Information fiduciaries have emerged as a major part of the discussion of privacy regulation. In a nutshell, the information fiduciaries approach aims to apply aspects of fiduciary law to the companies that collect and use our personal data. As one court explained the fiduciary relationship: “A fiduciary relationship is one founded on trust or confidence reposed by one person in the integrity and fidelity of another. Out of such a relation, the laws raise the rule that neither party may exert influence or pressure upon the other, take selfish advantage of his trust, or deal with the subject matter of the trust in such a way as to benefit himself or prejudice the other except in the exercise of utmost good faith.” Mobil Oil Corp. v. Rubenfeld, 339 N.Y.S.2d 623, 632 (1972).
The earliest proponent of the idea of viewing companies as information fiduciaries was the late Ian Kerr in 2001, who noted that “some service provider-user relationships display all of the constituent elements of a fiduciary relationship.” See Ian Kerr, The Legal Relationship Between Online Service Providers and Users, 35 Can. Bus. L.J. 419 (2001).
In 2004, in my book, The Digital Person: Technology and Privacy In the Information Age (NYU Press 2004) (Amazon) (free digital copy on SSRN), I argued that concepts from the law of fiduciary relationships should be applied to situations involving data privacy. (pp. 101-104). I contended that “the law should hold that companies collecting and using our personal information stand in a fiduciary relationship with us.” I contended that “If our relationships with the collectors and users of our personal data are redefined as fiduciary ones, then this would be the start of a significant shift in the way the law understands their obligations to us. The law would require them to treat us in a different way—at a minimum, with more care and respect. By redefining relationships, the law would make a significant change to the architecture of the information economy.” (p. 104).
At the time I wrote, I wasn’t aware that Ian Kerr had written about information fiduciaries a few years before me. Although I knew him quite well, he was too modest to tell me about his earlier article. I was drawn to information fiduciaries more for conceptual than doctrinal reasons. I recalled the famous quote from Judge Cardozo from the corporations class I took in law school. Judge Cardozo declared: “Many forms of conduct permissible in a workaday world for those acting at arm’s length, are forbidden to those bound by fiduciary ties. A trustee is held to something stricter than the morals of the market place. Not honesty alone, but the punctilio of an honor the most sensitive, is then the standard of behavior.” Meinhard v. Salmon, 164 N.E. 545, 546 (N.Y. 1928). The concept that jumped out at me was that when unequal power relationships are involved, the law recognizes (at least sometimes) that a more robust system of morality beyond the “morals of the marketplace” should govern.
In the years after my book, many scholars began talking about information fiduciaries, starting with Jack Balkin in 2016 in his article, Information Fiduciaries and the First Amendment, 49 U.C. Davis L. Rev. 1183 (2016). Balkin embraced the idea of information fiduciaries and argued that the First Amendment provides greater regulatory leeway: “Because of their special power over others and their special relationships to others, information fiduciaries have special duties to act in ways that do not harm the interests of the people whose information they collect, analyze, use, sell, and distribute. These duties place them in a different position from other businesses and people who obtain and use digital information. And because of their different position, the First Amendment permits somewhat greater regulation of information fiduciaries than it does for other people and entities.”
A few years later, Lina Khan and David Pozen wrote a strong critique of the information fiduciaries approach in A Skeptical View of Information Fiduciaries, 133 Harv. L. Rev. 497 (2019). Unfortunately, Khan and Pozen didn’t engage with my work (as well as other work from before Balkin). They took the idea far too literally, not understanding that the notion of information fiduciaries has conceptual power for developing privacy law. My proposal, at least, was not to directly apply fiduciary law — I aimed to draw from fiduciary law certain conceptual ideas for regulating privacy and evolve and adapt fiduciary law to this task.
Many works have been written that discuss information fiduciaries, and I’ve included a bibliography of articles on the topic that I find to be helpful at the end of this post.
