Privacy laws have never seemed stronger. New international, national, state, and local laws have been passed with the promise of greater protection for consumers. Courts across the globe are reclaiming the law’s power to limit collection of our data. And yet, our privacy seems more in danger now than ever, with frequent admissions of nefarious data use practices from social media, mobile apps, and e-commerce websites, among others. Why are privacy laws, seemingly more comprehensive than ever, not working to protect our privacy? This article explains why.
Based on original primary source research – interviews with engineers, privacy professionals, and vendor executives; product demonstrations; webinars, blogs, industry literature; and more – this Article argues that privacy law is failing to deliver its promised protections in part because the responsibility for fulfilling legal obligations is being outsourced to engineers at third-party technology vendors who see privacy law through a corporate, rather than substantive, lens. This phenomenon is placing privacy law in the middle of a process of what scholars have called legal endogeneity: mere symbols of compliance are standing in for real privacy protections. Toothless trainings, audits, and paper trails, among other symbols, are being confused for actual adherence to privacy law, which has the effect of undermining the promise of greater privacy protection for consumers.
Waldman, Ari Ezra, Privacy Law’s False Promise (February 21, 2019). Washington University Law Review, volume 97, no 3, 2019.