Lawmakers, regulators, consumer advocates, and the business community have focused increasing attention on the policy issues that arise at the intersection of privacy, technology, and commerce. Yet the law governing what businesses can do with consumer data remains unsettled and unclear. The United States has no dedicated and comprehensive privacy law, relying instead on a patchwork of general consumer protection laws and industry-specific regulations like HIPAA. The FTC has created what scholars have called a “common law of privacy” through its enforcement actions and published guidance, but how privacy law applies to business practices often remains uncertain.
This Article uncovers a large new trove of privacy law, elaborating the jurisprudence of privacy with reports submitted to courts in which hundreds of millions of consumers’ private information has been put up for sale. A unique provision of bankruptcy law requires the appointment of a privacy expert when consumer information is put up for sale, to report on the sale’s legality. These expert reports constitute an unrecognized but substantial body of privacy law. The Article presents and analyzes reports submitted from 2005 to 2020—a hand-collected dataset gathered from 141 court dockets. The reports dramatically increase what is known about how the “common law of privacy” applies in practice to sales of consumer data in a legal forum, and what the future of privacy law may hold.
The reports generally advocate a pro-transactional view and permit sales to proceed in spite of existing privacy promises so long as the purchasers’ use of consumer data will be roughly consistent with the sellers’. They rely on aspects of the traditional “notice and choice” regime that has guided privacy law, but they also include substantive consideration of the reasonable expectations that consumers may have formed or of the sensitivity of the information to be transferred. Thus, the reports reflect privacy law’s shift beyond strictly consent-based contractarian models and toward more substantive and context-based approaches.
The reports also speak to the institutional context of regulation of commerce in consumer information. On the one hand, the reports impose significant limits on companies selling private data, which suggests that expert oversight and supervision mechanisms, such as the legal regime that generated these reports, can play an important role in privacy regulation on the ground. But the reports are, on the whole, timid and formulaic, hewing closely to existing precedent and showing little inclination to adapt or develop it even when novel circumstances might justify a change in course. This hesitancy indicates that privacy law’s continuing development requires leadership from federal and state policymakers.
Replication code for this paper is available on JREG’s Dataverse account.