Taking Trust Seriously in Privacy Law

Privacy and Security

Article Snapshot


Woodrow Hartzog and Neil Richards


Stanford Technology Law Review, Vol. 19, No. 3, pp. 431-472, 2016


The digital economy requires trust whenever personal information is shared with Internet Service Providers (ISPs), doctors, banks, search engines, and others. Current privacy regulations focus on consent or financial harm, and do not promote trust.

Policy Relevance

Privacy law should be reframed to promote trust. Online entities that collect personal information should have fiduciary duties to consumers.

Main Points

  • Modern privacy law fails to foster trust; privacy discussions tend to be pessimistic, focusing on “creepiness” or on the prevention of harm.
    • “Creepiness” is too malleable a concept and will result in focus only on information practices of which consumers are aware.
    • Preventing financial harm is important but should not be the sole focus of privacy law.
    • “Notice and choice” overstates consumers’ power to make choices.
  • Privacy protections can be a positive force, generating deeper and more sustainable information relationships and corporate profits.
  • Without trust, people share less information or provide false information.
    • If people do not trust a firm, they are more likely to switch to a competitor.
    • The privacy legal regime encourages firms to take a short-term view of the value of data, seeking a quick buck through data mining.
  • Privacy rules have the potential to build the trust necessary for digital society to flourish, focusing on creating strong social bonds and sustainable, profitable relationships.
  • Privacy law should be modelled partly on fiduciary law, an ancient common law concept; fiduciaries such as doctors and lawyers have duties of care, loyalty, and confidentiality to consumers.
  • The Fair Information Practices (FIPs) and related principles should incorporate trust as a guiding principle.
    • Confidentiality should be reframed as a duty of Discretion.
    • Transparency should be reframed as a duty of Honesty.
    • Security is more complete when framed as a duty of Protection.
  • The concept of Loyalty, borrowed from fiduciary law, should be a foundational value for privacy law; after an entity has been entrusted with personal information, the concept of loyalty should limit the entity’s “self-dealing” using that information.
    • Personal information obtained from a user should not be used against her interests.
    • Consent to terms in a contract agreement no one reads is disloyal and illegitimate.

