Document Type

Article

Publication Date

2023

Abstract

U.S. privacy law is in a renewed moment of regulatory possibility, with both Congress and the states considering sweeping consumer privacy laws. These new proposals to enact “omnibus” privacy protections could be couched as an antidote to the current U.S. privacy regime: a patchwork of sectoral privacy laws stitched atop the background of FTC consumer contract enforcement. However, this Essay maintains that a one-size-fits-all approach cannot successfully capture both privacy’s value and its variability. Yet, it is clearly the case that the present-day sectoral regime in the United States suffers from significant shortcomings. These shortcomings allow behaviors that seem clearly to violate privacy to flourish, effectively gouging meaningful oversight from sectoral privacy laws. We call these “regulatory dodges.” Understanding and addressing these dodges is essential to preserving the value of contextual privacy protection. We first focus on specific health (the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)) and financial (the Gramm-Leach-Bliley Act (“GLBA”)) privacy regulations to elucidate two illustrative types of regulatory dodges. We then use the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) (as amended by the Consumer Privacy Rights Act) to illustrate why omnibus regulation may not solve these problems. We conclude with proposals for designing more contextually sensitive, gap-free privacy law.

Comments

Reproduced with permission of Harvard Journal of Law and Technology.

