Legislating Data Loyalty

Article Source: Notre Dame Law Review Reflection, Vol. 97, pp. 356-384, 2022



A duty of loyalty focusing on the relationships between data collectors and data subjects would reinvigorate American privacy law. The law should include a general duty not to act against users’ interests.


Policy Relevance:

A duty of loyalty would prevent manipulation of consumers.


Key Takeaways:
  • American privacy law is outdated; policymakers are now considering whether tech companies should be bound by a duty of loyalty to those from whom they collect data.
  • Data loyalty is based on the idea that the entities we trust to collect our data should not process the data or design systems in ways that conflict with our best interests; this idea is similar to the idea of loyalty in fiduciary law.
    • The duty of loyalty would stop firms from using data to manipulate consumers and others.
    • The duty of loyalty cannot easily be avoided.
    • The duty of loyalty would build trust and benefit both parties.
  • Privacy laws are typically structured in three ways, as follows:
    • Laws in the United States and Europe mainly focus on regulating the data itself.
    • Some rules are structural, addressing monopoly power or requiring hiring of privacy officers.
    • A third option would be to focus the law on relationships, creating rules similar to the confidentiality requirements imposed on doctors and lawyers.
  • Loyalty rules would prohibit self-dealing; this would revolutionize privacy law in the United States, which assumes that any data extraction model is valid if certain procedures are followed.
  • Presently, the requirement that entities give users notice and choice when data is collected is a checkbox compliance exercise; a duty of loyalty would require firms to offer meaningful information about data practices, and a choice of reasonable alternatives that do not conflict with the trusting users' best interests.
  • Courts have denied standing to American plaintiffs suing for violations of privacy rules, because the plaintiff cannot show a sufficiently concrete injury; a duty of loyalty would solve this problem, because disloyalty has long been recognized by courts as a legally sufficient injury.
  • Lawmakers should implement a duty of loyalty on two levels.
    • First, they should enact a broad prohibition on data practices or system design that significantly conflict with the trusting parties’ best interests.
    • Second, they should enact rules that articulate specific prohibitions and duties to be applied in particular contexts.
  • When the interests of data subjects conflict, the data collector should act reasonably, fairly, or impartially, so as to safeguard the interests of the reasonable user.
  • Entities use "dark patterns," confusing or difficult interface elements (such as hard-to-see cancel buttons) to nudge people towards behaviors they would not otherwise choose; with a legal duty of loyalty, rules could address the most dangerous dark patterns directly.



Neil Richards

About Neil Richards

Neil Richards is the Koch Distinguished Professor in Law at Washington University School of Law, where he co-directs the Cordell Institute for Policy in Medicine & Law. He is an internationally-recognized expert in privacy law, information law, and freedom of expression. He writes, teaches, and lectures about the regulation of the technologies powered by human information that are revolutionizing our society.

Woodrow Hartzog

About Woodrow Hartzog

Woodrow Hartzog is Professor of Law at Boston University School of Law. Professor Hartzog’s scholarship and advocacy focus on privacy and technology law. His research focuses on the complex problems that arise when people, organizations, and governments use powerful new technologies to collect, analyze, and share human information. He is an internationally recognized expert in the area of privacy, media, and robotics law.