The tort of intrusion upon seclusion offers the best theory to target legitimate privacy harms in the information age. This Article introduces a new taxonomy that organizes privacy regulations across four key stages of information flow--observation, capture (the creation of a record), dissemination, and use. Privacy scholars typically propose placing constraints on the dissemination and re-use of personal information, and these dominant models are at the heart of President Obama's Consumer Privacy Bill of Rights. But these restrictions conflict with the First Amendment and other important shared values. Instead, observation is the most promising stage for legal intervention.
Intrusion imposes liability for conduct--offensive observations. The tort is theoretically coherent and constitutionally sound because an individual's interests in seclusion co-exist comfortably with society's interests in data dissemination. This puts intrusion in stark contrast with other privacy models, where the alleged harm is a direct consequence of an increase in knowledge. The classic intrusion tort can adapt sensibly to new technologies when it is reduced to two essential elements: (1) an observation, (2) that is offensive. This approach vindicates privacy law's historical roots in torts and offers a path to principled privacy regulation.
Before Ralph Nader became a household name for his expose of the American automobile industry, Unsafe at Any Speed, General Motors caught wind of the project and mounted an ill-fated intimidation campaign. (1) GM's agents interviewed Nader's friends and acquaintances to gather information that might be embarrassing for the activist--"his political, social,... and religious views,... sexual proclivities,... and [odd] personal habits." (2) GM hired people to shadow Nader incessantly. At one point, an agent followed Nader into a bank and got sufficiently close to see the exact denomination of bills Nader received from the teller. (3) GM also arranged for young women to proposition him with the hopes of entrapping him into an affair. (4) Nader sued the car manufacturer. The New York Court of Appeals found the surveillance practices of GM's agents could be intrusive and tortious. (5) In assessing GM's conduct, the court famously opined that "[a] person does not automatically make public everything he does merely by being in a public place." (6)
The tort of intrusion imposes liability on anyone "who intentionally intrudes ... upon the ... seclusion of another ... if the intrusion would be highly offensive to a reasonable person." (7) The interest protected by the tort is the right to respite from observation and judgment so that, when we do participate socially, we can be more engaged and ethical participants. (8) Importantly, liability for intrusion has nothing to do with the content of the information discovered. When GM's spy leaned in to observe the exact denominations of bills that Nader was receiving from the bank teller, it constituted an intrusion regardless of whether Nader received twenty dollars, two thousand dollars, or a kitten. (9) The tort's focus on behavior, as opposed to content, allows intrusion to coexist comfortably with the First Amendment and other core liberal values that safeguard information exchange. The intrusion tort penalizes conduct--offensive observations--not revelations.
Intrusion has great, untapped potential to address privacy harms created by advances in information technology. Though the tort is associated with conduct in real space, its principles apply just as well to operations in the era of Big Data. Suppose GM's agents followed Nader into a large retail store. There, they observed not only Nader's general movement throughout the store, but his specific shopping habits. Suppose they made note of every product Nader browsed, even if he did not put them in his shopping cart. They recorded that he replaced the box of (generically branded) Colossal Crunch with Cap'n Crunch after seeing that the name brand cereal was on sale. And, inexplicably, they knew he decided to come to the store after seeing an advertisement in a newspaper he had been reading earlier in the day. Outlandish as this scenario would be in the physical world, it is entirely consistent with common practices in e-commerce.
Mind-boggling quantities of personal data are logged and collected every time we use our iPhones, tablets, and other gadgets. As companies have increasing access to our data exhaust--data detailing what we have looked at, where we have been, and what we have bought--scholars have become understandably concerned that the information economy has thrust consumers into a new frontier with very little rule of law or consensus of ethics to guide the treatment of personal data.
Contemporary privacy scholarship shuns the old common law privacy torts, contending they are not relevant in the era of ubiquitous computing. (10) Instead, privacy scholars aim to give consumers control over the information that describes them. Paul Schwartz advocates for a right to limit the dissemination of our personal information through quasi-property rights and, in some circumstances, to claw it back from the companies that have it. (11) Joel Reidenberg argues that the United States should pass comprehensive data privacy legislation comparable to the European Union's Data Protection Directive. (12) And anticipating a First Amendment challenge to expansive privacy laws, Neil Richards argues that policymakers can (and should) regulate personal information the way they regulate any other commodity. (13) Efforts by the legal academy and consumer advocates have inspired lawmakers, including the Obama Administration, to put forward new laws creating property interests in our personal information. (14) President Obama's Consumer Bill of Rights aims to give consumers "the right to control personal information about themselves." (15) But these laws and proposals create rigid restrictions on the dissemination and re-use of accurate information without fully accounting for the significant social costs of propertizing facts.
This Article makes two contributions to the scholarly discourse--one organizational and one normative. First, it develops a new taxonomy that tracks the flow of data. Personal information passes through four distinct states where regulation can apply: observation, capture (when a record is created), dissemination, and use. While existing taxonomies organize the theories of information privacy across the harms experienced, (16) the framework introduced here flips the orientation. First it determines how information can be regulated, and then it analyzes the nature of the harm. By focusing on the practical effects of regulation, the competing interests in privacy and information flow can be evaluated in a consistent manner.
Second, the Article employs the taxonomy to make normative claims about the current and future state of American privacy law among private actors. (17) Popular privacy proposals, though politically expedient, will undermine the public's interests in innovation and knowledge-production. In contrast, regulation targeting information flow at its source--at the point of observation--can be significantly expanded without running into conceptual pitfalls.
The intrusion tort is the quintessential example of a restriction on observation. (18) This Article proposes an expansion of the intrusion tort to fit the modern technological landscape. Intrusion should provide recourse not for the creation of personal data, which is a necessary byproduct of well-functioning technologies, but for the observation of that data. Since the intrusion tort is conceptually adaptable to changing technology, legal enforcement of the right to seclusion can expand sensibly, outlawing the most disconcerting data practices without imposing unrealistic demands on industry and regulatory enforcement agencies. (19)
A valuable side effect of this project is its vindication of American privacy law's origins in tort. (20) Because the contours of tort law are designed in reference to broader societal interests rather than the interest of a single particular victim, tort is in the best position to address new information problems. It can target and deter practices that eventually reveal themselves to be truly harmful without taking a premature position on how much data is "too much." (21) The Article joins a new wave of pragmatic privacy scholarship bringing precision and rigor to the discourse. (22) It does not recycle the First Amendment critiques of Eugene Volokh (23) or the skepticism of Richard Posner. (24) Rather, it recognizes that if privacy proposals continue to eschew rigorous analysis and to ignore countervailing commitments to the free flow of facts, they will dilute the salience of concrete problems.
We proceed in four Parts. Part I introduces the taxonomy and shows why the dominant, property-based privacy law approach has floundered. Part II articulates the virtues of regulating personal information at the source of information flow--the point of observation. The tort of intrusion is already conceptually flexible and is poised to be adapted to new types of invasive observations. Part III shows how intrusion can be applied to modern settings such as Web tracking technologies and GPS. Part IV shows why American law will have difficulty crafting principled regulations on information flow after a legitimate, legal observation has been made.
PERSONAL INFORMATION PROBLEMS
This Article starts from the assumption that true personal information can cause problems. That is, the subjects described by accurate personal information can suffer losses that satisfy Ruth Gavison's definition of "actionable violations of privacy" because they are predictable in advance and undesirable for society. (25)
This Part organizes the potential risks and harms caused by personal information into a model...