“Data governance” is an empty term, like a Rorschach inkblot just waiting to be filled with meaning. Tech companies take advantage of this ambiguity to craft narratives about their data-governance capabilities to fit their audience and purpose. On one hand, tech companies brag about their data-governance capabilities when it fits their business model (for example, to advertisers) and public image (for example, to their customers). On the other hand, tech companies claim that meaningful data governance is challenging or impossible when accountability is demanded. In this Article, we argue that tech companies systematically misrepresent or selectively ignore their data-governance capabilities. To demonstrate our point, we present two case studies showing how tech companies adopt inconsistent and self- serving positions when it comes to the treatment of consumers’ personal information. First, we show examples where tech companies actively identify children to deliver personalized advertising and content recommendations but disclaim the knowledge or ability to identify children when legal obligations attach. Second, we show how tech companies commonly claim they do not know whether the information collected by their tracking tools is protected health information (PHI) under HIPAA, even though standard techniques enable such classification. We conclude this article by arguing for a more sustained critique and skepticism of the concept and implementation of data governance. Lawmakers could better scrutinize what constitutes reasonable efforts under existing data protection rules, they could better tailor new rules to the data governance capabilities of tech companies, and finally, lawmakers could better scrutinize the use of the term “data governance” as an efficacy claim within the law of consumer protection.
