Download Bank Deposit Slip Template

The new intrusion.


In 2000, as privacy scholars began to convene, anticipate, and
collectively fret over the mounting privacy troubles in the age of the
Internet, Michael Froomkin suggested that the community might have to
consider whether modern data collection practices “constitute an
invasive tort of some type.” (154) He recognized that, if privacy
law can address invasive collection techniques, that will relieve the
need for regulation to address problems downstream. (155) This Part
takes up Froomkin’s challenge. It will show how the intrusion tort
can be clarified and modernized to tackle the most troubling data
collection practices. (156)

A. Ubiquitous Data Exhaust

Recall the fictional General Motors spy from the Introduction who
followed Ralph Nader down every aisle of a store, taking note of every
product he examined or put, temporarily, into his cart, somehow managing
to collect all this information without being detected. (157) This
crudely describes the type of information collected by web tracking
technologies like cookies and web bugs. Websites are not particularly
unique in this regard; nearly all machines and gadgets produce data
about their users for some functional purpose. But since web tracking
incorporates most of the issues that arise from other forms of data
exhaust, an understanding of intrusion’s application to website
data provides an instructive template.

Suppose Arthur visits the website for the first time.
Pandora streams music based on bands that Arthur identifies as
“seeds.” Arthur is able to listen to the customized radio
station and create an account for free; Pandora’s business model
relies on advertising, which is serviced by DoubleClick (now a
subsidiary of Google). (158)

When Arthur types into his browser, his computer sends
packets of data through the network of networks that constitutes the
Internet until the packets reach their destination–Pandora’s
servers. Pandora’s servers reconstruct the packets into the request
message (essentially, “I want to see your home page”).

Pandora automatically sends a response to Arthur’s computer
containing three elements. First, the response includes the HTML or
Javascript code and other files like JPEGs of pictures so that
Arthur’s computer can build and display the webpage. Now,
Arthur’s computer will have everything he needs to view the page
except for the advertisements. Second, the response includes cookies
and, perhaps, action tags or web bugs, which are additional files stored
on Arthur’s computer that keep track of his online activities.
Third, the response includes an IP address link that directs
Arthur’s computer to communicate with DoubleClick’s server so
DoubleClick can send the files needed to fill in the ad space. When that
happens, DoubleClick places its own cookie on Arthur’s computer, if
he does not already have a DoubleClick cookie. (He probably does, in
which case the IP address link would also contain his unique DoubleClick
cookie ID.) DoubleClick will then send a targeted ad to Arthur.

The cookies–both Pandora’s and DoubleClick’s–record
limited categories of information, sometimes including the user’s
passwords and browsing histories. But most crucially, the cookies
contain a unique ID string of characters which will enable the
cookie-placing entity to look up details collected from previous visits
and stored on their own servers. For example, if Arthur had a
preexisting Pandora cookie, it may have recorded content that Arthur
typed into his browser to transmit to Pandora in past visits–his name
and password, or the names of the bands he used to seed his radio
station, for example. Cookies can be used to look up any content once
communicated between the user and the website, so if a user has provided
their name, e-mail address, search terms, or credit card information to
the website they are visiting, the website and the third party
intermediary advertisers may have logged the information so that it
could be associated later with the unique cookie ID.

Pandora can also store location information about the pages Arthur
visited within the Pandora website. This may be of limited interest in
the context of an online radio station website, but location information
is more consequential when one considers a cookie placed by WebMD (and
the cookies of its third party advertising affiliates). WebMD might
record that Arthur’s computer visited the site’s gonorrhea
page. Action tags (also known as “web bugs” or “clear
gifs”) work with cookies to record even more particularized
information, such as the user’s mouse movements across the website,
and keystrokes that were entered into fields on the webpage but never
actually sent (because the user deleted the content or decided not to
submit the information). The action tag is loaded directly onto the HTML
page as the user views it, though it is not visible, and it writes the
keystroke and mouse movement details onto the user’s cookie
profile. (159)

The creators of Web browsers (like Microsoft’s Explorer,
Mozilla’s Firefox, and Google’s Chrome) implement a number of
industry standards developed by the Internet Engineering Task Force. The
standards are referred to as Requests for Comments (“RFCs”) to
show the Task Force’s commitment to consensus, adaptation, and
non-stasis. The RFCs specify that information recorded on one
party’s cookie must be encrypted, cannot be observed by others, and
must not contain malicious code (designed to inspect or tamper with the
computer user’s files). Though the RFCs are technically industry
self-regulation and, in theory, a new browser could ignore the
standards, the RFCs have the force of network effects. If a browser does
not implement one or more of the RFCs, it could have compatibility
problems with other servers and users on the Internet and fail to
function properly. Some of the RFCs are also supported by public law. If
a third-party website or entity attempted to access a cookie without the
authorization of the computer user or the website that placed the
cookie, this act would presumably violate the Stored Communications Act.
(160) And if a cookie was programmed with malicious code designed to
vandalize the computer user’s files, the cookie would violate the
Computer Fraud and Abuse Act. (161)

While web tracking technologies are capable of capturing granular
detail about computer users, the details are often accessed to improve
visitors’ experiences. These are benefits web users have come to
expect. For example, the cookie can store the Arthur’s login
information and password, and it can recall which pages on the site
Arthur has viewed so that the hyperlinks appear in a different color.
Even mouse and keylogging data can be aggregated across a site’s
users and analyzed to assess whether the information architecture of the
site is causing confusion or inefficiency.

The cookie databases of third party intermediaries like DoubleClick
cannot claim to have the same aim of helping the user’s experience,
and they record the same types of details. Moreover, they capture data
during the interactions the user has with all of the intermediary’s
affiliated websites. Thus, DoubleClick’s cookie has far more
information about Arthur than Pandora’s cookie. DoubleClick has all
of the information on Pandora’s cookie, as well as all the
information on Toys R Us’s cookie, as well as all the information
on the New York Times’ cookie, and so forth. A quick session of
websurfing could increase the detail in the DoubleClick cookies
significantly because of DoubleClick’s aggregation of market power.
Neil Richards has characterized these “uber-databases” as
inherently problematic. (162) The vast scale differences between what
was once known about people and what can be known about them today is
also at the heart of Paul Ohm’s critique of the accretion of
information in our personal “databases of ruin.” (163) But it
is not analytically rigorous to say that a difference in scale is a
difference in kind. Without a coherent theory of harm, accretion is
merely a description of the information ecosystem we live in today and
not, necessarily, a threat.

