Faculty of law blogs / UNIVERSITY OF OXFORD

A Duty of Loyalty for Privacy Law


Neil Richards
The Koch Distinguished Professor in Law, Washington University School of Law
Woodrow Hartzog
Professor of Law and Computer Science, Northeastern University School of Law



It wasn’t supposed to be like this. When the Internet emerged in the mid-1990s, it was heralded as an unprecedented technology of human empowerment; a place where human beings could meet, learn, and express themselves, transforming our society for the better. It was also hailed as a realm of privacy, in which those empowered humans could read, connect and communicate on their own terms, safely cocooned in bubbles of anonymity where, as the famous New Yorker cartoon put it, ‘no one knows you are a dog.’ 

Of course, a quarter of a century on, that’s not quite how it has worked out. The Internet of 2020 certainly provides many helpful services, but at the cost of becoming the greatest assemblage of corporate and government surveillance in human history. Where the Internet promised human empowerment, all too often the tools of data science and behavioral science have been used to nudge behavior and manufacture consent to disempowering data practices and boilerplate terms. Far too frequently, corporate promises of empowerment have instead delivered manipulation, disempowerment, and distrust.

Our paper ‘A Duty of Loyalty for Privacy Law’ examines one potential solution to these problems: imposing a duty of loyalty on companies that collect and process human information. Duties of loyalty are used in other areas of law as an obligation to refrain from self-dealing. They are typically placed on trusted parties such as lawyers and other professionals, agents, guardians, and corporate directors. But they have not been imposed as part of privacy law. This is just beginning to change. In articles in 2016 and 2017, we suggested that loyalty is the key component in generating trust in modern ‘information relationships,’ ones in which human information changes hands, often as part of the delivery of a service such as search engine results. Other scholars like Jack Balkin have proposed treating data collectors as ‘information fiduciaries.’ Influenced by this academic work, a duty of loyalty is now a serious option for national privacy reform in the United States. 

In our article, we propose a duty of loyalty for privacy law. We offer a theory based on the risks of opportunism that arise when people trust others with their personal information and online experiences. Data collectors bound by a duty of loyalty should be obligated to act in the best interests of the people exposing their data and engaging in online experiences, but only to the extent of their exposure. Loyalty would manifest itself primarily as a prohibition on designing digital tools and processing data in a way that conflicts with trusting parties’ best interests.

Our basic claim is simple: a duty of loyalty framed in terms of the best interests of digital consumers should become a basic element of US data privacy law. A duty of loyalty would compel loyal acts and also constrain conflicted, self-dealing behavior by companies. It would shift the default legal presumptions surrounding a number of common design and data processing practices, and it would act as an interpretive guide for government actors and data collectors to resolve ambiguities inherent in other privacy rules. A duty of loyalty would enliven the whole patchwork of US data privacy laws. And it would do it in a way that is consistent with the First Amendment and other civil liberties. 

Our article proceeds in five parts. Part I briefly describes the problem. We explain how corporate opportunism around human information has been enabled by American privacy law’s failure to stop exploitation. This has enabled rampant opportunism and manipulation, particularly in the context of ‘personalized’ technologies that promise to know us so that they can better satisfy our needs and wants. Technologies advertised as serving consumers have instead become weaponized, serving consumers themselves up to the companies and their commercial and political advertiser clients. 

Part II offers a theory with which to understand and solve these problems: a duty of loyalty for data collectors. We suggest that loyalty in this context means promoting the best interests of the trusting parties. This is the best way to protect consumers and rid them of the burdens of privacy self-management and other ‘privacy work.’ In this section, we also highlight the core mandate of a duty of loyalty, which would be a prohibition on all technological design and data processing that conflicts with the trusting parties’ best interests with respect to their exposure. 

Part III justifies our duty of loyalty for privacy law, explaining how and why the existing American framework regulating trafficking in human information fails to comprehend—much less, effectively regulate—the problems of profiling, sorting, nudging, and manipulation that plague the digital environment. Put simply, a legal model grounded in ‘notice and choice’ cannot prevent data-based manipulation when notice is fictional and choice can be manufactured by the tools of data and behavioral science. We can do better with a duty of loyalty.

Part IV is about implementation. It explains how and why a properly crafted duty of loyalty can mitigate opportunism, fill critical gaps in the US regulation of tech companies, and embolden a relational approach to privacy law. Part V addresses a few potential objections to a duty of loyalty for data collectors. We confront arguments about the scope of the duty being too vague, the problem of conflicting loyalties, and the high cost of compliance. These objections are certainly worth addressing head-on in law and policy, but we draw inspiration from how the law has handled similar objections in related areas to deal with these issues.

A duty of loyalty along the lines we suggest would be a radical step for American privacy law, but we think it would be a necessary and important one if our digital transformation is to live up to its great promises of human well-being and human flourishing.


Neil Richards is the Koch Distinguished Professor in Law at Washington University School of Law.

Woodrow Hartzog is Professor of Law and Computer Science at Northeastern University School of Law.

