The future of privacy law and regulation in the United States could be shifting from the notice and consent regime to that of a duties-based framework. There is evidence that the notice and consent framework is not working for consumers, and with ever-growing technological capabilities, this problem will continue to grow in the future. The basic concept of the duties-based framework is that consumers transfer data to companies, which will perform a service on the data, and the companies will have to conform to the duties delegated to them by law. Multiple duties-based frameworks exist for data privacy and security, but three recently proposed frameworks are particularly relevant as Congress and the Biden Administration consider a national privacy framework: The Data Care Act of 2018, the Consumer Online Privacy Rights Act, and a Brooking Institution white paper on privacy legislation.
In his article Privacy’s Constitutional Moment and the Limits of Data Protection, Woody Hartzog analyzes Senator Brian Schatz’s (D-HI) Data Care Act of 2018 and argues that the U.S. should move our privacy paradigm away from the notice and consent framework to one of strict duties. He explains how the notice and consent framework has been failing consumers and argues that the duties-based system can address more issues than the notice and consent regime, while still offering a flexible approach to privacy that consumers can trust. He examines the European Union’s General Data Protection Regulation (“GDPR”) and U.S. sectorial laws and concludes that these laws have built in limitations, are too focused on the individual and consent, and not focused enough on relationships and power, thus having an inherent vulnerability which should lead to its disuse.
Hartzog uses the duties-based framework presented in the Data Care Act as a springboard for his idea of a successful federal law that would address: “(1) corporate matters; (2) trustworthy relationships; (3) data collection and processing; and (4) personal data’s externalities.” 1 Senator Schatz defines the duties of care, loyalty, and confidentiality in his law, which Hartzog incorporates into his framework. Senator Schatz defines the duty of care in privacy as requiring providers to reasonably secure individual identifying data and promptly inform users of data breaches that involve sensitive information. 2 To meet the duty of care, an ad tech company employing the National Institute of Standards and Technology (“NIST”) or the International Organization for Standardization (“ISO”) would satisfy the requirement for providing security in additional to following state of federal data breach notification standards.
Hartzog defines the duty of loyalty as the hallmark of fiduciary duties and requires a strict commitment to “refrain from self-dealing and a firm prioritization of the trustors’ interests over the interests of the entrustee.” 3 Similarly, Hartzog refers to the Schatz bill, which defines the duty as, “not [using] individual identifying data in ways that harm users.” 4 Hartzog explains the duty of loyalty would require that: An online service provider may not use individual identifying data, or data derived from individual identifying data, in any way that–(A) will benefit the online service provider to the detriment of an end user; and (B) (i) will result in reasonably foreseeable and material physical or financial harm to an end user; or (ii) would be unexpected and highly offensive to a reasonable end user. 5
Navigating this framework for an ad-tech company that does not come into contact with consumers is a rather easy duty to satisfy conceptually, but depending on the interpretation of the impacts, it could pose real challenges for ad-tech businesses. The duty of loyalty essentially does not bar the use of data but requires smart use of consumer data. Data can be responsibly passed through the stack as long as it does not harm the user, is not used in an offensive way, and is not to the detriment of the consumer. Notice may need to be altered to provide for consumer expectations, but the use of data for digital advertising could possibly be achieved. That is, consumer data could be used as long as it is safeguarded and the consumer is aware of its use. For digital advertising, consumer data is used to the benefit of the consumer because it provides for ad-supported free and low-cost content, as long as the data is not misused or the advertising practices do not provide harms to the consumer.
Hartzog’s duties framework appears to impose stronger privacy regulations than current laws like GDPR, however, the inherent ambiguity of duties could be a cause of concern for these ad-tech companies. The ad-tech industry could likely survive under a duties-based regime, but the key to survival is the interpretation of any legal outcomes and responsible data stewardship. At the same time, new duties-based regulations could impose heavy compliance and legal burden on the ad-tech industry, and it could therefore cause many smaller companies to exit the market.
Consumer Online Privacy Rights Act
Senator Maria Cantwell (D-WA) introduced the Consumer Online Privacy Rights Act (“COPRA”) in 2019 to try and address the privacy issues in American law. COPRA is divided into three parts: (1) privacy rights (§§ 101-110); (2) oversight (§§ 201-202); and (3) enforcement (§§ 301-304). The bill contains ambiguous definitions of the duties of care and loyalty as there is no defined duty of care.