Offensive observations, on the other hand, are fully realized
privacy harms as soon as they occur. A legal challenge that focuses on
these harms has the most likelihood of success.

B. Failed Attempts

So far, every legal challenge to Web tracking has tried to
force-fit the facts into federal statutory schemes that were designed to
prevent something else. (164) Attempts to recover using the Computer
Fraud and Abuse Act (CFAA) falter on the $5000 damages and economic loss
requirement–a threshold chosen by Congress to ensure that only the most
malicious incidents of hacking are ensnared by federal criminal and
civil liability. (165) Challenges based on the Wiretap Act fail because
the website tracking the user is a party to the communication. Even the
website’s third party intermediaries, such as DoubleClick, fall
outside the scope of the Wiretap Act because of the one-party consent
rule; so long as one party to the conversation consents to a recording
or interception, the statute’s prohibitions do not apply. (166)
Since Pandora authorizes DoubleClick to access its communications with
Arthur, DoubleClick’s data capture has the same legal consequences
that Pandora’s does. (167)

The plaintiffs’ bar has not made a serious attempt to deter
web tracking through tort law. State causes of action were alleged in
major web tracking cases like In re DoubleClick and Avenue A, but after
the federal courts dismissed the statutory claims and withdrew ancillary
jurisdiction over the state claims, (168) the cases evaporated. The
state claims were never fully litigated–probably a reflection of the
trial lawyers’ confidence in the likelihood of winning based on a
novel interpretation of privacy torts. Recent lawsuits against Google,
Clearspring Technologies, and Disney that challenge the use of flash
cookies and respawning cookies attempt to use the same ill-fitting
federal statutes rejected in DoubleClick and Pharmatrak and will
probably duplicate their fate. (169)

With a careful understanding of the intrusion tort, and the
interests it is meant to protect, state courts are in the best position
to address the perils of web tracking. Courts can identify circumstances
in which we should be able to expect seclusion while surfing the World
Wide Web, even if the web is considered to be public. Next, the Article
describes how they should do so.

C. A New Intrusion

The intrusion tort is applicable to many contexts, but we will
continue to use web tracking to explore its form and function, making
only the occasional detour to consider how the tort could work with GPS
data, security footage, and other personal data.

1. The Elements

Intrusion can benefit from some conceptual clarification before it
is applied to new contexts. Even in real space, intrusion has only two
aspects to its design: there must be an observation, and that
observation must be highly offensive to a reasonable person. (170)

A new restatement of the tort might look something like this:

XXOne who intentionally observes another is subject to liability to
the other if the observation would be highly offensive to a reasonable

As in real space, not every observation is offensive. Information
that is voluntarily shared with an individual or the public can be
observed without offense by that individual, in the case of the former,
and by any individual in the case of the latter. The offensiveness
element winds up turning on whether the observed could have and should
have expected their information to be exposed to the observer. If a
piece of information was not voluntarily exposed, liability will attach
to any observation.

Identifying an “observation” is a surprisingly difficult
and uncharted task. Recall that the creation and capture of data does
not, on its own, mean that observation has taken place. In the classic
intrusion cases, one human being observed another when they
shouldn’t have. Today many challenging privacy problems have little
to no human involvement.

An observation requires personal information to be recognized in
some meaningful way. If a human being reads a line of data about
somebody and comprehends its context, knowing whom the data is
describing, then the data is “observed.” But we should not
limit the definition of observation to events involving human cognition.
Algorithmic and automated processes can violate a sense of seclusion,
too. Suppose, for example, the website WebMD collects the IP addresses
of web users who visit its page on depression and automatically submits
them to a reverse-lookup service to obtain names and mailing addresses.
Next, the WebMD program automatically transmits the names and mailing
addresses to a business affiliate which, without allowing any employee
to open the file, uses the data to fill out a form letter reading,
“Dear Mr. Smith, I understand you have been coping with depression.
Our offices are here to help….” Business practices are
increasingly automated. While human recognition is sufficient to create
an observation, it is not necessary. (171) Thus, we must determine for
the first time what constitutes machine observation. The results map
quite neatly onto the Fair Information Practices concept of purpose

The “offensiveness” and “observation” elements
are explored in more detail below. This constitutes a first attempt to
mark rough boundaries for each of the two elements. Given the
significance of the legal rights protected by a new intrusion and the
competing interests in information, the framework sketched out here
leaves open the exact definitions of “offensiveness” and
“observation”. These will be fertile areas for future

We start with “offensiveness” because, although it might
seem ancillary to the observation element, it actually provides a
helpful prerequisite sorting mechanism. We need not worry about what it
means to observe data if the data has been voluntarily exposed. The
function of the right to seclusion, as Part I has described, is to hash
out a compromise between an individual’s interests in privacy and
others’ interests in information. The contours of our right to
seclusion are determined by the “offensiveness” element.
Observations penetrate that seclusion.

a. Offensive Observations of Unexposed Data

During the consideration of an intrusion claim, juries and
lawmakers will have to decide whether the defendant’s observation
is sufficiently offensive to trigger liability. Put another way, the
fact-finder must decide whether a computer user was justified in
expecting seclusion. This requires the fact-finder to determine whether
an observation would interfere with solitary exercises that are
important to personal development and self-determination.

Some observations have long been treated as per se inoffensive, and
there is no reason to believe the case law should be reversed.
Transaction data created in the course of a purchase, for example, is
precisely the sort of information the user has willingly exposed to the
entity in order to purchase goods or services. (172) Likewise, most
communications of content made by a computer user in order to interact
with a company are willing exposures. (173) If Arthur tells Pandora that
he wants to hear Astrud Gilberto, it would not strike ordinary jurors as
offensive that Pandora knows, and remembers, that he requested Pandora
to serve up bossa nova music. The analogy to the brick and mortar world
is instructive. A skilled waiter remembers the preferences and ordering
habits of regular customers. Since organizations routinely maintain
business records, it is not particularly disconcerting that a company
can access information voluntarily submitted by the user in the course
of obvious interaction. For these types of transaction data,
restrictions on future dissemination and use would have to be justified
on some other ground. (174)

This is not to say that transaction data is a total free-for-all. A
third party can still intrude on the transaction data if he has accessed
the data without permission from either the user or the transaction
company; a hacker is no different from the snoop who peeks at a
person’s medical records without permission from the patient or the
health provider. (175) But the website itself can observe with impunity
the transaction records it maintains.

