Law Commons^™

Redefining The Injury-In-Fact: Treating Personally Identifying Information As Bailed Property, Austin Headrick

Georgia Law Review

There is a long-existing circuit split among federal courts of appeals as to whether an individual has standing under Article III of the United States Constitution when their personally identifying information (PII) is stolen from an entity to which they entrusted it such as a hospital or bank. Federal courts disagree as to whether an individual whose PII has been stolen—without more—has suffered an injury-in-fact, a necessary element of standing. The disagreement between the courts centers on whether the injury-in-fact has already occurred at the time the PII is stolen or whether the injury occurs once the PII has been …

“Statistics Are Human Beings With The Tears Wiped Away”: Utilizing Data To Develop Strategies To Reduce The Number Of Native Americans Who Go Missing, Lori Mcpherson, Sarah Blazucki

Seattle University Law Review

On New Year’s Eve night, 2019, sixteen-year-old Selena Shelley Faye Not Afraid attended a party in Billings, Montana, about fifty miles west of her home in Hardin, Montana, near the Crow Reservation. A junior at the local high school, she was active in her community. The party carried over until the next day, and she caught a ride back toward home with friends in a van the following afternoon. When the van stopped at an interstate rest stop, Selena got out but never made it back to the van. The friends reported her missing to the police and indicated they …

Passcodes, Protection, And Legal Practicality: The Necessity Of A Digital Fifth Amendment, Ethan Swierczewski

Catholic University Journal of Law and Technology

No abstract provided.

Illusory Privacy, Thomas Haley

Indiana Law Journal

For decades, regulators, consumer advocates, and privacy theorists have grappled with one of privacy’s most important questions: how to protect private information that consumers unwittingly give away with the click of an “I accept” button. Reform efforts remain mired in a morass of text, focusing on the increasing volume and complexity of firms’ terms of service and privacy policies. This Article moves beyond such existing approaches. By analyzing terms of service and privacy policies from hundreds of top websites—which this Article calls “platform terms”—this Article demonstrates that the prevailing “notice and consent” paradigm of privacy regulation cannot provide meaningful protection. …

The New Bailments, Danielle D'Onfro

Scholarship@WashULaw

The rise of cloud computing has dramatically changed how consumers and firms store their belongings. Property that owners once managed directly now exists primarily on infrastructure maintained by intermediaries. Consumers entrust their photos to Apple instead of scrapbooks; businesses put their documents on Amazon’s servers instead of in file cabinets; seemingly everything runs in the cloud. Were these belongings tangible, the relationship between owner and intermediary would be governed by the common-law doctrine of bailment. Bailments are mandatory relationships formed when one party entrusts their property to another. Within this relationship, the bailees owe the bailors a duty of care …

Legislating Data Loyalty, Woodrow Hartzog, Neil Richards

Faculty Scholarship

Lawmakers looking to embolden privacy law have begun to consider imposing duties of loyalty on organizations trusted with people’s data and online experiences. The idea behind loyalty is simple: organizations should not process data or design technologies that conflict with the best interests of trusting parties. But the logistics and implementation of data loyalty need to be developed if the concept is going to be capable of moving privacy law beyond its “notice and consent” roots to confront people’s vulnerabilities in their relationship with powerful data collectors.

In this short Essay, we propose a model for legislating data loyalty. Our …

The Surprising Virtues Of Data Loyalty, Woodrow Hartzog, Neil M. Richards

Faculty Scholarship

Lawmakers in the United States and Europe are seriously considering imposing duties of data loyalty that implement ideas from privacy law scholarship, but critics claim such duties are unnecessary, unworkable, overly individualistic, and indeterminately vague. This paper takes those criticisms seriously, and its analysis of them reveals that duties of data loyalty have surprising virtues. Loyalty, it turns out, can support collective well-being by embracing privacy’s relational turn; it can be a powerful state of mind for reenergizing privacy reform; it prioritizes human values rather than potentially empty formalism; and it offers solutions that are flexible and clear rather than …

Biometric Data Regulation And The Right Of Publicity: A Path To Regaining Autonomy Over Our Commodified Identity, Lisa Raimondi

University of Massachusetts Law Review

This Note explores how a right of publicity action might be used to address present day concerns regarding biometric data ownership rights where an individual’s likeness can essentially be bought and sold. As social networking and use of the internet has grown, so has the opportunity for people to engage with others and share their lives. However, that opportunity also comes with risk. More and more, people are required to accept the terms of use and privacy policies detailing how their biometric data will be collected and stored if they want to download and use certain technological applications. Most of …

