Author: Richards, Neil


Data privacy law fails to stop companies from engaging in self-serving, opportunistic behavior at the expense of those who trust them with their data. This is a problem. Modern tech companies are so entrenched in our lives and have so much control over what we see and click that the self-dealing exploitation of people has become a major element of the internet's business model.

Academics and policymakers have recently proposed a possible solution: require those entrusted with people's data and online experiences to be loyal to those who trust them. But many have concerns about a duty of loyalty. What, exactly, would such a duty of loyalty require? What are the goals and limits of such a duty? Should loyalty mean obedience or a pledge to make decisions in people's best interests? What would the substance of the rules implementing the duty look like? And what would its limits be?

This Article suggests a duty of loyalty for personal information that answers these objections and represents a promising way forward for privacy law. We offer a theory of loyalty based upon the risks of digital opportunism in information relationships that draws upon existing--and in some cases ancient--precedent in other areas of American law. Data collectors bound by this duty of loyalty would be obligated to act in the best interests of people exposing their data and online experiences, up to the extent of their exposure. They would be prohibited from designing digital tools and processing data in a way that conflicts with trusting parties' best interests. We explain how such a duty could be used to set rebuttable presumptions of disloyal activity and to act as an interpretive guide for other duties. And we answer a series of objections to our proposed duty, including that it would be vague, be too narrow, entrench surveillance capitalism, create a problem of conflicting duties, and spell the end of surveillance-based "targeted advertising." The duty of loyalty we envision would certainly be a revolution in data privacy law. But that is exactly what is needed to break the cycle of self-dealing and manipulation ingrained in both the current internet and our society as a whole. This Article offers one pathway for us to get there.

TABLE OF CONTENTS

INTRODUCTION
I. CORPORATE DATA OPPORTUNISM
   A. Profiling and Sorting
   B. Nudging
   C. Manipulation
II. THE NEED FOR A DUTY OF LOYALTY IN PRIVACY LAW
   A. Privacy Law Misses Opportunism
   B. A Duty of Care Is Not Enough
III. A THEORY OF LOYALTY FOR INFORMATION RELATIONSHIPS
   A. Existing Loyalty Proposals
   B. The Mission of a Duty of Loyalty for Privacy
   C. The Substance of a Duty of Loyalty for Privacy
      1. Rules to Compel or Constrain Behavior
      2. Rebuttable Presumptions of Disloyal Activities
      3. Guidance and Support for Other Duties
IV. IMPLEMENTING A DUTY OF LOYALTY IN PRIVACY LAW
   A. When the Duty of Loyalty Should Arise
      1. When Trust Is Invited
      2. From People Made Vulnerable by Exposure
      3. And When Trust Is Given
   B. Possible Loyalty Frameworks
      1. General and Ad-Hoc Relational Duties
      2. Rules Encouraging Loyal Behavior
      3. Remedies
V. POTENTIAL OBJECTIONS
   A. Loyalty Is Too Vague
   B. The Problems of Conflicting Loyalties
   C. The Problem Is Broader than Just Data Collectors
   D. Fiduciary Models Risk Entrenching the Status Quo
   E. The End of Targeted Ads?
CONCLUSION

INTRODUCTION

It wasn't supposed to be like this. When the internet emerged in the mid-1990s, it was heralded as an unprecedented technology of human empowerment, creating a place where human beings could meet, learn, and express themselves, transforming our society for the better. (1) It was also hailed as a realm of privacy, in which those empowered humans could read, connect, and communicate on their own terms, safely cocooned in bubbles of anonymity where, as the famous New Yorker cartoon put it, "no one knows you are a dog." (2)

Of course, a quarter of a century on, it hasn't quite worked out that way. The internet of the 2020s certainly provides many helpful services, but it has also become the greatest assemblage of corporate and government surveillance in human history. The internet allows unprecedented expression, but it is also plagued by hate speech, misinformation, and electoral manipulation. And where the internet promised human empowerment, all too often the tools of data science and behavioral science have been used to nudge behavior and to manufacture consent to boilerplate terms that no one reads. Far too frequently, corporate promises of empowerment have instead delivered manipulation, disempowerment, and distrust. (3)