What about the detailed web tracking data? Has a visitor
voluntarily exposed the precise HTML pages accessed within the domain,
or the search terms used to find a page within the domain, or the items
browsed in an online store, or the movements of a user’s mouse?
Ultimately, the answers will require juries or lawmakers to forge a rule
based on expectations that are reasonable in context. The specific
expectations of a particular plaintiff are not determinative; after all,
hidden security cameras are designed to thwart expectations of
surveillance, but they are not, categorically, offensive when the
observed is in a so-called public space. (176) The “public” is
a social construction, but it is one on which intrusion law has rested.

A number of factors could persuade a fact-finder or rule-maker that
web tracking cookie data has been exposed to the websites. Americans
might have a sophisticated understanding about the revenue models for
free web content and may not want to disturb them by recognizing a right
to seclusion that conflicts with Internet usage, or they might
affirmatively prefer tailored advertising. But it is plausible if not
probable that rule-makers charged with the task of delineating the
boundary between private and public spheres would agree that, without
explicit consent, observations of detailed web tracking are overzealous
and exploitative.

Illustration 1. Carol purchases a book on Amazon. Amazon records
the date and time of Carol’s transaction, the items Carol
purchased, and Carol’s method of payment. Carol’s purchase
information has

been exposed. Amazon’s observation of this data cannot be

Illustration 2. Ben browses a few books on Amazon but decides not
to purchase anything. Amazon records the identities of the products that
Ben has browsed. Ben’s browsing information has not been exposed.
Amazon’s observation of this data will be offensive.

The approach set forward here aligns the definition of seclusion
with the larger goals of privacy. Sometimes this comes at the cost of
abstraction. It requires us to draw distinctions between actions that
are not very different technologically. The distinction between data
transmitted in the course of a purchase with Amazon and data transmitted
when the visitor loads a page for nose hair trimmers makes little
difference in terms of the HTTP messages exchanged between the
user’s computer and Amazon’s servers, but the conceptual
distinction is great.

The New Intrusion’s non-technical approach to defining
seclusion is more of a strength than a limitation. The Internet has
caused doctrinal quagmires in other areas of the law–is content stored
in a computer’s Random Access Memory (RAM) considered a
“copy” for the purposes of copyright infringement? And do the
contents of emails, which technically are revealed to Internet service
providers, fall within the third party doctrine exception to the Fourth
Amendment? In both cases, the most recent, better reasoned approaches
have treated RAM copies as something other than a “copy,”
(177) and the body of an e-mail as private, unexposed “inside the
envelope” information, even though these treatments are divorced
from the technical realities. The New Intrusion can be similarly
pragmatic. Because we are more interested in how the Web seems to work
than how it actually works, judges and juries are in a good position to
decide what sorts of seclusion we instinctively expect to have while
browsing the web or using our gadgets.

Seclusion is only hall the story. Nothing prevents a website from
collecting unexposed tracking data; indeed, Hypertext Transfer Protocol
(HTTP) code must be transmitted to a website in order to load a
particular page; although the data privacy literature often refers to
“data collection,” this collection is more accurately a
failure to expunge data. The motive for separating the concepts of
observation and capture was to allow websites and technology to use
captured data to function more efficiently. High functionality often
requires automated processing of historical data. But a device-user who
has not voluntarily exposed her data should be able to expect that her
data will not be observed.

b. Observation in the Digital Age

What is an observation? When do we feel we are being studied? Human
recognition of a person’s data is a sufficient condition, but as
the Web MD auto-generated letter example shows, it is not necessary one.

A natural starting point is to designate all data access as
observation. While conceptually clean, this definition quickly leads to
a dead end. Data is generated in the first place to be accessed for some
purpose. A Web user’s request to a website’s server to deliver
an HTML page must be accessed in order to deliver it. Likewise, an HTML
page might use code that instructs a computer user’s web browser to
access data on his cookie in order to display the page properly–e.g, to
load the user’s previously customized display. If this sort of
access is determined to be an observation, there is no material
distinction between observation and capture. To have any meaning at all,
observation must be distinct from the data processing that is intrinsic
to the browsing experience or functioning of a device. The next
illustration provides an example outside the webtracking context.

Illustration 3. Vicki’s GPS device, manufactured and serviced
by TomTom, automatically stores and analyzes Vicki’s location data,
and is programmed to periodically recalculate her estimated time of
arrival based on the location logs. TomTom has not observed Vicki’s
location data.

Websites also access personal data in order to aggregate and
analyze it for general trends. Analytics are used to build predictive
modeis about a generalized population and to analyze and refine the
functionality of a website. When poor information architecture leads a
sizeable percentage of a website’s visitors to click on the wrong
link, the backtracking leaves an impression in the aggregated data.

There are cogent reasons to treat the pooling and processing of
data as a non-observation, so long as the data is processed without
overt reference to the data subject. (178) First, since the data is used
without reference to the data subject, to the extent there is
observation at all it is of a fact unleashed from its generator, like
footprints in the snow. If the anonymized data are related back to the
original device-user at some later point, the analytic exemption would
expire. But so long as data is used without interaction with, or
knowledge of, the particular data subjects, the subjects have not been
observed. (179)

Second, the vast new accumulations of data can be extremely useful
for research purposes. We are only just beginning to understand the
value of these grand new sources of information. Researchers at MIT, the
London School of Economics, and Harvard have used cell phone data to
track mental illness, political discourse, obesity, happiness, and stock
market fluctuations. (180) And GPS data can be used to improve traffic
planning and to monitor congestion in real time, so that drivers can
avoid delays. (181) For these purposes–whether they are as mundane as
improving a website or as profound as understanding the determinants of
happiness–researchers do not care who is in the database and who is
not. Statistical analysis strikes a very safe balance, enriching the
accumulation of knowledge and the proverbial marketplace of ideas
without posing risk of repercussion or misuse to the individuals
described in the data. But the data has to be processed in order to
anonymize and prepare the data for research use. (182) The New Intrusion
can be aligned with societal interests by exempting processing from the
definition of observation, much like the European Union exempts
processing for statistical research from the purpose limitations of the
Data Protection Directive. (183)

Illustration 4. Verizon pools together its subscribers’ cell
tower data to analyze which geographic areas require the construction of
additional towers. Verizon has not observed the subscribers’ tower

Illustration 5. Alexander regularly views television shows on Hulu.
Hulu gathers viewer usage data and anonymizes it in preparation for
release to researchers. Hulu has not observed Alexander’s
televiewing habits.

