Some of the things we updated:
- We reordered the piece to discuss earlier on our theory of when harm should be required.
- We added a discussion of why recognizing privacy harm is important.
- We rethought the typology to add top-level categories and subcategories. We had received feedback from a number of people that the typology was unwieldy because we had too many categories and many seemed to overlap. Our new structure now has 7 top-level categories.
- We added short descriptions of each type of harm at the beginning of each section.
- We added commentary about the recent Supreme Court case on standing, TransUnion v. Ramirez.
- We added a diagram of the harms, which is above.
There are other changes, too, but the ones above are the most relevant ones. We’re still editing the piece, so we welcome additional feedback. The piece will be published in 2022.
You can read the latest draft here.
The requirement of harm has significantly impeded the enforcement of privacy law. In most tort and contract cases, plaintiffs must establish that they have suffered harm. Even when legislation does not require it, courts have taken it upon themselves to add a harm element. Harm is also a requirement to establish standing in federal court. In Spokeo v. Robins and TransUnion v. Ramirez, the U.S. Supreme Court ruled that courts can override congressional judgment about cognizable harm and dismiss privacy claims.
Caselaw is an inconsistent, incoherent jumble, with no guiding principles. Countless privacy violations are not remedied or addressed on the grounds that there has been no cognizable harm.
Courts struggle with privacy harms because they often involve future uses of personal data that vary widely. When privacy violations result in negative consequences, the effects are often small – frustration, aggravation, anxiety, inconvenience – and dispersed among a large number of people. When these minor harms are suffered at a vast scale, they produce significant harm to individuals, groups, and society. But these harms do not fit well with existing cramped judicial understandings of harm.
This article makes two central contributions. The first is the construction of a typology for courts to understand harm so that privacy violations can be tackled and remedied in a meaningful way. Privacy harms consist of various different types, which to date have been recognized by courts in inconsistent ways. Our typology of privacy harms elucidates why certain types of privacy harms should be recognized as cognizable.
The second contribution is providing an approach to when privacy harm should be required. In many cases, harm should not be required because it is irrelevant to the purpose of the lawsuit. Currently, much privacy litigation suffers from a misalignment of enforcement goals and remedies. We contend that the law should be guided by the essential question: When and how should privacy regulation be enforced? We offer an approach that aligns enforcement goals with appropriate remedies.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum an annual event designed for seasoned professionals.