News, Developments, and Insights

high-tech technology background with eyes on computer display

The Limitations of Privacy Rights

Limitations of Privacy Rights - Daniel Solove 02

I have posted a draft of my new article, The Limitations of Privacy Rights, on SSRN where it can be downloaded for free.  The article critiques the effectiveness of individual privacy rights generally, as well as specific privacy rights such as the rights to information, access, correction, erasure, objection, data portability, automated decisionmaking, and more.

Here’s the abstract:

Individual privacy rights are often at the heart of information privacy and data protection laws. The most comprehensive set of rights, from the European Union’s General Data Protection Regulation (GDPR), includes the right to access, right to rectification (correction), right to erasure, right to restriction, right to data portability, right to object, and right to not be subject to automated decisions. Privacy laws around the world include many of these rights in various forms.

In this article, I contend that although rights are an important component of privacy regulation, rights are often asked to do far more work than they are capable of doing. Rights can only give individuals a small amount of power. Ultimately, rights are at most capable of being a supporting actor, a small component of a much larger architecture. I advance three reasons why rights cannot serve as the bulwark of privacy protection. First, rights put too much onus on individuals when many privacy problems are systematic. Second, individuals lack the time and expertise to make difficult decisions about privacy, and rights cannot practically be exercised at scale with the number of organizations than process people’s data. Third, privacy cannot be protected by focusing solely on the atomistic individual. The personal data of many people is interrelated, and people’s decisions about their own data have implications for the privacy of other people.

The main goal of providing privacy rights aims to provide individuals with control over their personal data.  However, effective privacy protection involves not just facilitating individual control, but also bringing the collection, processing, and transfer of personal data under control. Privacy rights are not designed to achieve the latter goal; and they fail at the former goal.

After discussing these overarching reasons why rights are insufficient for the oversized role they currently play in privacy regulation, I discuss the common privacy rights and why each falls short of providing significant privacy protection. For each right, I propose broader structural measures that can achieve its underlying goals in a more systematic, rigorous, and less haphazard way.

Download Article

Continue Reading

Privacy Papers for Policymakers Event

FPF Privacy Papers for Policymakers 2022

I’m honored and thrilled that my article with Professor Danielle Keats Citron, Privacy Harms102 B.U. Law Review — (forthcoming 2022) has been selected for recognition by the Future of Privacy Forum in the Privacy Papers for Policymakers Competition.

Maneesha MithalThe Privacy Papers for Policymakers Event takes place on February 10, 2022 from 1 PM to 3 PM Eastern Time.  The event will be virtual. Here are details about the event:

The winning authors will join FPF to present their work at a virtual event with policymakers from around the world, academics, and industry privacy professionals. The event will be held on February 10, 2022, from 1:00 – 3:00 PM EST. The event is free and open to the general public. To register for the event, please click here.

We were honored to be joined by Colorado Attorney General Phil Weiser, who will provide the keynote address. Thank you to Honorary Co-Hosts Congresswoman Diana DeGette, Co-Chair of the Congressional Privacy Caucus.

It is a privilege to be included among a wonderful group of winning articles.

Our article, Privacy Harmswill be covered in a session with myself and Danielle Citron. Maneesha Mithal will moderate. Maneesha, who had a long and terrific career at the FTC, has recently joined Wilson Sonsini as a partner.

You can download our article here. The article develops an approach for when the law should require a showing of privacy harm and when harm shouldn’t be required. The article also develops a typology of privacy harms, which is summarized in the figure below.

Typology of Privacy Harms - Citron and Solove 06

Continue Reading

TROPT Event: Foundational Privacy Conceptions

Foundational Privacy Conceptions

I’ll be speaking about foundational privacy conceptions in a fireside chat with Prof. Woodrow Harzog and moderated by Lourdes Turrecha at The Rise of Privacy Tech (TROPT) Data Privacy Day event (2 PM ET on Jan 26, 2022).

TROPT is the main event focusing on the privacy tech landscape, where innovators, investors, engineers, and experts come together.

I’m thrilled to able to share with you a full comp to register to attend any part of the event.

Please use my free comped link to register to attend my talk (Jan 26 at 2 PM ET) and the rest of this great event.

The event will be virtual this year.

Continue Reading

Privacy in 2022: The Year Ahead

Privacy in 2022

In this free webinar, Prof. Daniel Solove discusses with a panel of experts the privacy issues to watch out for this year. Speakers include:

The webinar will be held on Thursday, January 20, 2022 at 2 PM Eastern Time.

 Sign up for Privacy in 2022


Continue Reading

2021 Highlights: Writing and Webinars


Highlights 2021 Prof Solove Scholarship


Nothing to Hide: The False Tradeoff
Between Privacy and Security

I posted the full text of my book, NOTHING TO HIDE: THE FALSE TRADEOFF BETWEEN PRIVACY AND SECURITY (Yale University Press 2011) on SSRN for free.

Privacy Harms 

Typology of Privacy Harms - Citron and Solove 06Privacy Harms (with Danielle Keats Citron) forthcoming 102 B.U. Law Review __ (2022). You can download the latest draft for free on SSRN.

Continue Reading

2021 Highlights: New Privacy Training Courses

Highlights 2021 - New Privacy Training Courses

Here are the highlights of my new privacy training courses from 2021.

Privacy Training


CPRA (10 min and 15 min)

Data Mapping

Data Mapping Training

Dark Patterns

Dark Patterns Training Course

Global Privacy and Data Protection (non-illustrated version) (25 min)

General Privacy Awareness Course

Privacy and Data Security combo (25 min)

Module Privacy and Data Security 01

See more Privacy Training Courses.


Continue Reading

Automating Privacy Incident and Breach Response: An Interview with Andy Lunsford

Automating Privacy Incident and Breach Response

Privacy law compliance and data breach response involve tasks of great complexity and scale that can quickly overwhelm an organization’s privacy team. Technologies have emerged to automate these tasks, but there are many decisions to make about which tasks to automate and which solutions to use.

I recently had a chance to chat with Andy Lunsford is CEO and Founder of BreachRx, a technology company that automates privacy incident and breach response. Prior to founding BreachRx, Andy spent 15 years working in privacy law and large-scale commercial litigation. Andy has a BA from Washington and Lee University, a JD from the University of Arkansas, and an MBA from the Wharton School of the University of Pennsylvania.

Continue Reading

Cartoon: Nothing to Hide

Cartoon Nothing to Hide 02 small

Here’s a cartoon about the nothing-to-hide argument. One of the most common arguments of those unconcerned about government surveillance or privacy invasions is “I’ve got nothing to hide.”

I wrote a book addressing this argument and other faulty arguments made in the debate about privacy versus security. Recently, I posted the full text of my book, NOTHING TO HIDE: THE FALSE TRADEOFF BETWEEN PRIVACY AND SECURITY (Yale University Press 2011) on SSRN for free.

Continue Reading