Having carved out the more obvious exceptions, the harder question
remains: what does count as an algorithmic observation? It is worth
reflecting for a moment on the objectives of the right to seclusion.
Seclusion gives people the breathing space to be and to act without
having to worry about social or economic consequences. Data accessed for
some purpose that is different and inconsistent with the product or
service for which the data was generated will generate many of the same
justified anxiefies over the dissemination and potential implications as
an intrusive observation. The user can no longer feel alone with his

For unexposed data–data for which a user maintains a right to
seclusion–the goals and designs of the Fair Information Practices are
quite apt. When the personal data is used or disclosed for some purpose
inconsistent with its original collection without advance notice and
consent, an observation has occurred. This definition of automated
observation is nearly identical to the “respect for context”
incorporated into President Obama’s proposed Consumer Privacy Bill
of Rights. (184)

Context, or “purpose,” is not self-defining. At the very
least it would include uses collateral to the service the user had
accessed that have the potential to significantly disadvantage the user.
The next illustrations provide examples of such uses.

Illustration 6. Anthony visits in order to purchase a
book after reading a review on a blog. Research shows that customers who
linked into Amazon from another website reviewing a product are less
likely to perform price comparisons before making a purchase. Amazon
uses a pricing algorithm that automatically offers Anthony a price $1.00
higher than the standard price based on his link-in data. Amazon has
observed Anthony’s link-in data.

Illustration 7. (Based on the same facts as Illustration 6.) Amazon
uses link-in and web-tracking data to construct a creditworthiness
index. Amazon has observed Anthony’s link-in and web-tracking data.

Illustration 8. (Based on the same facts as Illustration 6.) Amazon
discloses the link-in and web-tracking data to a third party data
aggregator that uses the data to construct, among other things, interest
profiles and employability indices. Amazon has observed Anthony’s
link-in and web-tracking data.

The New Intrusion framework intersects with Fourth Amendment law in
at least one important way. The expansive third party doctrine, which
allows law enforcement officers to access business records without
obtaining a warrant, is premised on the assumption that business records
contain information that the suspect “voluntarily turns over to
third parties.” (185) Personal data that has not been exposed, and
which cannot be observed by a company without triggering intrusion
liability, has no logical place in the third party doctrine exception to
the search warrant requirement. (186)

Less obvious, however, is the New Intrusion’s implication on
behavioral advertising. Given the current, dominant business model for
the most popular web services and online content providers, adverUsing
is arguably intrinsic to the purposes for which web tracking data is
created. If the raison d’etre for Facebook, Hulu, Google, and other
popular websites is to attract visitors by creative (and expensive)
content in exchange for the display of advertising, advertising is a
key, obvious component of the web service. Along this line of reasoning,
the use of data to facilitate advertising would not be inconsistent with
the purpose for which the data was created in the first place. This may
be especially defensible in cases like Gmail targeted advertising, where
the scanning of the body of one’s email, and the prominent display
of all the free storage and service provision the user gets in exchange
for the advertising program, provides clear visceral notice of
Google’s practice of scanning contents to deliver ads. (187)

On the other hand, tracking practices extend well outside a
user’s experience with each particular website because of the
frequent use of third party cookies. A user’s visit to website A on
day one is arguably wholly unrelated to the advertisement he is served
on website B on day 30. There is no definitive classification for
behavioral marketing as an observation. Much will depend on whether one
views advertising as the Internet’s backbone or as its parasite.188

2. Consent

Intrusion rules can always be modified through private agreements.
Today private industry places considerable faith in their privacy
policies and End User Licensing Agreements (“EULAs”) to define
the scope of their duties. Boilerplate formalities of this sort might
suffice to limit the scope of contract liability, but they are not
sufficient to constitute consent to conduct that would otherwise be
tortious. Consent is not assent. Consent requires acts that manifest an
objective expectation that the would-be tort victim is willing for the
tortious conduct to occur. (189) Qualitative research conducted by Chris
Hoofnagle and Jennifer King indicates that web users rarely have actual
notice of a website’s policies; in fact, the mere existence of a
privacy policy prompts web users to assume, inaccurately, that the
website promises not to re-use or share its transaction data. (190)
Notices and agreements that expand the scope of observation beyond what
courts would otherwise consider to be appropriate leave open a number of
important questions. Are there circumstances in which the courts should
demand heightened forms of notice for intrusive observations? (191) Are
there circumstances in which, for public policy reasons, courts should
not recognize consent at all? (192) This Article reserves for future
research consideration of what form of notice is sufficient to convert
an intentional tort into a consented activity. (193)

However, standard privacy policies and user agreements may interact
with New Intrusion liability. When an entity makes promises that data
will not be tracked or maintained, these promises can define the
contours of a user’s objectively reasonable expectations of
seclusion. Thus, if a website observes data that it claims is not even
being captured, the observation will violate an expectation of seclusion
created by the website itself. (194)

In the past, lawsuits alleging that a website violates its own
privacy policies have proceeded under contract theory. Because the
resulting contract damages are speculative, the lawsuits have been
unsuccessful. (195) A claim for intentional intrusion upon seclusion
could better deter privacy policy gaming because plaintiffs would have
access to tort damages based on emotional distress and punitive damages,
or even nominal damages multiplied by large numbers of class members.

3. The Gap Between Tort Theory and Application

A primary goal of tort law–and especially the law of intentional
torts–is to deter socially repugnant behavior. Since privacy claims are
based on psychic harms and emotional distress, compensatory damages and
even exemplary damages rely on evidence that distress has, indeed,
occurred. (197) In theory, courts should allow juries to compensate
plaintiffs generously based on any credible evidence of distress in
order to supply the basis for punitive damages, and in order to effect
deterrence. Far from being an amorphous approach to the law,
compensation for emotional distress in instances of intentional,
offensive behavior is soundly within the canonical law and economics
vision of tort law. The harms, though they are noneconomic and difficult
to count, easily outweigh the negligible benefits of the intentional,
offensive conduct. But many scholars have noted judges’ skepticism
when overseeing cases based on psychic injuries. (198) This Article does
not attempt to explore or resolve the gap between tort theory and its
application in the courtroom, but the hesitancy of the plaintiffs’
bar to bring novel privacy cases, and the jurists to allow them to
proceed to the jury, must be acknowledged. (199)

However, there are reasons to be guardedly optimistic that courts
might embrace the New Intrusion as a conservative response to a mounting
problem. Intrusion liability rules will create much-needed clarity of
law and policy, allowing businesses to use cookies without risk so long
as they stay within the bounds of per se objectively reasonable
observation. Companies would not have to provide opt-out procedures or a
“do not track” cookie, though they might choose to do so to
respond to market pressures. (200) Intrusion law would put an end to
many problematic practices without forcing online businesses to
significantly alter their websites, and without undermining the revenue
model that currently supports much of the free online content. The
intrusion approach is also readily enforceable because, by definition,
the tort applies only to offensive behavior. Thus intrusion avoids the
problems facing European privacy enforcement agencies, which are forced
to choose between ignoring blatant violations of the EU cookies laws by
nearly every website (including those of most EU governments) or
cracking down arbitrarily. (201) Finally, if the common law can deter
offensive observation of personal data, lawmakers will not have to
consider restricting downstream dissemination and use of data which, for
reasons articulated in the next Part, will be more difficult.


