Professors Hartzog and Richards Advocate for Data Loyalty in Privacy Legislation

By Woodrow Hartzog and Neil Richards

Posted on July 25, 2022


We are at a critical juncture in the data privacy debate. Like the choice of where to lay roads, the privacy rules we choose now will be with us for decades, if not centuries. If lawmakers are going to create data loyalty rules, it is essential they get them right.
- from “We’re So Close to Getting Data Loyalty Right,” written by Professors Woodrow Hartzog and Neil Richards


Privacy law scholars Woodrow Hartzog, Boston University, and Neil Richards, Washington University in St. Louis, have been exploring the concept of data loyalty for a number of years. In their article “Legislating Data Loyalty” (Notre Dame Law Review, 2022), Professors Hartzog and Richards explain that “Data loyalty is the simple idea that the organizations we trust should not process our data or design their tools in ways that conflict with our best interests.”


In a recent article written for IAPP Perspectives, Professors Hartzog and Richards examine several recently proposed bills to update privacy law in the United States. They write that the American Data Privacy and Protection Act, H.R.8152 (ADPPA) is “the most significant bipartisan privacy legislation introduced in more than a decade, and it represents a sincere attempt to move beyond the ineffective ‘notice and choice’ approach to privacy that has been the hallmark of U.S. legislators since the days of dial-up modems.”


Below are excerpts from “We’re So Close to Getting Data Loyalty Right,” written by Professors Woodrow Hartzog and Neil Richards (IAPP Perspectives, June 14, 2022):


Proposed Privacy Legislation


Done correctly, duties of loyalty would change a company’s business incentives away from manipulative and exploitative practices toward long-term, sustainable and mutually beneficial information relationships between people and companies. Lawmakers seem to be converging on data loyalty as the foundation for a federal privacy framework. Sen. Brian Schatz's, D-Hawaii, Data Care Act, Cantwell’s earlier Consumer Online Privacy Rights Act, and, even in practice, the Kids Online Safety Act from Sens. Richard Blumenthal, D-Conn., and Marsha Blackburn, R-Tenn., are all anchored by duties of loyalty. State lawmakers have also keyed in on data loyalty as a defining value for U.S. privacy frameworks. Lawmakers in New York and Massachusetts have proposed privacy rules built around the concept of data loyalty. California is close to passing legislation around an Age-Appropriate Design Code that references a version of loyalty in its introductory findings. Even The Washington Post has explicitly called for U.S. privacy legislation built around the idea of data loyalty.


As academics working on the concept of data loyalty, we’re thrilled by this development. In a series of articles over the past few years, we’ve argued data loyalty is the critical missing piece to America’s regulatory tool kit for privacy. We think data loyalty can bring substance to America’s privacy identity and meaningfully check the excesses of surveillance capitalism while preserving the benefits of information relationships. All the bills that incorporate duties of loyalty into privacy frameworks are moving us closer to holding data collectors meaningfully accountable. They are so close to fully realizing the potential of data loyalty as the anchor of U.S. privacy law. Unfortunately, the ADPPA and other recently proposed bills that contain a duty of loyalty are insufficient.


Where Current Bills Fall Short


To be clear, we think the ADPPA and all the bills that propose a duty of loyalty are commendable steps in the right direction and a vast improvement over relying on disclosures and data subject rights to anchor privacy legislation. But all these proposals arrive with diminished duties of loyalty. The current federal proposals either focus on a narrow aspect of loyalty, such as data minimization, or they unnecessarily saddle loyalty rules with harm requirements.


For example, Title I of the ADPPA is subtitled “Duty of Loyalty,” but Section 101 clarifies that this duty is really that of “data minimization,” prohibiting companies from collecting, processing or transferring covered data beyond what is “reasonably necessary, proportionate, and limited to” provide a requested service, a reasonably anticipated communication or an explicitly permitted purpose. We have argued strong data minimization rules are a key part of data loyalty. But data minimization is merely one aspect of acting in the best interests of trusting parties. Data loyalty rules should also cover manipulation, breaches of confidentiality, wrongful discrimination, and reckless and extractive engagement models. Data minimization rules only indirectly confront many of these issues.


Other proposals, such as Cantwell’s COPRA, offer broader duties of loyalty but then hamper the effectiveness of the duty by requiring a showing of some kind of harm other than the disloyalty itself. For example, in addition to a duty of data minimization, the latest version of COPRA also includes a prohibition on deceptive and harmful data practices as part of its duties of loyalty. A report on drafts of COPRA notes “Cantwell’s bill defines harmful data practices to include practices that cause or are likely to cause financial, physical, or reputational injury, or offensive intrusion upon solitude or seclusion of an individual, where such intrusion would be offensive to a reasonable person.” The Data Care Act imposes somewhat similar harm requirements for a breach of data loyalty.


Data Loyalty Rules to Consider


We think five separate areas call for [such] specific rules. First, there is “Collection,” the act of collecting, recording and deciding to keep data about a person. Strong data minimization rules would fall in this category. Second, there is “Personalization,” the act of treating people differently based on personal information or characteristics. Strict anti-discrimination and anti-subordination rules along with prohibitions on certain kinds of cross-contextual behavioral advertisements like those targeted in the California Consumer Privacy Act would be responsive to this context. Third, there is “Gatekeeping,” the extent to which trusted entities allow third parties to access people and their data. Robust data security, confidentiality and deidentification rules would be appropriate here.


The fourth context is “Influence,” where companies leverage technologies to exert sway over people to achieve results. Here, anti-dark patterns rules would be helpful. We recommend adopting a rule based on the Consumer Financial Protection Bureau’s prohibition on abusive trade practices, which prohibits taking unreasonable advantage of uninformed trusting parties, the inability of people to protect themselves from exposure, or the reasonable reliance by trusting parties that an organization is acting in their interests. Finally, there is “Mediation,” which concerns the way organizations design their platforms to facilitate people interacting with each other. Here we recommend creating anti-harassment and disinformation design rules. These subsidiary rules would not solve all problems of data and platform power, but they would engage with problem areas in a specific enough way to resist inevitable efforts to dilute the general loyalty obligation.


Concluding Thoughts


As technology companies become ever more intertwined with our lives, as they know our secrets and vulnerabilities even more than our lawyers and doctors do, it’s time to give them the kinds of mature duties those professionals have thrived under for centuries. As the pending bills have recognized, it’s time for a duty of data loyalty. All we ask is that when we impose data loyalty duties, we do them the right way so we can build the kind of trust in our digital society that we deserve — in a way that is good for everyone in the long term. Lawmakers are a stone’s throw away from fully realizing the potential for data loyalty. Let’s help them get it right as we make a historic push for privacy.


Read the full article on IAPP’s Perspectives page: “We’re So Close to Getting Data Loyalty Right,” written by Professors Woodrow Hartzog and Neil Richards.


Neil Richards is the Koch Distinguished Professor in Law at Washington University School of Law, where he co-directs the Cordell Institute for Policy in Medicine & Law. He is an internationally-recognized expert in privacy law, information law, and freedom of expression. He writes, teaches, and lectures about the regulation of the technologies powered by human information that are revolutionizing our society.


Woodrow Hartzog is Professor of Law at Boston University School of Law. Professor Hartzog’s scholarship and advocacy focus on privacy and technology law. His research addresses the complex problems that arise when people, organizations, and governments use powerful new technologies to collect, analyze, and share human information. He is an internationally recognized expert in the area of privacy, media, and robotics law.


Articles Written by Professors Hartzog and Richards Advocating for Data Loyalty:
(presented in alphabetical order)