Periods For Profit And The Rise Of Menstrual Surveillance, Michele E. Gilman

All Faculty Scholarship

Menstruation is being monetized and surveilled, with the voluntary participation of millions of women. Thousands of downloadable apps promise to help women monitor their periods and manage their fertility. These apps are part of the broader, multi-billion dollar, Femtech industry, which sells technology to help women understand and improve their health. Femtech is marketed with the language of female autonomy and feminist empowerment. Despite this rhetoric, Femtech is part of a broader business strategy of data extraction, in which companies are extracting people’s personal data for profit, typically without their knowledge or meaningful consent. Femtech can oppress menstruators in several …

Cloudy With A Chance Of Government Intrusion: The Third-Party Doctrine In The 21st Century, Steven Arango

Catholic University Law Review

Technology may be created by humans, but we are dependent on it. Look around you: what technology is near you as you read this abstract? An iPhone? A laptop? Perhaps even an Amazon Echo. What do all these devices have in common? They store data in the cloud. And this data can contain some of our most sensitive information, such as business records or medical documents.

Even if you manage this cloud storage account, the government may be able to search your data without a warrant. Federal law provides little protection for cloud stored data. And the Fourth Amendment may …

"Times They Are A Changin'" - Can The Ad Tech Industry Survive In A Privacy Conscious World?, Meaghan Donahue

Catholic University Journal of Law and Technology

The "ad tech ecosystem" is a web of interconnected technologies and intermediaries that facilitate targeted advertising based on consumer data, and supports the free internet while providing users with promotional content relevant to their interests. However, in recent years, lawmakers and consumer advocates have highlighted the dangers associated with the unregulated use of consumer data for advertising purposes, prompting a flurry of legislative action at both the state and federal levels. These various laws and proposed bills impose new challenges on the ad tech industry--threatening to fundamentally change the way the business operates. However, through innovation and creative thinking, the …

Meaningful Choice: A History Of Consent And Alternatives To The Consent Myth, Charlotte A. Tschider

Faculty Publications & Other Works

Although the first legal conceptions of commercial privacy were identified in Samuel Warren and Louis Brandeis’s foundational 1890 article, The Right to Privacy, conceptually, privacy has existed since as early as 1127 as a natural concern when navigating between personal and commercial spheres of life. As an extension of contract and tort law, two common relational legal models, U.S. privacy law emerged to buoy engagement in commercial enterprise, borrowing known legal conventions like consent and assent. Historically, however, international legal privacy frameworks involving consent ultimately diverged, with the European Union taking a more expansive view of legal justification for processing …

Legal Opacity: Artificial Intelligence’S Sticky Wicket, Charlotte A. Tschider

Faculty Publications & Other Works

Proponents of artificial intelligence (“AI”) transparency have carefully illustrated the many ways in which transparency may be beneficial to prevent safety and unfairness issues, to promote innovation, and to effectively provide recovery or support due process in lawsuits. However, impediments to transparency goals, described as opacity, or the “black-box” nature of AI, present significant issues for promoting these goals.

An undertheorized perspective on opacity is legal opacity, where competitive, and often discretionary legal choices, coupled with regulatory barriers create opacity. Although legal opacity does not specifically affect AI only, the combination of technical opacity in AI systems with legal opacity …

Ai's Legitimate Interest: Towards A Public Benefit Privacy Model, Charlotte A. Tschider

Faculty Publications & Other Works

Health data uses are on the rise. Increasingly more often, data are used for a variety of operational, diagnostic, and technical uses, as in the Internet of Health Things. Never has quality data been more necessary: large data stores now power the most advanced artificial intelligence applications, applications that may enable early diagnosis of chronic diseases and enable personalized medical treatment. These data, both personally identifiable and de-identified, have the potential to dramatically improve the quality, effectiveness, and safety of artificial intelligence.

Existing privacy laws do not 1) effectively protect the privacy interests of individuals and 2) provide the flexibility …

Law Library Blog (January 2021): Legal Beagle's Blog Archive, Roger Williams University School Of Law

Law Library Newsletters/Blog

No abstract provided.