Once information is collected through legitimate means,
policymakers face an uphill climb to justify the regulation of its
dissemination. Laws restricting the disclosure or reuse of truthful,
legitimately observed information proceed on the counterintuitive theory
that having more facts is bad for society. However, there are times when
the spread of information does cause great, avoidable harm, and laws
deterring the spread of truthful facts can be the best course in these
instances. Again, tort law has already laid much of the foundation for
sensible restrictions on dissemination.

This Part begins by considering the nature of harms that flow from
the dissemination of information that was lawfully observed and
collected. The subsections that follow describe workable dissemination
restrictions on two categories of information: information revealed in
the context of a special relationship, and information that is
“predictably explosive.” These categories roughly map onto the
common law torts of breach of confidentiality and public disclosure of
private facts. These categories are not meant to be exhaustive; there
may very well be other types of dissemination restrictions that tend to
promote social welfare. But by analyzing confidentiality and public
disclosure laws, it will become apparent that restricting the
dissemination of truthful information is sound public policy only in a
limited number of contexts. This Part ends with a case study on
dissemination and use regulations from the credit reporting context.

A. Conceptions of Harm

Some of the losses routinely identified as “harm” do not
look like redressable injuries after sober reflection. This is
particularly true for reputation-related injuries. Since harm, and risk
of harm, are necessary prerequisites for tort liability, these
infirmities are important and merit explication.

1. Reputation Damage

Reputational harm and shame are among the most commonly cited
privacy harms. (202) The information age has undeniably increased the
availability of reputation-damaging content. In his book Delete, Viktor
Mayer-Schoenberger argues that the vast collections of digital
information keep us from forgetting the embarrassing things we’ve
done. (203) Websites that catalog mug shots (204) or highlight moments
of embarrassment (205) deny us the comfort we once had that our mistakes
and failings would evaporate from collective memory. This new state of
affairs has motivated the European Union to define a right to be
forgotten, requiring websites to destroy any personal information at the
request of the subject. (206)

Privacy scholars are puzzled that shame and reputational harms are
only reluctantly, if ever, vindicated by U.S. courts. (207) Jacqueline
Lipton speculates that lawmakers may fear chilling truthful speech, and
that individuals who have suffered shame and humiliation are unlikely to
demand legal redress, since the process would put their facts in the
spotlight once again. (208) Danielle Citron argues that courts should be
more likely than ever to recognize reputational injuries since the
Internet creates a permanent, searchable record of embarrassing personal
facts. (209) But shame, while undoubtedly unpleasant to the person
feeling it, is not always socially undesirable. (210)

2. Harm Versus Consequence

Reputational damage is usually either a collateral consequence of
past behavior (as when a bad credit history prevents a person from
obtaining a loan (211)) or the accidental loss produced by an otherwise
functioning system (as when a person’s story is used as a
cautionary tale). (212) Take, for example, the woman who is known
worldwide as Dog Poop Girl after she rebuffed the pleas of her fellow
subway-riders to pick up after her dog, which had just made a deposit in
the subway car. (218) If her fellow passengers had called her selfish
and entitled, the insults, while stinging, could not possibly require
redress. The insults would not be “harm” at all, at least not
in the sense that we use that term colloquially. (214) They burden her,
but they are the natural social consequence of her actions.

What happened instead was slightly different. Dog Poop Girl became
the target of a shaming campaign. Koreans pored over the pictures of the
incident posted on the Internet via cell phone camera. Soon her
identity, place of employment, and family members’ names were
attached to the story. She left her job in humiliation, and for the rest
of her life, searching Google for her real name will reveal her epithet.

Dog Poop Girl’s story is a sad one. Despite her transgression,
she did not deserve to bear the full brunt of the world’s contempt
for litterers. This, however, does not make her loss a compensable one.
(215) Stories like hers feed the engine of cultural norm-making, and as
unfortunate as the damage might be for her, the deterrent effect on
incivility and inconsiderate behavior will outweigh that damage. Dog
Poop Girl was the unlucky victim in a properly functioning system.
Though her penalty was out of proportion to her fault, she could have
avoided it by picking up after her dog. She was the cheapest cost
avoider, and so her aberrational penalty is equivalent to the tort
defendant who is liable for the full costs of an eggshell
plaintiff’s injury. (216)

This system, callous as it is, is superior to the alternatives. A
generic right to be forgotten allows an information subject to insist
that existing, truthful information about her must be destroyed. Such a
right imposes serious costs on the public. (217) It plucks out of the
public domain information that people have determined to be pertinent to
the evaluation of a person, supplanting instead that person’s own
(self-interested) judgment about what facts should inform public
perception. (218) Descriptions and empirical claims would have to give
way to opinion and conjecture. Credible proof and certainty of knowledge
would be replaced with rumor, speculation, and deniability. Social class
would be less dynamic; any information that would tend to blemish a
person’s reputation and relative social standing will be erased,
thereby hardening the status quo. (219) (Upward social mobility is,
after all, dependent on social downward mobility.) Also, the risk of
moral hazard is not negligible. A decision to exercise the right to be
forgotten can be driven by perverse incentives, as when an abusive
spouse seeks to have his domestic violence record shielded from public
disclosure. (220)

This is not to say that concrete privacy harm cannot arise from the
dissemination of information. In circumstances where the ex ante
expected losses to an information subject are greater than the expected
societal gains, disclosure of personal information can and should lead
to redress. Reasonable minds are bound to differ when deciding whether
the likely psychic harms outweigh the social gains. The values on both
sides of the scale are inordinately difficult to measure. But privacy
legal scholars tend to demand avenues of redress in every instance where
a person has suffered a psychic loss. Conceived of this way, a right to
privacy would be stronger even than a right to bodily integrity.