COPRA defines the duty of loyalty in two parts. First, a company should not “engage in a deceptive data practice or a harmful data practice.” Second, it should not “process or transfer covered data in a manner that violates any provision of this Act.” 6 While similar to the Hartzog framework, the COPRA definition is slightly narrowed to focus on data practices. The bill narrows the scope by defining a deceptive data practice as “an act or practice involving the processing or transfer or covered data in a manner that constitutes a deceptive act or practice in violation of section 5(a)(1) of the [FTC] Act.” 7 Likewise, the scope of harmful data practice is narrowed by defining such practices as those that are likely to cause, “financial, physical, or reputational injury.” 8 COPRA further defines harmful data practices as those that cause physical or offensive intrusion upon the solitude of an individual. 9 That conception of harmful data practices is a way in which COPRA attempts to codify the tort of intrusion into privacy law. Finally, COPRA leaves the definition of harmful data practices quite vague by including “other substantial injuries” in the third prong of its definition. 10 Since this uncertainty poses a high probability for litigation, it is impractical for businesses and would likely be a barrier to innovation.
The Brookings Institution offers a middle ground in their privacy law orientated white paper and accompanying legislative text (“Brookings Framework”). 11 The Brookings Framework seeks to take a more practice approach to balance business innovation with the duties of loyalty and care.
The Brookings Framework proposes adding the duties of care and loyalty to any privacy law. It defines the duty of loyalty as: [R]equire covered entities to implement reasonable policies and practices to protect individual privacy “appropriate to the size and complexity of the covered entity and volume, nature, and intended use of the covered data processed,” limit data processing to “necessary [and] proportionate” purposes, consistent with COPRA … and communicate data practices “in a fair and transparent manner.” 12
The Brookings Framework defines the duty of care by modifying COPRA’s §101(b)(2) definition of “harmful data practices” by including in the definition, “discrimination in violation of federal anti-discrimination laws or anti-discrimination laws of any State or political subdivision thereof applicable to the covered entity.” 13 The Brookings Framework would also include a prohibition of covered entities processing data in a way that could reasonably be foreseen as causing harm. 14
The Brookings Framework includes a duty of loyalty that limits what companies can do with data, and it relegate activities to those that are “reasonably necessary, proportionate, and limited.” 15 In an industry conscious move, the Brookings Framework proposes that laws include the duty of care language that allows companies to collect and use data for improving services, both for products requested and those that would be reasonably anticipated within the context of the covered entity’s relationship with the individual. 16 For the duty of loyalty, they propose that laws build upon the concept of “reasonably anticipated in the context of the covered entity’s relationship with the individual.” The Brookings Framework suggests enlarging that conceptualization into a set of baseline duties toward individuals. 17 Another element they would add to the duty of loyalty is an “obligation to communicate policies and practices for processing and transferring covered data ‘in a fair and transparent manner.’ 18 Finally, adding to the duty of care, the Brookings Framework suggests having a harmful data practices section, which would encompass civil rights laws and would include in the list of harms the violation of state and federal anti-discrimination laws. 19 In general, the Brookings Framework approach seeks to add much-needed specificity. For ad-tech companies, this approach would be beneficial, compared to other approaches discussed above that would result in an open-ended legal framework subject to interpretation by regulators or the courts.
By pursuing the Brookings Framework, the U.S. can effectively balance consumer protections with business needs.
Woodrow Hartzog & Neil Richards, Privacy’s Constitutional Moment and the Limits of Data Protection, 61 B.C. L. Rev. 1687, 40 (2020).
2. Press Release, Office of United States Senator Brian Schatz, Schatz Leads Group of 15 Senators in Introducing New Bill to Help Protect People’s Personal Data Online (Dec. 12, 2018), https://www.schatz.senate.gov/press-releases/schatz-leads-group-of-15-se…
3. Hartzog, supra note 1, at 47.
4. Schatz, supra note 2.
5. Hartzog, supra note 1, at 49.
6. Consumer Online Privacy Rights Act, S.2968, 116th Cong. § 101(a) (2019).
7. Id. at § 101(b)(1).
8. Id. at § 101(b)(2)(A).
9. Id. at § 101(b)(2)(B).
10. Id. at § 101(b)(C).
11. Cameron F. Kerry et. al., Bridging the Gaps: A Path Forward to Federal Privacy Legislation, Governance Studies at Brookings, June 2020.
12. Id. at 6.
15. Id. at 28.
16. Id. at 29.
18. Id. at 30.
19. Id. at 31.