Data Controllers as Data Fiduciaries: Theory, Definitions & Burdens of Proof

44 Pages Posted: 25 Apr 2023 Last revised: 27 Jan 2024

Date Written: April 17, 2023


As more U.S. states have begun to pass consumer privacy laws, there are growing calls for federal data privacy regulation to ease the burden of compliance with various, sometimes conflicting, state laws. However, scholars and lawmakers are divided on how best to balance robust privacy protections with privacy laws to which businesses can realistically comply. Two prominent regulatory models have emerged from scholarly debate. The Rights/Obligations Model grants consumers various rights and imposes obligations on businesses. This model has been trending in U.S. states, which have mirrored language from the European Union’s General Data Protection Regulation (GDPR) by imposing different obligations on “data controllers” and “data processors.” However, there are shortcomings to this model that limit consumer rights and their ability to vindicate those rights. The Fiduciary Model has also received attention from lawmakers and scholars as an alternative model of regulation. The Fiduciary Model addresses gaps in the Rights/Obligations Model, but prominent critics have voiced skepticism about the workability of the Fiduciary Model.

This paper’s contributions are threefold. First, this paper examines the distinction between “data controllers” and “data processors” in the GDPR and whether those terms are likely to apply in a functionally similar way in new U.S. state consumer privacy laws. As companies strategize about how to comply with laws from a multitude of jurisdictions—and as states incorporate identical language into their own laws—understanding the similarities and differences between how such laws are applied will be crucial. Second, this paper furthers the debate about the workability of the Fiduciary Model by proposing that “data controllers,” as defined in the GDPR and U.S. state laws, should be considered “data fiduciaries.” This definition offers two benefits: (1) defining data fiduciaries as data controllers provides a workable definition that corresponds with fiduciary theory, and (2) harmonizing U.S. and GDPR law. Finally, this paper will argue that companies subject to state consumer privacy laws should be considered “data controllers” by default and bear the burden of rebutting this presumption. This presumption reinforces the substantive policy behind consumer privacy law, accounts for the probability that parties violating consumer privacy laws will most likely be data controllers, and allocates the burden to the party with superior access to the evidence.

Keywords: consumer privacy; data fiduciaries; data controllers; data processors; GDPR; definitions; burdens of proof

Suggested Citation

Reid, Amanda and Wilson, Noelle, Data Controllers as Data Fiduciaries: Theory, Definitions & Burdens of Proof (April 17, 2023). 95 U. Colo. L. Rev. 175 (2024), Available at SSRN:

Amanda Reid (Contact Author)

UNC Chapel Hill ( email )

Carroll Hall
Campus Box 3365
Chapel Hill, NC 27514-3365
United States
919.962.3037 (Phone)

Noelle Wilson


Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics