The Great Regulatory Dodge

U.S. privacy law is in a renewed moment of regulatory possibility, with both Congress and the states considering sweeping consumer privacy laws. These new proposals to enact "omnibus" privacy protections could be couched as an antidote to the current U.S. privacy regime: a patchwork of sectoral privacy laws stitched atop the background of FTC consumer contract enforcement. However, this Essay maintains that a one-size-fits-all approach cannot successfully capture both privacy's value and its variability. Yet, it is clearly the case that the present-day sectoral regime in the United States suffers from significant shortcomings. These shortcomings allow behaviors that seem clearly to violate privacy to flourish, effectively gouging meaningful oversight from sectoral privacy laws. We call these "regulatory dodges." Understanding and addressing these dodges is essential to preserving the value of contextual privacy protection. We first focus on specific health (the Health Insurance Portability and Accountability Act of 1996 1 ("HIPAA")) and financial (the Gramm-Leach-Bliley Act 2 ("GLBA")) privacy regulations to elucidate two illustrative types of regulatory dodges. We then use the General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act 3 ("CCPA") (as amended by the Consumer Privacy Rights Act) to illustrate why omnibus regulation may not solve these problems. We conclude with proposals for designing more contextually sensitive, gap-free privacy law.

Keywords: privacy, contextual integrity, privacy regulation, sectoral privacy regulation

Suggested Citation: Suggested Citation

Strandburg, Katherine J. and Viljoen, Salome and Nissenbaum, Helen F., The Great Regulatory Dodge (May 16, 2024). 37 Harvard J. Law & Tech, 1231 (2023), U of Michigan Public Law Research Paper No. 24-030, Available at SSRN: https://ssrn.com/abstract=4852257 or http://dx.doi.org/10.2139/ssrn.4852257