Cyberspace Privacy: A Primer and Proposal - Human Rights Magazine, Winter 1999


Human Rights

Cyberspace Privacy: A Primer and Proposal

By Jerry Kang

Human ingenuity has provided us a great gift, cyberspace. This blooming network of computing-communication technologies is quickly changing the world and our behavior in it. Already, it has become cliché to catalog cyberspace’s striking benefits, its endless possibilities. But great gifts often come with a great price. Congress thinks that the price will be sexual purity due to easy access to pornography. Industry thinks it will be our economy due to easy copying of Hollywood’s and Silicon Valley’s programs. I worry that it will be our privacy.

When I mention "privacy," lawyers naturally think of privacy as used in the historic case, Roe v. Wade. Others think of the privacy of their own homes and backyards, largely in territorial terms. I use "privacy" differently. Instead of emphasizing privacy in a decisional or spatial sense, I mean it in an information sense. Information privacy is an individual’s claim to control the terms under which personal information is acquired, disclosed, and used.

My thesis is that cyberspace threatens information privacy in extraordinary ways, and without much thought or collective deliberation, we may be in the process of surrendering our privacy permanently as we enter the next century.

Why Care About Privacy?

Some people do not understand what the big deal is about privacy. They assume that privacy is important only for those who have something to hide. This view is misguided. Let me articulate why individuals should enjoy meaningful control over the acquisition, disclosure, and use of their personal information.

Use of personal data.

Personal data are often misused. For example, personal data can be used to commit identity theft, in which an impostor creates fake financial accounts, runs up enormous bills, and disappears leaving only a wrecked credit report behind. Personal data, such as home addresses and telephone numbers, can be used to harass and stalk. Personal data, such as one’s sexual orientation, can be used to deny employment because of unwarranted prejudice.

Disclosure of personal data.

Sometimes, even if such data will not be "used" against us, its mere disclosure may lead to embarrassment. In any culture, certain conditions are embarrassing even when they are not blameworthy. Take impotency for example. In most cases, impotency will not affect whether one receives a job, a loan, or a promotion. In this sense, the data will not be misused in the allocation of rewards and opportunities. However, the mere disclosure of this medical condition would cause intense embarrassment for most men.

In addition to causing embarrassment, the inability to control the disclosure of personal data can hamper the building of intimate relationships. We construct many intimacies not only by sharing experiences but also by sharing secrets about ourselves, details not broadcast to a mass audience. If we have information privacy, we can regulate the outflow of such private information to others. By reducing this flow to a trickle (for example, to your boss), we maintain aloofness; by releasing a more telling stream (for example, to your former college roommate living afar) we invite and affirm intimacy. If anyone could find out anything about us, secrets would lose their ability to help construct intimacy.

Acquisition of personal data.

Finally, consider the fact that personal information is acquired by observing who we are and what we do. When such observation is nonconsensual and extensive, we have what amounts to surveillance, which is in tension with human dignity. Human beings have dignity because they are moral persons—beings capable of self-determination, with the capacity to reflect upon and choose personal and political projects. Extensive, undesired observation interferes with this exercise of choice because we act differently when we are being watched. Simply put, surveillance leads to self-censorship. When we do not want to be surveilled, it disrespects our dignity to surveil us nonetheless, unless some important social justification exists. This insult to individual dignity has social ramifications. It chills out-of-the-mainstream behavior. It corrodes private experimentation and reflection. It threatens to leave us with a bland, unoriginal polity, characterized by excessive conformity.

The Difference That Cyberspace Makes

So now that we know why privacy matters, we must ask what difference does cyberspace make? My claim is that cyberspace makes broad societal surveillance possible and, if we do nothing, likely. To see the greater threat that cyberspace poses, imagine the following two visits to a mall—one in real space, the other in cyberspace.

In real space, you drive to a mall, walk its corridors, peer into numerous shops, and stroll through the aisles of inviting stores. You walk into a bookstore and flip through a few magazines. Finally, you stop at a clothing store and buy a friend a scarf with a credit card. In this narrative, numerous persons interact with you and collect information along the way. For instance, while walking through the mall, fellow visitors visually collect information about you, if for no other reason than to avoid bumping into you. But such information is general, e.g., it does not pinpoint the geographical location and time of the sighting, is not in a format that can be processed by a computer, is not indexed to your name or any unique identifier, and is impermanent, residing in short-term human memory. You remain a barely noticed stranger. One important exception is the credit card purchase.

