Did you hear the story about the do-gooder tech company that is pushing new state “privacy” bills across the nation?

The pitch by that company, Hu-manity.co — which is so effective its Oregon bill was introduced with more than 40 co-sponsors — is that patients’ health information is being sold for big money without their consent and without providing them any compensation. The solution these bills propose is to prohibit such information from being sold without patients’ permission and without giving them a cut of the profits when their information is sold. Sounds like a big win for privacy and consumers.

Only it’s not. Beware the tech industry’s latest privacy Trojan Horse.

If these bills were purely designed to prevent the sale of patient’s personal information without their express permission, the ACLU would wholeheartedly support such “opt-in” privacy measures. But that is far from these bills’ goal.

Hu-manity.co’s real goal is to use state legislation to create a new way for data sellers to profit off of consumers’ personal information. The current bills being pursued are limited to medical patients, but future iterations are likely to cover a broader range of consumers.

Currently, profits on the sale of patient information are captured when the information is initially sold by a health care provider to a data broker, marketer, or other user and again if the information is resold. While the overall market for personal consumer information, which is predicted to hit $203 billion by 2020, is huge, it is also fairly saturated with existing data mining and selling companies.

Rather than compete with the high volume of companies in the existing market, Hu-manity.co is looking to create a new, less-populated niche from which to generate profits. And that is what is behind the company’s current multi-state legislative push.

Hu-manity.co’s strategy is to use legislation to artificially generate a robust market for “customer information sales agents” who will facilitate — and profit from — the sale of patients’ medical information. That is why Hu-manity.co’s legislation, after it mandates patient consent before selling their information, undermines its own privacy provisions by requiring all consent forms notify patients they can “elect to receive a share of any remuneration received” from the sale of their information — an election Hu-manity.co’s business model is designed to effectuate.  And whereas in the past, health care providers could sell patient information directly to data brokers, Hu-manity.co’s legislation effectively requires that health care providers use companies like itself to complete the transaction.

Turns out the big “P” in these bills is for “profit-shifting” not “privacy.”

The problem for Hu-manity.co is “please help us get rich at the expense of consumers’ privacy” is not a great legislative pitch. So the company instead is casting itself as deeply committed to advancing consumer privacy. In a creative maneuver worthy of George Costanza, even the company’s “humanity” name, and its framing of their work as addressing a “human rights” issue, suggests the company is a nonprofit or some other type of public-good focused entity. It is not.

Hu-manity.co is a for-profit company that promotes a data-as-property model — which even Forbes calls “discredited” and “a privacy nightmare rather than a privacy paradise” — in order to artificially generate market demand and substantial profits through government action.

Hu-manity.co argues that, insofar as patient data is already being sold, its legislation is merely designed to give consumers “ownership” of their data and a cut of the profits. But savvy bill readers will note that the proposed laws contain no defined percentage of the profits patients are entitled to, so they could receive mere pennies of Hu-manity.co’s revenue in return for giving up their privacy.

This lack of transparency and equity is enough to throw these bills’ motives into doubt, but there is a much bigger problem. Namely, that they will adversely and disproportionately impact the privacy of the most vulnerable consumers.

It is well-documented that a wealth-based digital divide exists when it comes to privacy. Wealthier persons are able to afford encrypted iPhones and private email accounts, while poorer persons must buy less secure Android phones and use free email services like Gmail, whose contents are tracked. Under these proposed bills, wealthier persons will easily be able to say no to selling their private information, while poorer persons, who are struggling to pay their bills, will have a far more difficult time refusing the additional income, even if it is small. 

Simply put, these proposed bills do not empower consumers; they take advantage of the most powerless consumers.

All people should be entitled to robust privacy protections, not just the wealthy. The privacy bills the ACLU supports are the type that ensure privacy is protected for all by default; legislatures should certainly enact protections requiring consent before medical information is sold — but without counterproductive strings attached. Hu-manity.co’s Trojan Horse bills are designed to create a new market in which companies, like theirs, act as sales agents to underinformed or financially strapped consumers, who the law will enable them to coax into selling their information.

The disturbing fact here is Hu-manity.co’s misleading sales pitch has been working on lawmakers who have a genuine commitment to privacy and protecting consumers. For those well-meaning elected officials, the ACLU has a simple message: You are being duped.

Hu-manity.co’s bills are being rolled out from coast to coast. By its own admission, the company is currently targeting Arizona, California, Georgia, Hawaii, Maryland, Massachusetts, Montana, New Jersey, Oregon, Pennsylvania, and Washington. Other states will likely follow. In each and every state they emerge, these bills must be rejected by legislators.

Stay informed

ACLU of Oregon is part of a network of affiliates

Learn more about ACLU National