It seems innocent enough. Sign up for a grocery discount card and save every time you buy food. Or perhaps get a credit card with travel rewards. Yet, every time your card is scanned, it’s collecting information about you. Does that matter?
This is just a tiny microcosm of life in today’s digital world. No area of government, business, industry or law goes untouched by the latest technologies, whose benefits also come with risk. David Sella-Villa, assistant professor at the Joseph F. Rice School of Law, says the current system of privacy laws demands that a sense of “caveat emptor” accompany the choices we make with our data.
The rapid evolution of artificial intelligence further complicates risk, because a signature feature of AI is the belief that by processing new information, it will get better at its given task. These technologies also can impact unknowing third parties.
“My interest academically is what we learn about other people based on data…examining big data’s privacy implications for third parties,” he says.
A stork bot?
More than a decade ago, Target stores’ predictive analytics infamously predicted a teenage customer’s pregnancy, right down to her probable due date. You can imagine her father’s surprise when his teen daughter started receiving coupons and ads for baby products. The incident highlighted the degree to which companies track customers’ spending habits.
Analysts identified 25 products, seemingly innocuous purchases (such as unscented lotions, vitamin supplements, etc.), that contributed to a sort of pregnancy-prediction score — critical data, as new parents are a very lucrative market for retailers.
Examples can also be found in the automotive industry, which in recent years has installed trackers, sensors and other information-gathering tools in vehicles. In addition, the new self-driving cars use AI, presumably for safety reasons.
“Automated vehicles are safer than human drivers,” Sella-Villa says. “They learn, through these sensors, by studying other drivers’ behavior on the road. That seems reasonable enough so long as it’s only to make the car safer. But if that information is used for something else, you might say, ‘I didn’t sign up for that.’”
A champion for information security
While Sella-Villa joined USC in July 2024, he is no stranger to Columbia. Before making the move into academia, he served as chief privacy officer with the South Carolina Enterprise Privacy Office for three years. Prior to that, he was assistant general counsel advising the IT division at the SC Department of Administration.
Sella-Villa also worked out of state as general counsel to a small private aviation company. He holds the prestigious title of Fellow of Information Privacy, the highest designation bestowed by the International Association of Privacy Professionals.
“It was a dream come true to start my academic career at USC,” he says.
He already had a personal connection as a former state employee, but the USC role offered new opportunities. “Because this is a rapidly changing landscape, thinking about theory and technology, I realized I could probably do more to serve the people of South Carolina at USC than in my former role,” he says.
In state government, Sella-Villa assisted agencies in writing policies to incorporate privacy-enhancing technologies to support cybersecurity and train people on emerging privacy issues.
“My current role as a professor is an extension of what I started,” he says.
Business today is conducted online — from paying bills to purchasing everyday groceries. With online commerce has come the emergence of privacy-enhancing technologies (PET) such as third-party authentication, encryption, VPNs and more.
He believes younger people tend to have a more advanced privacy mindset than those who did not grow up with the internet — and that, in general, internet safety is improving.
“I think that the world, as we understand how privacy is structured, is getting safer all the time. It is harder and harder for bad actors to succeed. The bigger question that we don’t have solid answers for is what it means to be a person in society when lots of data about you is in the hands of people you don’t know.”
‘Privacy Theater’
Many Americans these days understand and accept that there is a transfer of data linked to any transaction. Few people read the lengthy terms of services policies they encounter, but those terms keep companies compliant with the law.
“Nobody has time to negotiate these long-term legal relationships when all they want is to check their email,” Sella-Villa says. “We aren’t doing a good job of answering the bigger questions of what happens to people when their data are later stolen.”
It may be possible to reconcile actual financial losses associated with data breaches or identity theft, Sella-Villa explains, but what about the emotional and psychological toll that can endure for years? How do such privacy breaches affect someone personally? Is it possible to put a price on that?
Sella-Villa theorizes that privacy culture evolves in phases, with each new phase materializing as people shift and adjust to a new reality.
“I think there is a lot of hope related to AI on that front,” he says. “In equal measure, there are a lot of concerns.”