Data As The New Oil: A Slippery Slope Of Trade Secret Implications Greased By The California Consumer Privacy Act, Megan Marie Miller

Cybaris®

Following the European model of the General Data Protection Regulation (GDPR), the state of California implemented the California Consumer Privacy Act (CCPA) on January 1, 2020. The CCPA allows any California consumer to demand to see all of the information that a company has saved on them; consumers can also request a full list of all the third parties that their data is shared with, sold to, and for what commercial purpose. This paper reviews the implications of a new law on the disclosure of trade secrets like client lists and algorithms that manipulate consumers’ data. Ultimately, the issue comes …

What Is Privacy? That’S The Wrong Question, Woodrow Hartzog

Faculty Scholarship

Privacy has never had a precise meaning. But in the early 1900s, the concept took on new life as a term of art in legal frameworks. The result has been a bit of a mess, as no singular definition has been adequate for all purposes. Daniel Solove, perhaps the most influential privacy scholar of our day, wrote at the turn of the millennium that privacy was “a concept in disarray.”

In this short essay reflecting upon Solove’s impact on the modern study of information privacy, I argue that the chaos and futility of competing conceptualizations of privacy is why Solove’s …

The Covid-19 Pandemic And The Technology Trust Gap, Johanna Gunawan, David Choffnes, Woodrow Hartzog, Christo Wilson

Faculty Scholarship

Industry and government tried to use information technologies to respond to the COVID-19 pandemic, but using the internet as a tool for disease surveillance, public health messaging, and testing logistics turned out to be a disappointment. Why weren’t these efforts more effective? This Essay argues that industry and government efforts to leverage technology were doomed to fail because tech platforms have failed over the past few decades to make their tools trustworthy, and lawmakers have done little to hold these companies accountable. People cannot trust the interfaces they interact with, the devices they use, and the systems that power tech …

A Duty Of Loyalty For Privacy Law, Neil M. Richards, Woodrow Hartzog

Faculty Scholarship

Data privacy law fails to stop companies from engaging in self-serving, opportunistic behavior at the expense of those who trust them with their data. This is a problem. Modern tech companies are so entrenched in our lives and have so much control over what we see and click that the self-dealing exploitation of people has become a major element of the internet’s business model.

Academics and policymakers have recently proposed a possible solution: require those entrusted with people’s data and online experiences to be loyal to those who trust them. But many have concerns about a duty of loyalty. What, …

Trading Privacy For Promotion? Fourth Amendment Implications Of Employers Using Wearable Sensors To Assess Worker Performance, George M. Dery Iii

Northwestern Journal of Law & Social Policy

This Article considers the Fourth Amendment implications of a study on a passive monitoring system where employees shared data from wearables, phone applications, and position beacons that provided private information such as weekend phone use, sleep patterns in the bedroom, and emotional states. The study’s authors hope to use the data collected to create a new system for objectively assessing employee performance that will replace the current system which is plagued by the inherent bias of self-reporting and peer-review and which is labor intensive and inefficient. The researchers were able to successfully link the data collected with the quality of …

Forging A Path Towards Meaningful Digital Privacy: Data Monetization And The Ccpa, Rebecca Harris

Loyola of Los Angeles Law Review

The California Consumer Privacy Act (CCPA) was passed in response to a number of newsworthy data breaches with widespread impacts, and which revealed how little digital privacy consumers actually have. Despite the large market for consumer data, individual consumers generally do not earn money when their personal data are sold. Further, consumers have very little control over who collects their data, what information is collected, and with whom it is shared. To place control back in the hands of the consumer, affirmative consent should be required to collect and sell consumer’s data, and consumers should have the ability to sell …

Inescapable Surveillance, Matthew Tokson

Utah Law Faculty Scholarship

Until recently, Supreme Court precedent dictated that a person waives their Fourth Amendment rights in information they disclose to another party. The Court reshaped this doctrine in Carpenter v. United States, establishing that the Fourth Amendment protects cell phone location data even though it is revealed to others. The Court emphasized that consumers had little choice but to disclose their data, because cell phone use is virtually inescapable in modern society.

In the wake of Carpenter, many scholars and lower courts have endorsed inescapability as an important factor for determining Fourth Amendment rights. Under this approach, surveillance that people cannot …

Untangling The Privacy Law Web: Why The California Consumer Privacy Act Furthers The Need For Federal Preemptive Legislation, Jordan Yallen

Loyola of Los Angeles Law Review

No abstract provided.

The Limits And Possibilities Of Data-Driven Antitrafficking Efforts, Jennifer Musto Ph.D.