Here are some of the most important points, in my opinion, about information fiduciaries:
Conceptual, Not Just Doctrinal. My intent in invoking information fiduciaries was not to merely apply existing law. Instead, it was to draw from the conceptual underpinnings of fiduciary law to develop the law to fit situations involving privacy. Fiduciary law has already embraced certain privacy issues, such as breach of confidentiality tort cases. But I think the common law can develop in even broader directions if courts use even a small amount of imagination. Beyond the common law, information fiduciary concepts can be incorporated into privacy statutes.
Beyond Companies. Information fiduciaries need not be limited to companies. Any powerful person or entity should be deemed to be an information fiduciary, including government agencies and non-profit institutions, such as schools and hospitals.
Open-Ended Recognition of Relationships. In terms of the types of relationships that are deemed to be fiduciary ones, the law is open-ended. Courts use factors to recognize many different types of relationships as being fiduciary ones. It’s not a fixed list. As Ethan Leib aptly observes: “[N]o typology of the fiduciary could be complete without recognizing a few central features: the concept is self-consciously open, flexible, and adaptable to new kinds of relationships—and those relationships trade upon high levels of trust and leave one party in a position of domination, inferiority, or vulnerability.” Ethan J. Leib, Friends as Fiduciaries, 86 Wash. U. L. Rev. 665, 672 (2009).
Open-Ended Recognition of Duties. Although there are several common fiduciary duties, courts have recognized other fiduciary duties suitable to the relationship and context. As Lauren Scholz observes: “Fiduciary duties vary, based on the nature of the relationship between the fiduciary and entrustor. They may include duty of loyalty, duty of care, duty of disclosure and honesty, duty of confidentiality, and a heightened duty of good faith.” Lauren Henry Scholz, Fiduciary Boilerplate: Locating Fiduciary Relationships in Information Age Consumer Transactions, 46 J. Corp. L. 144 (2020).
Duty of Loyalty. A key duty of information fiduciaries is a duty of loyalty – to look out for the best interests of the individuals whose data one is collecting and using. Neil Richards and Woodrow Hartzog have written extensively about this in nearly a billion articles. I’ve listed a few in the bibliography below. They argue: “[L]oyalty would manifest itself primarily as a prohibition on designing digital tools and processing data in a way that conflicts with a trusting party’s best interests. Data collectors bound by such a duty of loyalty would be obligated to act in the best interests of the people exposing their data and engaging in online experiences, but only to the extent of their exposure.” Neil Richards & Woodrow Hartzog, A Duty of Loyalty for Privacy Law, 99 Wash. U. L. Rev. 961 (2021).
Duty of Confidentiality. Another key duty for fiduciaries is confidentiality. This duty forms the basis of countless cases involving breach of confidentiality, a tort with roots in fiduciary relationships. In some of the classic cases involving doctors breaching patient confidentiality, the doctor-patient relationship is analogized to a fiduciary one. See McCormick v. England, 494 S.E. 2d 431 (S.C. Ct. App. 1997). Neil Richards and I wrote about the breach of confidentiality tort in Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Geo. L.J. 123 (2007).
Duty of Disclosure and Honesty. There are also duties to disclose pertinent information and to be transparent about any potential conflicts of interest. Currently, there is an enormous conflict of interest with surveillance capitalism — companies want to use personal data to monetize, even when particular uses are not in the best interests of the individuals. Privacy notices rarely approach the heightened disclosure demands of the fiduciary; these notices are not really forthcoming about the risks to individuals or the interests of the companies. Instead, they are vague meaningless statements that are long on text and lean on informative details.
Third-Party Liability. A key feature of fiduciary law is liability on third parties for inducing breaches of fiduciary duties. Although this facet of information fiduciaries is tremendously powerful, it remains under-examined. For example, in Hammonds v. Aetna Casualty & Surety Co., 243 F. Supp. 793 (D. Ohio 1965), an insurance company was held liable for inducing a doctor to breach his patient’s confidentiality. A robust law of information fiduciaries could open up liability for companies that purchase data from other companies or that scrape data online. Even further, companies that create surveillance technologies that facilitate fiduciaries breaching trust could potentially be liable. The Restatement of Torts provides: “A person who knowingly assists a fiduciary in committing a breach of trust is himself guilty of tortious conduct.” Restatement (Second) of Torts Sec. 874 comment (c). Data brokers that sell data to the government or companies to improperly pry into the private lives of individuals might be subject to liability. Companies such as Clearview AI that market facial recognition systems to many law enforcement entities could potentially be liable. Companies that develop and market technologies to enable the government to analyze its repositories of personal data might be liable. If developed conceptually and doctrinally, this dimension of fiduciary law has immense potential.
Power. At the core, the law of fiduciary relationships is about power — unequal power relationships that warrant special treatment under the law. This power asymmetry is increasingly present in the relationships between large organizations that gather and use personal data about people. It is cliché today to say that “information is power,” but if it is so cliché, then it is not too controversial to recognize that amassing massive quantities of personal data about people gives organizations a massive amount of power over people. In my forthcoming book, ON PRIVACY AND TECHNOLOGY (Oxford Univ. Press 2025), I write: “Overall, the concern animating the law of fiduciary relationships is power. Today, many corporate, governmental, and other entities have enhanced their power over us by collecting and using vast quantities of personal data. Imposing fiduciary duties on these entities would significantly help protect individuals. Fiduciary law is one of the law’s wisest creations—a recognition that with great power should come great responsibility. Policymakers should use this body of law in more relationships involving digital technologies.”
Excerpt on Information Fiduciaries from The Digital Person
Here’s the excerpt on information fiduciaries from The Digital Person: Technology and Privacy In the Information Age (NYU Press 2004) (pp. 101-104):
Our relationships with the collectors and users of our personal information thus need to be redefined. Consider another set of relationships—those between us and our doctors and lawyers. Here, the law imposes a number of obligations on doctors and lawyers to focus on our welfare. Indeed, the patient-physician relationship has been likened by courts to a fiduciary one. A fiduciary relationship is a central facet of the law of trusts. Trustees stand in a fiduciary relationship to beneficiaries of the trust. The trustee has been entrusted with the beneficiary’s money, and because of this position of special trust, the trustee owes certain special duties to the beneficiary. . . .
The types of relationships that qualify as fiduciary ones are not fixed in stone. As one court has noted, courts “have carefully refrained from defining instances of fiduciary relations in such a manner that other and perhaps new cases might be excluded.” Examples of recognized fiduciary relationships include those between stockbrokers and clients, lawyers and clients, physicians and patients, parents and children, corporate officers and shareholders, and insurance companies and their customers.
Fiduciaries have a duty to disclose personal interests that could affect their professional judgment as well as a duty of confidentiality. For example, doctors who disclose a patient’s confidential medical information have been successfully sued by patients for breach of confidentiality. Likewise, banks and schools have been held to be obliged to keep personal information confidential.
I posit that the law should hold that companies collecting and using our personal information stand in a fiduciary relationship with us. This is a radical proposal. Although the concept of a fiduciary relationship is an open-ended and developing one, the concept has not been extended nearly as far as I propose. Generally, courts examine a number of factors to determine the existence of a fiduciary relationship: “[T]he degree of kinship of the parties; the disparity in age, health, and mental condition; education and business experience between the parties; and the extent to which the allegedly subservient party entrusted the handling of . . . business affairs to the other and reposed faith and confidence in [that person or entity].” Most of the factors look at disparities in power and knowledge, and these lean in favor of finding a fiduciary relationship between us and the collectors and users of our data. The last factor, however, understands the relationship as one in which something has been explicitly entrusted to the trustee. This will work in the context of companies that we do business with, for we entrust them with our personal data. But it will be a significant expansion of the concept of fiduciary relationships to extend it to third-party companies that gather our information without having done business with us. We don’t entrust anything to these companies; they often take our data surreptitiously, without our consent. Nevertheless, the law is flexible and in the past has responded to new situations. The law should grow to respond here, since all of the other factors for recognizing a fiduciary relationship seem to counsel so strongly for the need to impose fiduciary obligations for the collectors and users of our personal information.
