Privacy Experts Neil Richards and Woodrow Hartzog’s New Paper: “A Duty of Loyalty for Privacy Law”

By TAP Staff Blogger

Posted on August 28, 2020


The Internet of 2020 certainly provides many helpful services, but it at the cost of becoming the greatest assemblage of corporate and government surveillance in human history. The Internet allows unprecedented expression, but it is also plagued by hate speech, misinformation, and electoral manipulation. And where the Internet promised human empowerment, all too often the tools of data science and behavioral science have been used to nudge behavior and manufacture consent to disempowering data practices and boilerplate terms. Far too frequently, corporate promises of empowerment have instead delivered manipulation, disempowerment, and distrust.
- “A Duty of Loyalty for Privacy Law” by Neil Richards and Woodrow Hartzog


Privacy law professors Neil Richards, Washington University School of Law, and Woodrow Hartzog, Northeastern University School of Law, have been writing about the importance of trust within data-exchange relationships for a number of years.


In “Taking Trust Seriously in Privacy Law,” Professors Hartzog and Richards argue that privacy law should be reframed to promote trust. This vision of privacy protections can be a positive force, generating deeper and more sustainable information relationships and corporate profits. Furthermore, in “Privacy's Trust Gap,” Professors Hartzog and Richards point out that the way we have traditionally thought about privacy in terms of individual protections creates a trust gap. The professors advocate that the best solution for problems of privacy in the digital society is to use law to create incentives to build sustainable, trust-promoting information relationships.


Now, in their recent paper, “A Duty of Loyalty for Privacy Law,” Professors Richards and Hartzog propose imposing a duty of loyalty on companies that collect and process human information. The theory of loyalty they recommend is based upon “the risks of digital opportunism in information relationships.” The professors explain that data collectors bound by this duty of loyalty would be obligated to act in the best interests of people exposing their data and online experiences; and the collectors would be prohibited from designing digital tools and processing data in a way that conflicts with the trusting peoples’ best interests.


Below are a few excerpts from “A Duty of Loyalty for Privacy Law” by Neil Richards and Woodrow Hartzog.


A Theory of Loyalty and U.S. Privacy Law


We offer a theory based on the risks of opportunism that arise when people trust others with their personal information and online experiences. Data collectors bound by a duty of loyalty would be obligated to act in the best interests of the people exposing their data and engaging in online experiences, but only to the extent of their exposure. Loyalty would manifest itself primarily as a prohibition on designing digital tools and processing data in a way that conflicts with a trusting parties’ best interests.


Our basic claim is simple: a duty of loyalty framed in terms of the best interests of digital consumers should become a basic element of U.S. data privacy law. A duty of loyalty would compel loyal acts and also constrain conflicted, self-dealing behavior by companies. It would shift the default legal presumptions surrounding a number of common design and data processing practices, and it would act as an interpretive guide for government actors and data collectors to resolve ambiguities inherent in other privacy rules. A duty of loyalty, in effect, would enliven almost the entire patchwork of U.S. data privacy laws. And it would do it in a way that is consistent with U.S. free expression goals and other civil liberties. A duty of loyalty along the lines we suggest would be a radical step for American privacy law, but we think it would be a necessary and important one if our digital transformation is to live up to its great promises of human wellbeing and flourishing.


The Problem: Corporate Opportunism with Consumers’ Data


We explain how corporate opportunism around human information has been enabled by American privacy law’s failure to stop exploitation. This has enabled rampant opportunism and manipulation, particularly in the context of “personalized” technologies promise to know us so that they can better satisfy our needs and wants. Insufficiently constrained by the law, companies can deploy a potent cocktail of techniques derived from cognitive and behavioral science to “nudge” or otherwise influence the choices we make. But these highly-capitalized tech companies have not acted like the benevolent choice architects some had hoped they might become. Technologies – and choice architecture – advertised as serving consumers have instead become weaponized, serving consumers themselves up to the companies and their commercial and political advertiser clients.


The Purpose of a Duty of Loyalty


We first explore the purpose of a duty of loyalty, which is for the entrustee to protect the interests of the trusting party. In practice, the duty of loyalty has taken two forms in American law. When the trusting party is relatively sophisticated and able to communicate their values and desires and the function of the relationship is to rely upon the entrustee’s expertise in decision making, loyalty means obedience. That is, the trustee must typically follow the instructions of the trusting parting regardless of the likely consequences. But where trusting parties are more vulnerable, or their instructions are harder to discern, loyalty means promoting the best interests of the trusting parties. Both approaches have their virtues and vices, but given the nature of the digital landscape, the relative unsophistication of most digital consumers, and the technical, legal, and economic power differentials between consumers and platforms, we suggest that the “best interests” form of loyalty is best to protect consumers and rid them of the burdens of privacy self-management and other “privacy work.”


Implementing a Duty of Loyalty for Data Collectors


First, we explore when a duty of loyalty should arise. We argue that it should apply when four factors are met: (1) when trust is invited within the context of an information relationship; (2) by one with a large power and information disparity over another; (3) that has control over the disadvantaged party’s mediated experiences and data; and (4) and the weaker party exposes themselves relying their trust will be kept. Next, we explore possible frameworks for a duty of loyalty, including a general duty of loyalty for all activities of certain large and powerful data processors, some context-specific ad hoc duties of loyalty, and specific rules designed to encourage behavior that is loyal in practice.


In Conclusion


A duty of loyalty for privacy has the potential to change how platforms do business. It could also build trust in our digital society in ways that existing models of privacy protection have failed to achieve. It is worth noting, as we conclude, that though we are privacy scholars, we lack the hubris to suggest that privacy law alone can solve all the problems of our digital transformation. We have argued elsewhere that if we want to build a digital future which is just, fair, and promotes human flourishing, many bodies of law must be brought to bear, and where necessary, transformed.


A sea change is exactly what is needed to deal with the unprecedented power and incentives for self-dealing in our modern digital world. A duty of loyalty would disrupt the surveillance-based advertising model, but Internet companies have long touted the virtues of disruption. Indeed, the digital ad model itself disrupted advertising by newspapers, a disruption that has itself endangered the sustainability of a free press. But, fundamentally, the promise of the Internet was neither surveillance nor was it “more relevant ads.” The promise of the Internet was human flourishing – putting people first, promoting democracy, and protecting them from exploitation and vulnerability. A duty of loyalty for privacy law would be an important step back in that direction.


Read the full article: “A Duty of Loyalty for Privacy Law” by Neil Richards and Woodrow Hartzog (July 3, 2020)


Neil Richards is the Thomas and Karole Green Professor of Law at Washington University School of Law, where he co-directs the Cordell Institute for Policy in Medicine & Law. His work focuses on privacy, technology, free speech, and constitutional law. Professor Richards is an internationally-recognized expert in privacy law, information law, and freedom of expression.


Woodrow Hartzog is Professor of Law and Computer Science at Northeastern University School of Law and holds a joint appointment in the College of Computer and Information Science department. His research focuses on the complex problems that arise when personal information is collected by powerful new technologies, stored, and disclosed online. Professor Hartzog is an internationally recognized expert in the area of privacy, media, and robotics law.