The overarching concern motivating reputational harm arguments is
that, with rapidly changing technologies and capabilities to store and
process personal data, negative consequences to individuals’
wellbeing are overlooked by courts and lawmakers. Implicit in this
concern, though, is a strong assumption that losses in the era of big
data automatically count as privacy harm. Many are simply collateral

Nevertheless, just as intrusion constitutes an injury with coherent
theoretical underpinnings, certain types of disclosures also can cause
predictable direct and indirect injury. In the next two sections, we
explore restrictions on dissemination that successfully target
appreciable harm.

B. Confidences

When personal information is revealed to a professional in a
special, fiduciary relationship with the subject, as when a client tells
a lawyer ah unflattering fact about himself, disclosure restrictions
function like an extension of the zone of seclusion. When the lawyer
learns the secrets of his client, the client has not abandoned his
seclusion. Instead, he has let the lawyer into it. The private facts, at
least as disclosed to the lawyer, are still in the client’s
control, as if he had never exposed them in the first place. The
client’s conversation with his lawyer is different from other
private conversations because the client has reserved, through express
agreement or by implication, a right to confidentiality.

Arguably, dissemination restrictions could be left to private law,
since express agreements of confidentiality can be worked out between
private parties. However, individuals and society at large benefit so
routinely from candor in certain types of relationships that law has
stepped in to create default duty of confidentiality rules. (221)
Placing stringent restrictions on doctors to keep their patients’
confidences will on balance serve the public interest by encouraging
candor and minimizing gawking. But the duty is qualified: in
circumstances when disclosure would be better, as when others are in
foreseeable danger, the common law either permits disclosure or requires
it. (222)

Relationships were historically regulated through tort duties and
professional codes of ethics, (223) but now a host of federal and state
statutes impose some confidentiality rules. They usually regulate
relationships where the information-receiver has an express or implied
fiduciary responsibility to the information-provider. The major
sector-specific federal privacy regimes are examples of
confidentiality-style statutes, covering medical providers, (224)
creditors, (225) educators, (226) communications service providers,
(227) banks, (228) and entertainment geared toward children. (229)

The harm caused by the dissemination of information held in
confidence is three-fold: first, the dissemination constitutes an
invasion of seclusion. If a doctor provided his patient’s medical
file to a curious snoop, the revelation would cause at least as much
distress as if the snoop had stolen a glance without the doctor’s
permission (a traditional intrusion upon seclusion). (230) Second, the
professional’s breach of trust may be an independent source of
distress. And third, because confidentiality duties are imposed in
contexts to promote the candid transfer of inherently sensitive
information, dissemination of confidential information is likely to be
used against the subject in some way.

Scholars focus on the third form of privacy harm as a means of
understanding the goals of laws like HIPAA. On that basis, they advocate
for recognition of dissemination harms for more, or even all, categories
of information. (231) But this second form contains an inherent tension
between society’s interest in having probative information and a
person’s desire to keep information secret precisely because it is
probative. The first form of harm, by contrast, allows
confidentiality-style regulations to fit comfortably with our
commitments to the free flow of information because, like intrusion,
injury from a breach of confidentiality is independent from the utility
of the divulged information. If a doctor talked about a particular
patient’s routine appendectomy at a party, he would violate his
patient’s privacy even if the facts were not particularly

American privacy law is criticized for being fragmented, (232) but
the existing statutory schemes typically apply to sectors in which an
imbalance in training or experience justifies the imposition of
fiduciary responsibilities. For sectors that do not have a
quasi-fiduciary responsibility with the consumer, assigning a duty of
confidentiality unduly encumbers relationships that are not ones of
unusual trust. (233) In addition to lost information, the public would
bear the costs of administering a strong privacy system. These costs are
considerable. A small hospital with only 400 beds can spend upwards of
$500,000 on HIPAA compliance each year, and for large hospitals the
direct administrative costs are in the millions of dollars. (234)
Arguably, it is appropriate to impose these costs on doctors and spread
them across the base of health care consumers because the
confidentiality duty promotes truthful medical consultations and leads
to optimal care, but the same reasoning does not hold for our merchants.

Some existing privacy laws unwisely create confidentiality duties
for relationships with only marginal amounts of trust. California’s
carpooling privacy statute, for example, imposes criminal liability for
divulging carpool or ridesharing information. (236) The Video Privacy
Protection Act (VPPA) imposes criminal and civil liability upon video
rental stores and their employees who disclose customer rental
information. (237) These statutes are often the products of legislation
by anecdote, as when the release of Judge Robert Bork’s video
rental records during his Supreme Court confirmation hearings prompted
the passage of the VPPA. (238) The VPPA now demonstrates how
overreaching confidentiality-style statutes can frustrate a regulated
industry’s attempts to expand services or use data in innocuous
ways. Netflix has expended considerable energy, and billable hours, to
find a lawful way for its members to report that they “like” a
movie on Facebook. The VPPA’s written consent requirements for
re-disclosure of video rental information are so onerous that Netflix
has resorted to lobbying for a change in the law. (239) Duties of
confidentiality should be imposed only in the instances where the
benefits are known to outweigh the considerable costs.

C. Disclosure of Highly Volatile Information

The tort of public disclosure of private facts has an uncertain
future. Liability for public disclosure is triggered when somebody gives
“publicity” to a private fact, if the matter is highly
offensive, and if the fact is not of legitimate concern to the public.
(240) Scholars have struggled to make sense of the public disclosure
tort’s interaction with the First Amendment for decades. The tort
is constructed with a number of safety valves to ease the inherent
tension between the right to speech and the right to not have one’s
story told. It avoids roping in gossip and ordinary conversation by
requiring the plaintiff to show that the defendant disclosed the private
fact to a broad audience. (241) And it also immunizes disclosures of
newsworthy information, an exemption much bemoaned by privacy scholars
as the exception that swallows the rule. (242) These exceptions may be
helpful for avoiding constitutional challenges, but they only make it
more difficult to understand what the tort is attempting to accomplish.
If a person is not at liberty to communicate a piece of information he
has, why do we not constrain this person through confidentiality laws?
And if this person is too distant from the tort victim to formalize
their relationship through confidentiality laws, then what is it that
makes the fact “private”?

Notwithstanding these puzzles, the public disclosure tort serves
important and unique functions. Consider this hypothetical, based
loosely on the facts of Doe v. Borough of Barrington. (243) A heated
argument at a bar in 1987 led to a physical confrontation between Arthur
and Billy. Arthur said, “Careful! I’m HIV positive.” At
this time, the AIDS epidemic was not well understood by the general
public. Later that night, Billy told Arthur’s neighbors about
Arthur’s serostatus. One of Arthur’s neighbors had young
children who attended public school with Arthur’s children. She
phoned the parents of all of the other students in the class and spread
the news that Arthur has HIV. Panicked, the other parents decided to
keep their children home from school, fearing they might somehow
contract the disease. Arthur’s children arrived at school to find
empty classrooms and social stigmatization.

