U.S. privacy law confronts a renewed moment of possibility. Following the European Union’s enactment of the General Data Protection Regulation (“GDPR”),4 numerous states are debating and enacting sweeping consumer privacy laws, with Congress considering similar proposals.5 These new “omnibus” laws are often favorably contrasted with the current patchwork of sectoral privacy laws stitched atop the backdrop of the Federal Trade Commission’s (“FTC’s”) consumer protection enforcement.6 A one-size-fits-all omnibus approach is insufficient, however, to capture privacy’s contextual variability, which is keyed not to individual preferences and “consent” but to disparate social spheres. Privacy regulation must embody contextual privacy norms that promote the functions, goals, and values of particular social domains.
Omnibus regulation alone is likely to be overly broad in some cases and overly narrow in others. Sectoral privacy regulations can complement omnibus laws by instantiating the plurality of information-sharing norms in different settings and relationships. The present U.S. sectoral regime has significant shortcomings, however, and intuitively apparent privacy violations are rampant. Companies leverage these shortcomings to dodge the spirit and letter of sectoral laws and thus violate contextual integrity. Addressing these “regulatory dodges” is essential to enhancing the efficacy of sectoral privacy protection.
As long as there has been law, some have sought to evade it. Corporate actors do so to minimize their regulatory costs and gain competitive advantage. Technologies and business practices invariably evolve in the shadow of governing legal rules.7 We do not purport to (re)discover age-old concepts of regulatory arbitrage and evasion. Instead, we analyze how regulatory dodges emerge in a domain significantly transformed by digital technologies. This analysis can help us design better privacy laws.
Information assets are like stem cells: they can grow into a variety of commercially exploitable insights across a range of distinct commercial sectors, endowing companies with “predictive power” they can use across various settings.8 Information companies are flexible business entities; they can morph from providing advertising insights to health insurance profiles to financial services relatively seamlessly (with perhaps a strategic merger or acquisition).9 As a result, the digital economy is particularly vulnerable to regulatory dodge.
Regulatory avoidance is also particularly troubling in the digital economy. Information and communication serve important infrastructural roles for commercial and non-commercial life. Dodges may introduce significant, network-wide competition concerns. Lax privacy rules for information infrastructures may threaten entities in other industries that rely on them. In such networked scenarios, it is difficult to trace adverse effects back to a particular instance of inappropriate flows of data. Given these challenges of opacity and structural accountability, individuals are especially reliant on effective regulation to protect them from information harm.
We first focus on specific health (the Health Insurance Portability and Accountability Act of 199610 (“HIPAA”)) and financial (the Gramm-Leach-Bliley Act11 (“GLBA”)) privacy regulations to elucidate two illustrative types of regulatory dodge. We then use the GDPR and the California Consumer Privacy Act12 (“CCPA”) (as amended by the Consumer Privacy Rights Act) to illustrate why omnibus regulation may not solve the problems. We conclude with proposals for designing more contextually sensitive, gap-free privacy law.
