The New Privacy Law
24 Pages Posted: 1 Jun 2021 Last revised: 6 Nov 2021
Date Written: May 30, 2021
We are in a second wave of privacy law. The first wave was characterized by privacy policies, self-regulation, and notice and choice. But in the last three years, nine proposals for comprehensive privacy legislation have been introduced in the United States Congress and 42 have been introduced in the states. From the perspective of practice, almost all of these proposals are roughly the same—they require individuals to exercise control rights and rely on internal corporate compliance for ongoing monitoring. This second wave of privacy law is undoubtedly different from the first, but how? This essay provides a new taxonomy to understand changes in U.S. privacy law, distinguishing between two “waves” along three metrics: their practices, theories of governance, and underlying ideologies. A first wave was characterized by privacy policies, self-regulation, and limited regulatory enforcement. Its practices were focused on notice, its governance was self-regulatory, and its ideology was laissez faire. A second wave almost uniformly relies on internal corporate compliance structures to manage data collection, processing, and use. Its practices are focused on compliance, its governance is managerial, and its underlying ideology is neoliberal. This taxonomy offers privacy law scholars a new way to understand and critique the current state of the field. The essay concludes with four research questions for scholars to pursue.
Suggested Citation: Suggested Citation