This paper offers and examines one potential solution to some of these problems: imposing a duty of loyalty on companies that collect and process human information. Duties of loyalty are used in other areas of law as obligations to refrain from self-dealing. They are typically placed on trusted parties such as lawyers and other professionals, agents, guardians, and corporate directors. (4) But they have not yet been imposed as part of privacy law. In articles in 2016 and 2017, we suggested that loyalty is the key component in generating trust in modern "information relationships," ones in which human information changes hands, often as part of the delivery of a service such as search engine results. (5) Other scholars have proposed treating data collectors as "information fiduciaries." (6) This academic work has influenced lawmakers to the extent that a duty of loyalty has now become a serious option for national privacy reform. Leading federal privacy bills pending before Congress from both parties include proposed duties of loyalty, though they vary significantly in scope, specificity, and justification. (7)

All this work is both promising and important, but it fails to answer one critical question: what, exactly, would a duty of loyalty in privacy law require from those entrusted with our personal information? This is a crucially important question because without a sense of what a duty of loyalty would require, it will be impossible to evaluate whether one is a good idea, much less to implement a duty of loyalty in privacy law. To date, no scholarship has sufficiently answered this question--a question with challenging descriptive and normative dimensions. Thus, any account of a duty of loyalty must offer normative reasons for having the duty in the first place, specifying the values served by imposing such a duty of loyalty on companies in the context of what we have elsewhere called "information relationships." (8)

Lawmakers imposing a duty of loyalty must also make a separate normative decision about how robust these rules should be. Traditional fiduciary duties can be very demanding. Duties of this kind would offer maximum protection to data subjects in information relationships. But they could also make a company's ability to collect and use that data quite costly, particularly at scale. It is possible to imagine other kinds of loyalty duties that are simultaneously substantial but also less demanding than a full fiduciary obligation. This raises the question of whether robust fiduciary duties should apply to all data collectors or only the most powerful ones. How might the duty of loyalty be crafted to balance the well-being of people and the benefits of safe and sustainable information exchanges?

A satisfying account of a duty of loyalty must also describe the boundaries of what the duty covers. For descriptive help, some lessons can be drawn from both the existing law of fiduciaries and the other relationships of trust that compel a duty of loyalty. But the relationship between people and their doctors, guardians, and financial advisors is quite different from the relationships between people and Facebook, Google, and TikTok. (9)

In this Article, we propose a duty of loyalty for privacy law that answers each of these normative and descriptive questions. We offer a theory based on the risks of opportunism that arise when people trust others with their personal information and online experiences. Put simply, under our approach, loyalty would manifest itself primarily as a prohibition on designing digital tools and processing data in a way that conflicts with a trusting party's best interests. Data collectors bound by such a duty of loyalty would be obligated to act in the best interests of the people exposing their data and engaging in online experiences, but only to the extent of their exposure.

Our basic claim is simple: a duty of loyalty framed in terms of the best interests of digital consumers is coherent and desirable and should become a basic element of U.S. data privacy law. Such a duty of loyalty would compel loyal acts and also constrain conflicted, self-dealing behavior by companies. It would shift the default legal presumptions surrounding a number of common design and data processing practices. It would also act as an interpretive guide for government actors and data collectors to resolve ambiguities inherent in other privacy rules. A duty of loyalty, in effect, would enliven almost the entire patchwork of U.S. data privacy laws. And it would do it in a way that is consistent with U.S. free expression goals and other civil liberties. A duty of loyalty along the lines we suggest might seem like a radical step for American privacy law, but we think it would be a necessary and important one if our digital transformation is to live up to its great but unfulfilled promises of human well-being and flourishing.

Our Article proceeds in five parts. Part I briefly describes the problem. We explain how the failures of American privacy law have enabled corporate opportunism and manipulation of consumers using human information. This has been a particular problem in the context of "personalized" technologies that promise to know us so that they can better satisfy our needs and wants. Insufficiently constrained by the law, companies can deploy a potent cocktail of techniques derived...