These facts demonstrate that the public disclosure tort can target
harm outside the ambit of confidentiality laws. The disclosure cases
that tend to overcome the default assumptions favoring information flow
usually share two characteristics: first, there is some modicum of
implied use restriction; (244) and second, the public will have a
predictably irrational reaction to the disclosed facts. These types of
highly volatile facts lead to consistent overreaction and
discrimination. (245) Disclosure liability under these conditions avoids
conflict with net public knowledge because highly volatile facts degrade
public knowledge instead of improving it. (246)

Courts face a difficult task in identifying which types of personal
facts are highly volatile. The lawmakers must have confidence that the
public’s response is not only overwhelmingly negative, but
irrationally so. Sexually transmitted disease (especially HIV and AIDS)
marks one example where the public’s perception of the risks of
transmission and fault of the carriers are not in line with reality.
(247) Homosexuality might be another. (248)

The trouble is that classifications are unlikely to stay static
over time and are sometimes defused in a single generation. A strong
regulation that makes sense at one point in time can cause unexpected
problems later. As an example, California’s HIV privacy law
prohibits the disclosure of HIV test information for any reason,
including through compelled discovery with protective orders. (249) At
the time of the law’s passage, this seemed like a wise way to
protect HIV-positive patients and their supportive communities. However,
as the stigma of positive serostatus diminished, the law began to
produce unintended consequences. For example, the plaintiff in
Children’s Hospital v. Workers’ Compensation Appeals Board
mysteriously contracted HIV during her time working at a hospital. (250)
She presented convincing evidence to the Workers’ Compensation
Board that she did not contract HIV from her husband, her only sexual
partner, but the Board demanded evidence affirmatively supporting her
claim that she contracted the disease at work. (251) The plaintiff
subpoenaed her former employer hospital for a statistical record
reporting the number of patients that passed through her particular
hospital ward each year during her employ.

California’s HIV privacy statute prevented the hospital from
complying with her demand. Because a record of this sort did not yet
exist, the hospital would have to order a member of its staff to go
through patients’ charts to count the number of HIV cases, and even
a staff member could not do so without first securing explicit consent
from every hospital patient. (252) At the time of the law’s
passage, even hospital employees may have had a morbid curiosity in the
serostatus of patients, but today it is difficult to believe that a
hospital administrator would be unable to maintain professionalism while
compiling a statistical record of this sort. Since the plaintiff’s
claim for worker’s compensation depended on her access to this
evidence, the privacy statute quashed her chances of receiving pay and,
as a result, harmed a member of the very HIV-positive community it had
intended to help. State laws regarding homosexuality as a category of
libel per se exhibit a similar problem. (253) The common law might be
better suited than legislatures to recognize highly volatile facts
without letting that status ossify and outlast its usefulness.

Privacy advocates and scholars champion dissemination restrictions,
but when the regulations do not follow the confidentiality model or the
highly volatile fact model, they are usually ill-advised. The next
subsections discuss the problems that can result from overzealous
dissemination bans using credit markets as a case study.

D. Dissemination Restriction Case Study: Credit Markets

Many Americans have difficulty accessing credit for the first time.
Banks and credit card issuers use debt payment histories to determine
credit-worthiness, so without debt histories, college students and low
socio-economic status (SES) individuals are frequently shut out of
mainstream credit markets. (254) This is not in the best interests of
reliable low-SES applicants who might benefit from a line of credit, nor
is it in the credit issuers’ interests. But creditors have a
difficult time distinguishing low-risk applicants who lack credit
history from those who pose a high risk of default. The credit market
suffers from an information problem. By leaving a significant portion of
the American population un-assessable and unscorable, the information
problem does a disservice to creditors and would-be debtors alike.

A recent study by the Political & Economic Research Council
found a new source for measuring creditworthiness: utility bills. (255)
Utility bill payment histories correlate well with loan repayment, so
adding data on utility payment histories to the calculation of credit
scores improves the scores’ predictive power. More importantly,
utility bills provide a means of creating credit scores for 10% of the
previously unscorable population. (256)

Privacy advocates have objected to the disclosure of utility bill
data for this purpose because some applicants’ credit scores might
decrease on account of payment histories they did not know were being
tracked. (257) It is an odd argument: because consumers are not given
the opportunity to game the credit markets through strategic behavior, a
creditor’s use of a fuller, more accurate set of information
constitutes a privacy violation. This is another example where
collateral consequences of past behavior are mistaken for privacy harm.
Moreover, privacy regulations outlawing the transfer of utility bills in
this context would hinder class mobility.

Better measures of creditworthiness help the poor. They allow
traditionally overlooked credit applicants to access credit lines, and
just as importantly, they weed out higher-SES credit applicants who
score well on traditional measures but are actually more likely to
default. (258) Without the utility credit scores, lower-SES applicants
would cross-subsidize higher income applicants. (259)

Utility payment history reporting for credit scoring is a novel
repurposing of data. If all business records operated under the same
dissemination restrictions that our medical records do, this new use
would have been overlooked. (260) Dissemination restrictions are rarely
the best means of balancing privacy and information interests.
Restrictions that prohibit all uses other than the ones for which the
information was collected are equally problematic. (261) On the other
hand, regulations targeting specific misuse can work quite well.

E. Use Restriction Case Study: Credit Reports

Laws prohibiting specific uses of personal information can achieve
the goals of privacy law without significantly curtailing the flow of
truthful information. If we have reason to believe that a particular use
diminishes social welfare, we can and should craft prohibitions on those
specific uses. Antidiscrimination laws are prime examples of narrow use
restrictions. Antidiscrimination laws restrict the use of race, age,
sex, or medical information for hiring, housing, and lending decisions
because the biases that result from use of this information, whether
statistically rational or not, run against the public interest. (262)
These laws work well on the risk-utility calculator because they allow
information to be exploited for all purposes except the ones that have
been determined to be harmful or risky. (263) The large, rich
scholarship on discrimination law explores and debates the soundness of
anti-discrimination measures. (264) Curiously, the privacy and
discrimination fields often work in isolation, without overt awareness
that regulations called “privacy laws” and those called
“antidiscrimination laws” often aim to prevent the same harms.

