92% of Americans believe that privacy is a right, but that is not the legal reality today in the United States. In the absence of rights-based medicalized data protection, many in the field of bioethics are turning to data democracy as a viable alternative. This privacy governance reform model safeguards the public’s “interests and entitlements in controlling its data” – it aims to better understand our murky viewpoints on medicalized data privacy. Although aware of substantial privacy concerns, we often readily share our personal information. In this “privacy paradox”, our actions clash with our reported views. The phenomenon complicates the democratic ideal and may lead to plainly undemocratic outcomes. Given that theories on data democracy fail to take Americans’ opinions into account in any sort of systematic or effective way, data democracy requires more grassroots action to solidify the public’s stances on medicalized data ownership, usage, and privacy.

None of the mechanisms for assessing public opinion that data democracy offers are completely democratic. Each vision of data democracy – regulatory, deregulatory, collective, and intermediary – has compromised principles and practical implications.

The regulatory data democracy model urges government (rather than corporate or institutional) action to address privacy issues. It promotes voting on medicalized data privacy, but as of yet, only 20 states have held privacy votes. Just one of these was put up for a statewide referendum; the remaining 19 were left to the state legislatures. This setup does not give a sufficiently precise measure of the American people’s views, and resulting laws are subject to federal preemption. Corporate and medical interest groups often lobby on privacy issues, and US regulators, by and large, operate according to an economic logic that leaves them partial to institutional concerns. That the argument for private right of action (the ability to sue companies for privacy violations) has stalled many medicalized data privacy bills is emblematic of the government’s neoliberal approach to this issue, which is partial to market deregulation and presents one of many undemocratic legal side effects. Efforts to prioritize public opinion under the regulatory model fall short because its representatives operate at a significant remove from Americans’ interests.

Deregulatory data democracy, which urges self-regulation within firms and organizations, applies to the three main sectors subject to US medical privacy regulation: healthcare, academic research, and corporations. Its proposed privacy-opinion-gathering methods here are consensus, consent, and behavioral analysis. Clinical ethics committees’ rigid consensus-based decision making is top-down and unaccountable and presents citizens with a falsely decisive expert opinion. In a society that prides itself on its diverse value systems, why respect a consensus or even regard it as possible? Small groups within institutions – notably lacking lay representation – may further distort the decision.

In addition, the privacy paradox undermines consent and corporate behavioral analysis. American law gives us the option to opt out of data collection. 75% of Americans would like an opt-in setup, but as economics measures our opinions by our actions, skipping a pop-up or skimming the small print keeps the system running. The vast majority of polled Americans decline to pay more for additional medical privacy or incur any risks to keep their medical information private. Whether we make that decision to save ourselves time or otherwise calculate that the personal benefits of sharing data (improved medical care, access to social media or private medical services, et cetera) outweigh the risks, this economic way of thinking conditions much of our behavior and contrasts with our stated convictions. Given how much corporate privacy policy is hidden from the public, whether our actions or opinions on sharing data with these institutions hold any meaning is uncertain.

The three sectors operate according to different legal definitions of consent. The Health Insurance Portability and Accountability Act (HIPAA)’s broad consent and the Common Rule’s informed consent engender debates in healthcare about how much control Americans should have over their data. Any efforts to rewrite these definitions are another major sticking point in Congress. At the same time, 68% of patients prefer reducing medical costs to privacy, and research subjects have a high willingness to sacrifice their data security for research – especially when compensated or offered approved incentives. Given that many doctors are not aware of where patients’ data will end up (often in corporate data brokers’ hands), they may not be able to fully inform their charges. The legal third-party doctrine maintains that when our information is shared with a third party, we have no privacy rights over it anyway, so consent loses much of its meaning later on in our data’s lifespan.

Finally, the collective and intermediary data democracy proposals argue that data is not private property, nor something that the people must independently manage, but rather a shared problem that the public can work together to address. These plans require intensive, organized involvement that can be exclusionary. Technology poses a barrier to entry, and the movement’s special invitation to tech hobbyists could discourage other participation. More privileged and scientifically literate members might skew representation, as may people with certain diseases or unusually strong privacy convictions. The reliance on data from wearables, platforms, and data aggregators may perpetuate faulty consent models’ ethical infringements.

The privacy-opinion-gathering setups in place vary by industry and data democracy model; this segmented state of affairs fails to provide a coherent and convincing example of how ideal preference collection might look.

Data democracy proposals do agree that Americans should be more informed about privacy, and each offers valuable tools to help the people advocate for their interests (see below).

Individuals already devoted to privacy organizing might target their efforts at getting a higher percentage of the public involved in advocating for whatever system they favor. They can build networks to recruit more of the public and generate flows of information. Hopefully, by learning more about the current legal and economic privacy context individually, we might better recognize when “consent mechanisms” are colored by ideologies we disagree with. Just as our opinions may be unfounded, our behaviors are liable to manipulation by the various institutions with an interest in our data. We can inform ourselves. Although corporate openness and government-funded public information campaigns would be powerful, simple actions like installing an automatic opt-out extension on your browser or skimming the fine print at your doctor’s office lend more meaning to your – often carefully analyzed – behaviors.

That Americans are unaware and fail to coordinate and mobilize politically for medicalized data privacy cannot be the full explanation for their inaction. The privacy paradox calls into question whether we are simply apathetic. One thing is for certain: we agree nearly unanimously that privacy should be a right, and if this opinion is informed and genuine, it calls our current privacy framework into question and demands that we the people enter the conversation.