By contrast, in cyberspace, the exception becomes the norm: Every interaction may soon be like the credit card purchase. The best way to grasp this point is to take seriously, if only for a moment, the metaphor that cyberspace is an actual place, a virtual reality. In this alternate universe, you are invisibly stamped with a bar code as soon as you venture outside your home. There are entities called "road providers" (your Internet Service Provider), who supply the streets and ground you walk on, who track precisely where, when, and how fast you traverse the lands, in order to charge you for your wear on the infrastructure. As soon as you enter the cyber-mall’s domain, the mall tracks you through invisible scanners focused on your bar code. It automatically records which stores you visit, which windows you browse, in which order, and for how long. The specific stores collect even more detailed data when you enter their domain. For example, the cyber-bookstore notes which magazines you skimmed, recording which pages you have seen and for how long, and notes the pattern, if any, of your browsing. It notes that you picked up a health magazine featuring an article on Viagra, read for seven minutes a newsweekly detailing a politician’s sex scandal, and flipped ever-so-quickly through a tabloid claiming that Elvis lives. Of course, whenever any item is actually purchased, the store, as well as the credit, debit, or virtual cash company that provides payment through cyberspace, takes careful notes of what you bought—in this case, a silk scarf, red, expensive, a week before Valentine’s Day.

All these data generated in cyberspace are detailed, computer-processable, indexed to the individual, and permanent. While the mall example may not concern data that appear especially sensitive, the same extensive data collection can take place as we travel through other cyberspace domains—for instance, to research health issues and politics; to communicate to friends, businesses, and the government; and to pay our bills and manage our finances. Moreover, the data collected in these various domains can be aggregated to produce telling profiles of who we are, as revealed by what we do and with whom we associate. The very technology that makes cyberspace possible also makes detailed, cumulative, invisible observation of ourselves possible. One need only sift through the click streams generated by our cyber-activity.

It turns out that few laws limit what can be done with this data collected in cyberspace. Unlike Europe, the United States has no omnibus privacy law covering the private sector’s processing of personal information. Instead, U.S. law features a legal patchwork that regulates different types of personal information in different ways, depending on how it is acquired, by whom, and how it will be used. To be sure, there are numerous statutes that govern specific sectors, such as consumer credit, education, cable programming, electronic communications, videotape rentals, motor vehicle records, and the recently enacted Children’s Online Privacy Protection Act. But it turns out that in toto, information collectors can largely do what they want.

The Market Solution

Let me restate the problem. All cyber-activity, even simply browsing a Webpage, involves a "transaction" between an individual and potential information collectors. These collectors not only include the counterparty to the transaction but also intermediaries (transaction facilitators) that support the electronic communications (telephone company, cable company, Internet service provider) and sometimes payment (credit card company, electronic cash company). In these transactions, personal information is inevitably generated as either necessary or incidental by-products. Privacy enthusiasts insist that the individual owns this data; information collectors vigorously disagree. What shall be done?

Perhaps the market might solve the problem. One might reasonably view personal information as a commodity, whose pricing and consumption can and should be governed by the laws of supply and demand. Through offers and counteroffers between individual and information collector, the market will move the correctly priced personal data to the party that values it most. Economists love this approach because it appears to be economically efficient. The private sector loves this approach because it staves off regulation. Regulators love this approach for the same reason in the current antiregulatory environment.

The problem is that in practice, individuals and information collectors do not negotiate express privacy contracts before engaging in each transaction. Although privacy notices have become more frequent on Webpages, it is a stretch to say that there is a "meeting of the minds" on privacy terms each time an individual browses a Webpage. What is necessary, then, is a clear articulation of the default rules governing personal data collected in a cyberspace transaction, when parties have not agreed explicitly otherwise.

There are two default rules that society might realistically adopt. First, there is the status quo’s "plenary" default rule: Unless the parties agree otherwise, the information collector may process the personal data any way it likes. Second, there is the "functionally necessary" default rule: Unless the parties agree otherwise, the information collector may process the personal data only in functionally necessary ways. This rule allows the information collector to process personal data on a need-only basis to complete the transaction in which the information was originally collected.

A one-size-fits-all default rule is efficient for some transactions but inefficient for others. Those parties for whom the default is inefficient will either contract around the rule—"flip"—or they will "stick" with the rule and accept the inefficiencies. Thus, the social cost of a default rule equals the sum of the transaction costs of contracting around the rule—the "flip cost"—plus the inefficiency cost of not contracting around the rule even when it would be more efficient to do so—the "stick cost." We seek the rule that minimizes social costs.

If we implement the plenary rule, most parties will stick because it is hard for a consumer to flip out of the default rule. First, she would face substantial research costs to determine what information is being collected and how it is used. That is because individuals today are largely clueless about how personal information is processed through cyberspace. Sometimes, they are deceived by the information collectors themselves, as the Federal Trade Commission recently charged against the Internet Service Provider, Geocities. Second, the individual would run into a collective action problem. Realistically, the information collector would not entertain one person’s idiosyncratic request to purchase back personal information because the costs of administering such an individually tailored program would be prohibitive. Therefore, to make it worth the firm’s while, the individual would have to band together with other like-minded individuals to renegotiate the privacy terms of the underlying transaction. These individuals would suffer the collective action costs of locating each other, then coming to a mutually acceptable proposal to deliver to the information collector—all the while discouraging free riders.