Georgia State University Law Review

An examination of technology in the countertrafficking space reveals recurring tensions between law enforcement and rights-based approaches. It also illuminates assumptions, such as the one that posits more law enforcement-focused, nonstate-actor-supported data-driven efforts are necessary to securing justice for people in trafficking situations. However, a closer look at how technology is used and by whom also invites us to ask different questions and to leverage the power of our all-too-human creative potential in thinking about how to value and prioritize data ethics, transparency, and accountability in future countertrafficking work.

Gdpr And The Importance Of Data To Ai Startups, James Bessen, Stephen Michael Impink, Lydia Reichensperger, Robert Seamans

Faculty Scholarship

What is the impact of the European Union’s General Data Protection Regime (“GDPR”) and data regulation on AI startups? How important is data to AI product development? We study these questions using unique survey data of commercial AI startups. AI startups rely on data for their product development. Given the scale and scope of their business models, these startups are particularly susceptible to policy changes impacting data collection, storage and use. We find that training data and frequent model refreshes are particularly important for AI startups that rely on neural nets and ensemble learning algorithms. We also find that firms …

Symposium: The California Consumer Privacy Act, Margot Kaminski, Jacob Snow, Felix Wu, Justin Hughes

Publications

This symposium discussion of the Loyola of Los Angeles Law Review focuses on the newly enacted California Consumer Privacy Act (CPPA), a statute signed into state law by then-Governor Jerry Brown on June 28, 2018 and effective as of January 1, 2020. The panel was held on February 20, 2020.

The panelists discuss how businesses are responding to the new law and obstacles for consumers to make effective use of the law’s protections and rights. Most importantly, the panelists grapple with questions courts are likely to have to address, including the definition of personal information under the CCPA, the application …

Saving America’S Privacy Rights: Why Carpenter V. United States Was Wrongly Decided And Why Courts Should Be Promoting Legislative Reform Rather Than Extending Existing Privacy Jurisprudence, David Stone

St. Mary's Law Journal

Privacy rights are under assault, but the Supreme Court’s judicial intervention into the issue, starting with Katz v. United States and leading to the Carpenter v. United States decision has created an inconsistent, piecemeal common law of privacy that forestalls a systematic public policy resolution by Congress and the states. In order to reach a satisfactory and longlasting resolution of the problem consistent with separation of powers principles, the states should consider a constitutional amendment that reduces the danger of pervasive technologyaided surveillance and monitoring, together with a series of statutes addressing each new issue posed by technological change as …

Privacy Law Issues In Public Blockchains: An Analysis Of Blockchain, Pipeda, The Gdpr, And Proposals For Compliance, Noah Walters

Canadian Journal of Law and Technology

Proponents of blockchain proclaim that the technology’s greatest innovation is trust. Blockchain create trust by serving as an indispensable ledger (a central point of truth), for all stakeholders to a transaction. Instead of companies managing and reconciling records of the same transaction in privately held databases, both sides of a transaction are recorded simultaneously on a shared ledger — the blockchain. As a result, the crypto economic environment is characterized by the decentralized coordination of business processes and transactions. Proponents of crypto-economics regard decentralized coordination as an opportunity for new forms of economic innovation, forms designed to increase value for …

Digital Colonialism: The 21st Century Scramble For Africa Through The Extraction And Control Of User Data And The Limitations Of Data Protection Laws, Danielle Coleman

Michigan Journal of Race and Law

As Western technology companies increasingly rely on user data globally, extensive data protection laws and regulations emerged to ensure ethical use of that data. These same protections, however, do not exist uniformly in the resource-rich, infrastructure-poor African countries, where Western tech seeks to establish its presence. These conditions provide an ideal landscape for digital colonialism.

Digital colonialism refers to a modern-day “Scramble for Africa” where largescale tech companies extract, analyze, and own user data for profit and market influence with nominal benefit to the data source. Under the guise of altruism, large scale tech companies can use their power and …

Privacy Statements Under The Gdpr, Mike Hintze

Seattle University Law Review

The need to include specific types of information in a privacy statement is a GDPR compliance obligation that does not get as much attention as some other GDPR requirements. Perhaps that is because privacy statements have been much maligned in recent years. They are too long and full of legalese. Nobody reads them. They are part of a notice and consent approach to privacy that puts an unrealistic burden on consumers to make informed choices. But despite these well-known criticisms, the GDPR doubles down on privacy statements. In fact, gauging by the roughly fourfold increase in privacy statement requirements compared …