Individuals who aren’t able to bike to work or who use plastic water bottles aren’t the population that’s primarily responsible for global warming—Exxon, Shell, and their peer companies are, along with the lobbyists who press their interests and the politicians who listen to them and take their money. Similarly, blaming individuals for structural privacy failures, even as a part of illustrating how badly reforms are needed, is a far too common posture, and needs to be rooted out of privacy discussions for good.

Recently, the New York Times published an illuminating series of articles examining the surreptitious collection of location-tracking data, based on a file of such data that traced the movements of over 12 million Americans over several months. The file illustrated the patterns of people from all walks of life, and in all parts of their lives, such as a senior Department of Defense official and his wife attending the Women’s March, the comings and goings of kids at the local high school in Pasadena, and another man visiting a hospital regularly with his wife until she died. The series provides an important glimpse into a far-reaching problem that deeply impacts people’s lives, whether they realize it or not: powerful companies are able to cheaply, opaquely, and profitably track you, learn things about you, share that information with other entities, and use this data to make decisions about you, almost always without your informed consent or ability to stop it from happening.

Yet even as it demonstrates location tracking’s invasiveness and describes shady corporate practices in appropriately critical terms, the first piece of the series often frames the problem of pervasive privacy violations as failures of individual foresight. The authors describe how we “shed” data, instead of explaining that companies furtively take it from us, and end on the elegantly ominous conclusion that “the greatest trick technology companies ever played was persuading society to surveil itself.” The piece correctly criticizes how the system operates, but also blames every complicit schmuck who’s gullible enough to walk around with a smartphone in their pocket for allowing it to exist, rather than focusing on the companies that built and maintain it or the policymakers who fail to dismantle it.

The piece blames every complicit schmuck who’s gullible enough to walk around with a smartphone in their pocket.

The subsequent articles have done a better job of eschewing that framing, and my objective is not to beat up on two thoughtful reporters for a rhetorical slip while they’re devoting much-needed scrutiny to a profoundly important issue. But the series is illustrative of a much larger problem. Privacy rights in the United States struggle not only from inadequate legal protections, but because the companies that profit from our data have been far too effective at convincing policymakers, journalists, and the rest of us that their violations of our privacy are our fault.

In some ways, the tendency to blame individuals simply reflects the mistakes of our existing privacy laws, which are built on a vision of privacy choices that generally considers the use of technology to be a purely rational decision, unconstrained by practical limitations such as the circumstances of the user or human fallibility. These laws are guided by the idea that providing people with information about data collection practices in a boilerplate policy statement is a sufficient safeguard. If people don’t like the practices described, they don’t have to use the service.

But as researchers have repeatedly demonstrated and anyone using digital services in 2019 can recognize, people are often unable to absorb the information that companies supply or make corresponding changes to their behavior. First of all, the explanations of data collection practices that companies provide generally aren’t all that informative. In an illustration of how ill-matched the idea of privacy policies are with reality, a 2008 study found it would take the average American 40 minutes a day to read every privacy policy they encountered, at a cost of up to $5,038 a year in lost productivity. These policies are also generally written in complex legalese that most people don’t understand (as the Times piece helpfully notes).