By contrast, the "functionally necessary" rule would not be sticky at all. With this default, if the firm valued personal data more than the individual, then the firm would have to buy permission to process the data in functionally unnecessary ways. Note, however, two critical differences in contracting around this default. First, unlike the individual who has to find out how information is processed, the collector need not bear such research costs since it already knows what its information practices are. Second, the collector does not confront collective action problems. It need not seek out other like-minded firms and reach consensus before coming to the individual with a request. This is because an individual would gladly entertain an individualized, even idiosyncratic, offer to purchase personal information.

Now, the task is to compare the costs of the equilibrium generated by each default rule. For the "plenary" equilibrium, the cost of the default rule is approximately the stick cost because few parties will flip. By contrast, for the "functionally necessary" equilibrium, the cost of the default rule is approximately the flip cost; almost all parties who care to flip will flip. Which cost is higher? We lack the data to be confident in our answer. However, we do know that given how seriously many individuals feel about their privacy, the stick cost of the plenary rule will not be trivial. Many individuals who care deeply about their privacy will not be able to get it. By contrast, the flip cost of the functionally necessary rule will be small because cyberspace makes communications cheap. The information collector can ask in a simple dialog box whether the individual will allow some unnecessary use of personal data, in exchange for some benefit. What is more, this inequality will increase over time. As information processing becomes more sophisticated, people will feel less in control of their personal information; accordingly they will value control more (making the cost of "sticking" greater). Simultaneously, the cost of communication will decrease as cyberspace improves (making the cost of "flipping" less).

In conclusion, I think it is more likely than not that a functionally necessary rule will be less costly to society than the plenary rule we currently have. Putting economic efficiency aside, the functionally necessary rule also better respects human dignity by respecting an individual’s desire not to be surveilled.

A Modest Proposal

Congress should adopt a Cyberspace Privacy Act (the "Act"), that implements the "functionally necessary" default rule for all personal information collected in cyberspace. This rule is more efficient and more respectful of human dignity. Parties are, of course, free to contract around the default rule. The full proposed statute is available online at http://www.law.ucla.edu/faculty/kang/scholars, but here is a quick summary:

• First, a person who acquires personal data in the course of a cyberspace transaction must provide clear notice about what will be done with that information.

• Second, a person will not process personal information in a manner functionally unnecessary to the transaction without the prior consent of the individual.

• Third, an individual will have reasonable access to and rights of correction of personal data.

• Fourth, personal data that is no longer functionally necessary to the cyberspace transaction will be generally destroyed unless there is some legitimate pending request or the individual has given consent otherwise.

• Fifth, if compelled by court order or a dire emergency to the individual’s own welfare, personal data may be disclosed as necessary.

• Finally, a person who violates this Act may be sued in federal court for civil damages. Moreover, the Federal Trade Commission will have administrative authority to enforce the Act.

Politically moderate, the proposed legislation should enjoy broad appeal. The private sector should not oppose the Act because it does not choke off electronic commerce in cyberspace. Although the Act constrains certain forms of advertising based on detailed data collection, and the sharing of data with third parties, these constraints can be lifted simply by obtaining the customer’s consent. Moreover, the Cyberspace Privacy Act would promote consumer confidence in—and thereby encourage—electronic commerce. Multinational corporations working in Europe might have an independent reason to accept the Act. By applying the Act to data received from the European Union, these corporations could credibly assert that they have begun to adopt adequate privacy protections necessary to maintain transborder flows under the recent European Union Data Protection Directive. Finally, the Act does not violate the First Amendment. In structure, the proposed Act does not differ materially from the privacy provisions of the Cable Act or the Video Privacy Protection Act. Neither act has been successfully challenged on First Amendment grounds.

Conclusion

A vision protective of information privacy in cyberspace will be singularly hard to maintain. Cyberspace’s essence is the processing of information in ways and at speeds unimaginable just years ago. To retard this information processing juggernaut in the name of privacy seems antitechnology, even antiprogress. It cuts against the hackneyed cyber-proclamation that information wants to be free. Nevertheless, this intentional application of friction to personal information flows is warranted. If profit-seeking organizations are instituting such friction in the name of intellectual property, individuals should not be chastised for doing the same in the name of privacy.

Historically, privacy issues have been an afterthought. Technology propels us forward, and we react to the social consequences only after the fact. But the amount of privacy we retain is—to use a decidedly low-tech metaphor—a one-way ratchet. Once we ratchet privacy down, it will be extraordinarily difficult to get it back. More disturbingly, after a while, we might not mind so much. It may dawn on us too late that privacy should have been saved along the way.

Jerry Kang is a law professor at UCLA, where he teaches courses in Civil Procedure, Communications Law and Policy, Cyberspace Privacy, and Asian American Jurisprudence. This article draws from his most recent publication, "Information Privacy in Cyberspace Transactions," 50 Stan. L. Rev. 1193-1294 (1998). He can be reached at http://www.law.ucla.edu/faculty/kang, or kang@law.ucla.edu.