Daniel J. Solove and Woodrow Hartzog, The FTC and the New Common Law of Privacy
Comment by: Gerald Stegmaier & Chris Jay Hoofnagle
Published version available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2312913
Workshop draft comment:
One of the great ironies about information privacy law is that the primary regulation of privacy in the United States is not really law and has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies’ privacy policies through its authority to police unfair and deceptive trade practices. Despite over fifteen years of FTC enforcement, there is no meaningful body of case law to show for it. The cases have nearly all resulted in settlement agreements. Nevertheless, companies look to these agreements to guide their decisions regarding privacy practices. Those involved with helping businesses comply with privacy law – from chief privacy officers to inside counsel to outside counsel – parse and analyze the FTC’s settlement agreements, reports, and activities as if they were pronouncements by the High Court.
In this article, we contend that the FTC’s privacy jurisprudence is the functional equivalent to a body of common law, and we examine it as such. The FTC has said quite a lot through its actions and settlement agreements. And FTC privacy jurisprudence is the broadest and most influential regulating force on information privacy in United States – more so than nearly any privacy statute and any common law tort. The statutory law regulating privacy is diffuse and discordant, and the common law torts fail to regulate the majority of activities concerning privacy. Despite the central governing role of the FTC’s privacy activity, it has not received much scholarly attention.
In Part I of this article, we discuss how the FTC’s actions function practically as a body of common law for privacy. In the late 1990s, it was far from clear that the body of law regulating privacy policies would come from the FTC and not from traditional contract and promissory estoppel. Though privacy policies often have all the indicia of enforceable promises, they have rarely been utilized as contracts. On the few occasions when contract law is invoked for privacy policies, it usually fails. We explore how and why the current state of affairs developed. In Part II, we examine the principles that emerge from this body of law. These principles extend far beyond merely honoring promises. We discuss how these principles compare to principles in other legal domains, such as contract law. In Part III, we explore the implications of these developments and the ways that this body of law could develop.
Paul M. Schwartz & Daniel J. Solove, The PII Problem: Privacy and a New Concept of Personally Identifiable Information
Comment by: Rick Kunkel
Published version available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1909366
Workshop draft abstract:
Personally identifiable information (PII) is one of the most central concepts in information privacy regulation. The scope of privacy laws typically turns on whether PII is involved. The basic assumption behind the applicable laws is that if PII is not involved, then there can be no privacy harm. At the same time, there is no uniform definition of PII in information privacy law. Moreover, computer science has shown that the very concept of PII can be highly malleable.
To demonstrate the policy implications of the failure of the current definitions of PII, this Article examines current practices of behavioral marketing. In their use of targeted technologies, companies direct offerings to specific consumers based on information collected about their characteristics, preferences, and behavior. Behavioral marketing has enormous implications for privacy, yet the present regulatory regime with PII as the cornerstone has proven incapable of an adequate response. Behavioral marketers are able to engage in their targeting practices without the use of what most laws consider to be PII. Despite this fact, behavioral marketing causes privacy problems that should be addressed. Other practices not involving PII as traditionally formulated also lead to problems. Since PII defines the scope of so much privacy regulation, the concept of PII must be rethought. In this Article, we argue that PII cannot be abandoned; the concept is essential as a way to define regulatory boundaries. Instead, we propose a new conception of PII, one that will be far more effective than current approaches.
This Article proceeds in four steps. First, we develop a typology of PII that shows three basic approaches in United States law to defining this term. As part of this typological work, the Article traces the historical development of the jurisprudence of PII and demonstrates that this term only became important in information privacy law in the late 1960s with the rise of the computer’s data processing. Second, we use behavioral marketing, with a special emphasis on food marketing to children, as a test case for demonstrating the severe flaws in the current definitions of PII. Third, we discuss broader policy concerns with PII as it is conceptualized today. Finally, this Article develops an approach to redefining PII based on the rule-standard dichotomy. Drawing on the law of the European Union, we propose a new concept of PII that protects information that relates either to an “identified” or “identifiable” person. We conclude by showing the merits of this new approach in the context of behavioral marketing and in meeting the other policy concerns with the current definitions of PII.
Daniel Solove & Neil Richards, Rethinking Free Speech and Civil Liability
Comment by: Raymond Ku
Published version available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1355662
Workshop draft abstract:
One of the most important and unresolved quandaries of First Amendment jurisprudence involves when civil liability for speech will trigger First Amendment protections. When speech results in civil liability, two starkly opposing rules are potentially applicable. Since New York Times v. Sullivan, the First Amendment requires heightened protection against tort liability for speech, such as defamation and invasion of privacy. But in other contexts involving civil liability for speech, the First Amendment provides virtually no protection. According to Cohen v. Cowles, there is no First Amendment scrutiny for speech restricted by promissory estoppel and contract. The First Amendment rarely requires scrutiny when property rules limit speech.
Both of these rules are widely-accepted. However, there is a major problem – in a large range of situations, the rules collide. Tort, contract, and property law overlap significantly, so formalistic distinctions between areas of law will not adequately resolve when the First Amendment should apply to civil liability. Surprisingly, few scholars and jurists have recognized or grappled with this problem.
The conflict between the two rules is vividly illustrated by the law of confidentiality. People routinely assume express or implied duties not to disclose another’s personal information. Does the First Amendment apply to these duties of confidentiality? Should it? More generally, in cases where speech results in civil liability, which rule should apply, and when? The law currently fails to provide a coherent test and rationale for when the Sullivan or Cohen rule should govern. In this article, Professors Daniel J. Solove and Neil M. Richards contend that the existing doctrine and theories are inadequate to resolve this conflict. They propose a new theory, one that focuses on the nature of the government power involved.