoma Computer Data Privacy Act, House Bill 1602, which requires technology companies to obtain “explicit” permission to collect and sell consumer data.  The bill now goes to the House floor.

The bill is promising because it presumes privacy protections rather than forcing the consumer to opt out.  As I know from experience, some companies make it rather difficult to opt out by having you mail in written forms rather than clicking a box (contrast that to how easy they make it to enter into a wrap contract in the first place).  Some companies make it hard to figure out how to even opt out.  Clearly more needs to be done here.

What I particularly like about the Oklahoma bill is that it provides that “contracts or other agreements purporting to waive or limit a right, remedy or means of enforcement are contrary to public policy and are void.”  This provision recognizes what all readers of this blog know by now – nobody reads wrap contracts.

But in addition to the no-reading problem, there is another reason that this provision makes sense.  Certain issues relating to privacy and data collection should not fall within the purview of individual authority and private ordering.  As I have noted elsewhere, individuals should not be able to consent to everything – some things aren’t, and shouldn’t be, within their authority.  Certain data collecting practices have harms that reverberate throughout society.  As Salome Viljoen argues in this article (which is reviewed by Ari Waldman here), many current data governance efforts miss the “population-level relations among individuals for how data collection produces both social value and social harm.”

An individual might consent to a company using that individual’s digital images for a broad range of uses but the use of those images is not limited to that individual.  Those images may be used to create a database that is used to discriminate against someone who did not consent.  Same with many types of data – an individual’s data is aggregated with those of many others and used to make predictions and create algorithms that affect many others.  Furthermore, the more people who participate, the harder it becomes for any one individual to “opt-out” – and the mere fact of refusing may be incriminating. 

Much like a virus, certain data collection practices create harms that spread beyond the individual contracting parties and these harms often mutate. Legislation that doesn’t recognize the limits of contracts and consent will always be insufficient to prevent societal harms.