Professors Danielle Citron and Daniel Solove Examine Privacy Harms

By TAP Staff Blogger

Posted on March 16, 2021


“Privacy harm is a conceptual mess, obscured in a fog that significantly impedes U.S. privacy law from being effectively enforced.”
- from “Privacy Harms” by Professors Danielle Citron and Daniel Solove


In their new article, “Privacy Harms,” privacy experts and law professors Danielle Citron, University of Virginia, and Daniel Solove, George Washington University, discuss the legal challenges in holding privacy violators accountable for the harms they cause. Additionally, the authors “set forth a typology that explains why particular harms should be legally cognizable,” and they “show how concepts and doctrines in other areas of law can be applied in the context of privacy harms.”


Below are a few excerpts from “Privacy Harms” by Professors Danielle Citron and Daniel Solove.


Two Central Contributions from the Authors:


The first is the construction of a road map for courts to understand harm so that privacy violations can be tackled and remedied in a meaningful way. Privacy harms consist of various different types, which to date have been recognized by courts in inconsistent ways. We set forth a typology of privacy harms that elucidates why certain types of privacy harms should be recognized as cognizable.


The second contribution is providing an approach to when privacy harm should be required. In many cases, harm should not be required because it is irrelevant to the purpose of the lawsuit. Currently, much privacy litigations suffers from a misalignment of law enforcement goals and remedies. For example, existing methods of litigating privacy cases, such as class actions, often enrich lawyers but fail to achieve meaningful deterrence. Because the personal data of tens of millions of people could be involved, even small actual damages could put companies out of business without providing much of value to each individual. We contend that the law should be guided by the essential question: When and how should privacy regulation be enforced? We offer an approach that aligns enforcement goals with appropriate remedies.


Privacy Harms Are Often Intangible


In several ways, harm emerges as a key gatekeeper in privacy cases. Harm is an element of many causes of action. Courts struggle to recognize privacy harms because they often do not produce tangible financial or physical harm. Instead, privacy harms often involve intangible injuries, which courts address inconsistently and with considerable disarray. Many privacy violations involve broken promises or thwarted expectations about how people’s data will be collected, used, and disclosed. The downstream consequences of these practices are often hard to determine in the here and now. People might be flooded with unwanted advertising or email spam. Their expectations may be betrayed, resulting in their data being shared with third parties that may use it in detrimental ways –but precisely when and how is unknown.


For many privacy harms, the injury may appear small when viewed in isolation, such as the inconvenience of receiving an unwanted email or advertisement or the failure to honor your expectation that your data would not be shared with third parties. But when done by hundreds or thousands of companies, the harm adds up. Moreover, these small harms are dispersed among millions (and sometimes billions) of people. Over time, as numerous people are each inundated by a swarm of small harms, the overall societal impact can be significant. Yet, these types of injuries do not fit well into judicial conceptions of harm, which have an individualistic focus and heavily favor tangible physical and financial injuries that occur immediately.


Courts Have Injected Harm as a Gatekeeper in Privacy Cases


Courts, however, have wrought havoc on legislative plans for statutory damages in privacy cases by adding onerous harm requirements. In Doe v. Chao, for example, the Supreme Court held that a statutory damages provision under the federal Privacy Act of 1974 would only impose such damages if plaintiffs established “actual” damages. As a second punch, the Supreme Court held in Federal Aviation Administration v. Cooper that emotional distress alone was insufficient to establish actual damages under the Privacy Act. …


Courts have also injected harm as a gatekeeper to the enforcement of the law through modern standing doctrine. The U.S. Supreme Court has held that plaintiffs cannot pursue cases in federal court unless they have suffered an “injury in fact.” Specifically, in the privacy law context, in 2016, the Supreme Court in Spokeo v. Robins, concluded in a case involving the Fair Credit Reporting Act that courts could deny standing to plaintiffs seeking to recover under private rights of action in statutes. The court stated that even if a legislature granted plaintiffs a right to recover without proving harm, courts could require a plaintiff to prove harm to establish standing.


Due to judicial intervention, the requirement of privacy harm is inescapable. Even when law does not require proof of harm, courts exert their will to add it in, turning the enforcement of privacy law into a far more complicated task than it should be. Privacy harm is a conceptual mess, obscured in a fog that significantly impedes U.S. privacy law from being effectively enforced. Even when organizations have engaged in clear wrongdoing, privacy harm requirements often result in cases being dismissed.


When and How Should Various Privacy Laws Be Enforced?


A better understanding and recognition of privacy harms is only the first part of the equation. In addition to the issue of what should constitute cognizable privacy harm, we also examine the issue of when privacy harm should be required. In many cases, harm should not be required because it is irrelevant to the purpose of the lawsuit. The overarching question that the law should ask is: When and how should various privacy laws be enforced? This question brings into focus the underlying source of the law’s current malaise—the misalignment of enforcement goals and remedies. We propose an approach that aligns enforcement goals with appropriate remedies.


Concluding Thoughts


A well-calibrated legal response to privacy cases would permit socially beneficial personal data practices while requiring robust protections for the handling of personal data. Its primary focus should be on the deterrence of violations with the goal of encouraging widespread compliance. Compensation is important for individuals who have suffered significant harm.


Legal intervention should be designed to ensure that socially beneficial information practices continue. Our economy depends upon the collection and sharing of personal data. At the same time, personal data practices are inherently risky. Privacy law aims to ensure that personal data is used properly, that individuals have the ability to make decisions about their personal data, that there are meaningful guardrails and boundaries about how data is collected, used, or disclosed.


“Privacy Harms” Components


This Article has four parts:


Part I discusses when the law requires cognizable harm in order to enforce privacy regulation.


Part II sets forth a typology of privacy harms, explaining why each involves an impairment of important interests, how law tackles them, and why the law should do so.


Part III examines several challenges that make it difficult to recognize certain types of privacy harms.


Part IV examines when privacy harm should be required in privacy litigation and how the law should better align enforcement goals and remedies.


Read the full article: “Privacy Harms” by Professors Danielle Citron and Daniel Solove.


About the Authors


Danielle Citron is the Jefferson Scholars Foundation Schenck Distinguished Professor in Law at UVA, where she writes and teaches about privacy, free expression and civil rights. Her scholarship and advocacy have been recognized nationally and internationally. In 2019, Professor Citron was named a MacArthur Fellow based on her work on cyberstalking and intimate privacy. In 2018, she received the UMD Champion of Excellence award and in 2015, the United Kingdom’s Prospect Magazine named her one of the Top 50 World Thinkers and The Daily Record named her one of the Top 50 Most Influential Marylanders.


Daniel J. Solove is the John Marshall Harlan Research Professor of Law at the George Washington University Law School. Professor Solove teaches information privacy law, law and literature, criminal law, and criminal procedure. He is also the founder of TeachPrivacy, a privacy and cybersecurity training company. As an internationally-known expert in privacy law, Professor Solove has testified before Congress, has contributed to amicus briefs before the U.S. Supreme Court, and has served as a consultant or expert witness in a number of high-profile privacy cases involving Fortune 500 companies and celebrities. Additionally, he has been interviewed and quoted by the media in several hundred articles and broadcasts, including The New York Times, The Washington Post, The Wall Street Journal, USA Today, Chicago Tribune, the Associated Press, ABC, CBS, NBC, CNN, and NPR.