If our relationships with the collectors and users of our personal data are redefined as fiduciary ones, then this would be the start of a significant shift in the way the law understands their obligations to us. The law would require them to treat us in a different way—at a minimum, with more care and respect. By redefining relationships, the law would make a significant change to the architecture of the information economy. (pp. 100-104).
To read more, including the many citations in this passage, check out my book, The Digital Person. I’ve posted the entire book online for free. You can download it here.
Bibliography on Information Fiduciaries
Lindsey Barrett, Confiding in Con Men: U.S. Privacy Law, the GDPR, and Information Fiduciaries, 42 Seattle U. L. Rev. 1057 (2019).
Jack M. Balkin, Information Fiduciaries and the First Amendment, 49 U.C. Davis L. Rev. 1183 (2016).
Jack M. Balkin, The Fiduciary Model of Privacy, 133 Harv. L. Rev. F. 11 (2020).
Jack M. Balkin & Jonathan Zittrain, A Grand Bargain to Make Tech Companies Trustworthy, Atlantic (Oct. 3, 2016).
Kiel Brennan-Marquez, Fourth Amendment Fiduciaries, 84 Fordham L. Rev. 611 (2015).
Ariel Dobkin, Information Fiduciaries in Practice: Data Privacy and User Expectations, 33 Berkeley Tech. L.J. 1 (2018).
Woodrow Hartzog & Neil Richards, Trusting Big Data Research, 66 DePaul L. Rev. 579 (2017).
Claudia Haupt, Platforms as Trustees: Information Fiduciaries and the Value of Analogy, 134 Harv. L. Rev. F. 34 (2020).
Jessica Litman, Information Privacy/Information Property, 52 Stan. L. Rev. 1283 (2000).
Alicia Solow-Niederman, Beyond the Privacy Torts: Reinvigorating a Common Law Approach for Data Breaches, 127 Yale L.J.F. 614 (2018).
David E. Pozen & Lina M. Khan, A Skeptical View of Information Fiduciaries, 133 Harv. L. Rev. 497 (2019).
Neil M. Richards & Woodrow Hartzog, A Duty of Loyalty for Privacy Law, 99 Wash. U. L. Rev. 961 (2021).
Neil M. Richards & Woodrow Hartzog, Taking Trust Seriously in Privacy Law, 19 Stan. Tech. L. Rev. 431 (2016).
Neil M. Richards & Woodrow Hartzog, Privacy’s Trust Gap: A Review, 126 Yale L.J. 1180 (2017).
Neil M. Richards & Daniel J. Solove, Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Geo. L.J. 123 (2007).
Christopher W. Savage, Managing the Ambient Trust Commons: The Economics of Online Consumer Information Privacy, 22 Stan. Tech. L. Rev. 95 (2019).
Lauren Henry Scholz, Fiduciary Boilerplate: Locating Fiduciary Relationships in Information Age Consumer Transactions, 46 J. Corp. L. 144 (2020).
DANIEL J. SOLOVE, THE DIGITAL PERSON: TECHNOLOGY AND PRIVACY IN THE INFORMATION AGE (2004).
Daniel J. Solove & Neil M. Richards, Rethinking Free Speech and Civil Liability, 109 Colum. L. Rev. 1650 (2009).
ARI EZRA WALDMAN, PRIVACY AS TRUST: INFORMATION PRIVACY FOR AN INFORMATION AGE (2018).
Ari Ezra Waldman, Privacy as Trust: Sharing Personal Information in a Networked World, 69 U. Mia. L. Rev. 559 (2015).
Ari Ezra Waldman, Privacy, Sharing, and Trust: The Facebook Study, 67 Case W. Res. U. L. Rev. 193 (2016).
Richard S. Whitt, Old School Goes Online: Exploring Fiduciary Obligations of Loyalty and Care in the Digital Platforms Era, 36 Santa Clara High Tech. L.J. 75 (2019).
* * * *
Professor Daniel J. Solove is a law professor at George Washington University Law School. Through his company, TeachPrivacy, he has created the largest library of computer-based privacy and data security training, with more than 150 courses. He is also the co-organizer of the Privacy + Security Forum events for privacy professionals.