Privacy Legislation, not Common Law Duties


Harold Feld (@haroldfeld) is Senior Vice President of Public Knowledge.

NB: This post is part of the “Skepticism About Information Fiduciaries” symposium. Other contributions can be found here.

The United States has the distinction among developed nations of lacking a comprehensive consumer privacy protection law. To fill this gap, Professor Jack Balkin proposes the creation of a new class of common law fiduciaries subject to a heightened duty of care when entrusted with a party’s personal information. In addition to providing an answer to possible First Amendment problems that could arise from limiting the ability of businesses to collect personal information and use the collected information for targeted advertising, Balkin argues that courts may expand traditional fiduciary duties to this new class of “information fiduciaries” in accordance with traditional common law principles. This would overcome the current failure of Congress and nearly all state legislatures to address the increasingly urgent problem of personal privacy in the digital economy.

Balkin’s information fiduciary proposal, while attractive in addressing some businesses that rely on collection of personal information for targeted advertising, does not do nearly enough to protect personal privacy given the unavoidable size of our information footprint. Further, an examination of existing First Amendment case law shows no clear advantage for identification of a new common law fiduciary relationship over privacy legislation. Finally, the recent passage of the California Consumer Privacy Act (CCPA) has galvanized interest in passing comprehensive privacy legislation both on a federal level and among the other states – whereas no court has yet identified an “information fiduciary” under the common law.

The value of Balkin’s fiduciary framework, I argue, resides not in providing an enforceable legal relationship but in providing a framework for privacy legislation. The existing frameworks – the Privacy Principles adopted by the Organization for Economic Co-operation and Development (OECD) in 1980, which rely heavily on notice and consent, and the property framework introduced by Louis Brandeis in “The Right To Privacy” (both of which I discuss in this privacy white paper) – have significant limitations. Balkin’s proposed fiduciary framework provides a model for legislation that recognizes that the nature of the relationship between information collectors and aggregators requires imposing additional duties and restrictions to adequately protect consumers, while still enabling commerce and facilitating competition.

‘Information Fiduciaries’ Covers Too Small a Class of Entities

Fiduciary relationships are the exception, rather than the rule. They arise out of the unique relationship between the provider of a service and the individual receiving the service. Balkin argues that companies such as Google Search and Facebook meet the requirements to find a common law duty as “information fiduciaries.” Even assuming Balkin is right, however, the modern collection and commercial exploitation of personal information goes well beyond Google, Facebook or similar companies that collect information in exchange for providing services.

Unfortunately for consumers, information collection and storage has become trivially easy. Nearly everything from your car to your thermostat to your child’s toys to your more ‘adult’ toys now collects your personal information. Your cable operator monitors what shows you watch and what devices you use on your broadband network. An entire secondary market in personal information exists where “information brokers” (also called data brokers) buy this information and aggregate it into massive personal profiles. Analysis of “big data” is sufficiently sophisticated that even a bricks-and-mortar business such as Target can tell if you’re pregnant based on your purchases. None of these businesses fall into the kind of special relationship that would support classifying them as “information fiduciaries.” By contrast, the CCPA does reach all of these businesses and how they use personal information.

No Clear First Amendment Advantage

A chief selling point for creating information fiduciaries via the common law is that courts would analyze newly identified fiduciary duties differently than they have treated legislative privacy regulations. Balkin argues that, assuming the Supreme Court would find that regulating information collection is a form of speech regulation, a judicial finding of a common law duty would have a better chance of surviving First Amendment scrutiny than privacy legislation. His argument is based on a theory of the First Amendment with which I happen to agree: that the First Amendment is designed to protect primarily public-oriented speech rather than regulate private commercial relationships. But Balkin does not explain why regulation of private commercial speech based on a statute is less likely to survive First Amendment scrutiny than regulation based on a common law relationship. We have numerous regulations of private, contractual speech, such as warranty requirements and disclosure requirements, that have not raised First Amendment concerns. Many states incorporate into state law legal ethics codes, or other professional ethics codes, that govern speech between the professional and the customer. Nothing indicates that courts have analyzed the First Amendment implications differently for common law obligations as opposed to statutory obligations.

To the extent legislation raises First Amendment concerns, precedent shows how to construct a suitable record to survive First Amendment scrutiny. The case law surrounding Section 222 of the Communications Act (47 U.S.C. §222), the “Customer Proprietary Network Information” (CPNI) rules, shows that the federal interests of protecting consumers from unwanted (and potentially dangerous) communications, see NCTA v. FCC, 555 F.3d 996 (D.C. Cir. 2009), or the interest in promoting competition, see Verizon California, Inc. v. FCC, 555 F.3d 270 (D.C. Cir. 2009), satisfy the commercial speech test. These interests should similarly sustain broader privacy legislation against future First Amendment scrutiny.

A Useful Framework for Privacy Legislation

Professor Balkin’s information fiduciary proposal may find its greatest contribution in how we conceptualize privacy and create a workable framework for strong privacy regulation. Existing frameworks have proven deficient in providing adequate consumer protection, and create potentially dangerous analogies. Recent experience with the European Union’s General Data Protection Regulation (GDPR), which, like many other global statutes, relies on the OECD Privacy Principles adopted by OECD in 1980, has demonstrated repeatedly that even “opt out” rather than “opt in” notice requirements cannot adequately protect consumer privacy interests. The Brandeisian framework of privacy as a Locke-ian property right creates its own problems. In particular, the analogy to “property” has created the distraction of trying to find ways to monetize personal privacy (to give people “rights” to “their data”) and return some of the economic surplus to consumers. California’s Governor Newsom, for example, has proposed modifying the California Consumer Privacy Act to allow for this sort of monetization by creating a “data dividend.”

Balkin’s information fiduciary framework provides a conceptualization that is far better suited to regulating intangible information than property rights. Fiduciary duties extend beyond a one-time transaction, and in some (but not all) cases are considered unwaivable. Often they impose a duty of care and create obligations that extend long after the commercial relationship ceases, or even in perpetuity. The fiduciary framework likewise addresses the basis for the “mutuality” framework developed by the OECD. As the OECD recognized, the collection and organization of personal information is a necessary part of modern commerce and good governance. Additionally, the information collector or aggregator contributes important labor that can assist not merely in commercial exploitation, but in research or other positive public interest goals. The traditional fiduciary relationship takes the interest of the collecting party into account as well, including the interest of the information collector in exploiting the data for legitimate purposes.

The underlying and familiar common law legal concepts such as a duty of care and a duty of confidentiality provide a reasonable starting point for legislative drafting. But we should not mistake the value of the information fiduciary concept as a framework to guide legislation for a substitute for actual legislation. Further, even when used as a framework for drafting, the traditional limits on fiduciary regulation should not prevent legislation from extending much further where needed to adequately protect consumers or competition. The goal should be for the information fiduciary concept to inform the legislative process, not for the legislative process to enshrine the information fiduciary concept.