Legislating Data Loyalty

Privacy and Security

Article Snapshot


Woodrow Hartzog and Neil Richards


Notre Dame Law Review Reflection, Vol. 97, pp. 356-384, 2022


A duty of loyalty focusing on the relationships between data collectors and data subjects would reinvigorate American privacy law. The law should include a general duty not to act against users’ interests.

Policy Relevance

A duty of loyalty would prevent manipulation of consumers.

Main Points

  • American privacy law is outdated; policymakers are now considering whether tech companies should be bound by a duty of loyalty to those from whom they collect data.
  • Data loyalty is based on the idea that the entities we trust to collect our data should not process the data or design systems in ways that conflict with our best interests; this idea is similar to the idea of loyalty in fiduciary law.
    • The duty of loyalty would stop firms from using data to manipulate consumers and others.
    • The duty of loyalty cannot easily be avoided.
    • The duty of loyalty would build trust and benefit both parties.
  • Privacy laws are typically structured in three ways, as follows:
    • Laws in the United States and Europe mainly focus on regulating the data itself.
    • Some rules are structural, addressing monopoly power or requiring the hiring of privacy officers.
    • A third option would be to focus the law on relationships, creating rules similar to the confidentiality requirements imposed on doctors and lawyers.
  • Loyalty rules would prohibit self-dealing; this would revolutionize privacy law in the United States, which assumes that any data extraction model is valid if certain procedures are followed.
  • Presently, the requirement that entities give users notice and choice when data is collected is a checkbox compliance exercise; a duty of loyalty would require firms to offer meaningful information about data practices, and a choice of reasonable alternatives that do not conflict with the trusting users' best interests.
  • Courts have denied standing to American plaintiffs suing for violations of privacy rules, because the plaintiff cannot show a sufficiently concrete injury; a duty of loyalty would solve this problem, because disloyalty has long been recognized by courts as a legally sufficient injury.
  • Lawmakers should implement a duty of loyalty on two levels.
    • First, they should enact a broad prohibition on data practices or system design that significantly conflict with the trusting parties’ best interests.
    • Second, they should enact rules that articulate specific prohibitions and duties to be applied in particular contexts.
  • When the interests of data subjects conflict, the data collector should act reasonably, fairly, or impartially, so as to safeguard the interests of the reasonable user.
  • Entities use "dark patterns," confusing or difficult interface elements (such as hard-to-see cancel buttons), to nudge people towards behaviors they would not otherwise choose; with a legal duty of loyalty, rules could address the most dangerous dark patterns directly.