To observe how privacy goals can be achieved through
antidiscrimination policies, consider the utility credit reports
described in the last subsection. We might wonder whether employers
should be proscribed from using these new utility credit scores. As a
general matter, we would like employers to differentiate between job
applicants on the basis of characteristics that have a relationship to
job performance. If employers are enjoined from making hiring
considerations based on likely performance ability, the redistribution
of jobs and wealth will take place within a pool of applicants such that
it will be slightly harder for higher-performers to obtain the job, and
slightly easier for lower-performers. (266) However, employers, like all
humans, are susceptible to biases or unexamined assumptions leading them
to adopt a hiring criterion that does not actually predict future job
performance. When this happens, wealth and employment are distributed
within the class of job applicants in a way that is capricious at best,
discriminatory at worst, and in any case unmoored from merit and desert.
Under which of these models do credit reports fall? Do credit reports
make the labor market more meritocratic or less so?

The federal Fair Credit Reporting Act permits employers to access
credit reports during hiring processes. (267) Considering that federal
law prohibits just about everyone else from accessing credit reports,
(268) one would think there is abundant evidence that credit scores
correlate strongly with worker competency and job performance. While
there is evidence that present financial stress correlates with
absenteeism, (269) there is little evidence that credit reports predict
the likelihood of success among job applicants.

Even if credit reports were somewhat predictive of job performance,
if the effect is small, social welfare could benefit from limiting an
employer’s access to credit information. A person who is already
struggling to pay bills and regain control over their finances is
vulnerable to sliding into bankruptcy or poverty if he cannot obtain
employment. If he does, he will impose negative externalities on others,
including unemployment insurance, the cost of uninsured health care, and
at the extreme, welfare programs. We also might be concerned about
disparate impacts on the disabled and working mothers since financial
crises are often caused by medical or family emergencies. We might
classify the financially insecure as a protected class, and prevent
discrimination on the basis of financial security. However, this puts
employers in a difficult spot. They are under pressure to avoid hiring
risky employees not only for financial reasons, but to avoid liability
under Title VII and for the tort of negligent hiring. (270)

An information-forcing law might provide a reasonable middle
ground, obligating employers to disclose to their job applicants all
personal information accessed in the course of making a hiring decision.
Accurate information, and the influence it has on the choices of both
employers and job applicants, is one of the three means of transferring
power identified in Mary Graham’s Democracy by Disclosure. (271)
Transparency laws are in direct tension with personal privacy, but they
can be unexpectedly consonant with the aim of respectful and dignified

The credit report case study shows that, with careful consideration
for competing public policy concerns, information harms can be reduced
using carefully tailored use restrictions. But these restrictions have
little in common with the blunt and comprehensive restrictions proposed
by privacy scholars. (272)


Tort law holds the solution to vexing problems in privacy law. Yet
it has been neglected by privacy law scholars, who are on a misguided
quest to constrain the quantity, spread, and repurposing of personal
data. The extensive regulations they propose come into direct conflict
with traditional American normative commitments to the free flow of
information. Rather than questioning the wisdom of their proposals,
privacy scholars pursue the dubious goal of changing America’s
normative commitments.

We do not yet understand the benefits and consequences of living in
a world of unlimited quantities of accurate data–bad portraits, precise
records of e-mails, web search histories, recordings of our own voices,
and nearly every other interaction we have with a computer. Undoubtedly
we know more about each other and ourselves because of these new
information troves. It is natural, even if it isn’t rational, to
regard change as a presumptive threat. Privacy scholars, like all
humans, are wired to believe that the existing state of affairs has
struck a good balance between remembering and forgetting, and that
technologies tipping the scale in one direction or the other are more
likely to damage the information ecosystem than to improve it. (273)
Behavioral psychologists and economists refer to this as status quo
bias, (274) and Lawrence Lessig more vibrantly refers to it as
“is-ism”: what is, is what must be. (275) Technology shocks
significantly alter the world, and predictions about the future state
will be more pessimistic than the valuation of the current state, of
what we have to lose.

To this point, American lawmakers have been wisely reluctant to
condemn the accumulation of personal information until we fully
understand its consequences. It is tempting to think that controlling
the production of records so that we have not-too-many-more than we used
to will keep intact the best balance between the virtues of information
and secrecy, but this is emotion-driven rationalization of the status
quo. Consider the similarities to the fable of King Thamus, originally
told by Plato and retold in Neil Postman’s Technopoly. (276)
Theuth, an inventor, approached Thamus with a new invention he hoped to
introduce to the Egyptian people: the written word. Claiming that the
use of letters could make Egyptians wiser by improving their memories,
King Thamus responded:

   [Y]ou, who are the father of letters, have been led by your
   affection to ascribe to them a power the opposite of that which
   they really possess. For this invention will produce forgetfulness
   in the minds of those who learn to use it, because they will not
   practise their memory. Their trust in writing, produced by external
   characters which are no part of themselves, will discourage the use
   of their own memory within them. You have invented an elixir not of
   memory, bur of reminding; and you offer your pupils the appearance
   of wisdom, not true wisdom, for they will read many things without
   instruction and will therefore seem to know many things, when they
   are for the most part ignorant and hard to get along with, since
   they are not wise, but only appear wise. (277)

The comparison between distrust of personal data and Plato’s
distrust of the written word is all the more chill-inducing when we
consider the history of personal data collection. The progenitor of Big
Data was the early accounting records scratched into clay tablets six
thousand years ago by traders in Uruk, an ancient Mesopotamian city.
(278) These clay accounting tablets are also one of the first forms of
writing. (279) Records really are the building blocks of ideas and

Though the United States stands alone among developed countries
without omnibus data protection laws, our preference for tort principles
over property rights is eminently sensible. The sweeping restrictions of
Europe’s Data Protection Directive allow individuals to control the
flow of information regardless of the impact on the rest of the public.
Tort doctrines find rules that favor the well-being of society over the
preferences of any one individual. They begin with a presumption that
private actors may gather and distribute information freely. This
presumption is overcome in circumstances where privacy rights improve
social welfare. (280 Courts and lawmakers are desperate to find a
privacy response suited to the ambiguity and risks of new technologies
without imposing too many restrictions on information flow. Even Justice
Kennedy, who is not by any stretch of the imagination a privacy
advocate, acknowledges that technology “presents serious and
unresolved issues with respect to personal privacy and the dignity it
seeks to secure.” (281) Fortunately, tort has already developed an
attractive, pragmatic option.

Privacy scholars have overlooked the potential of the old common
law intrusion tort to meet new privacy challenges in the information
age. Because the interests protected by the intrusion tort are
independent from the public’s interest in probative information,
the tort is more stable than other types of privacy laws. By clarifying
that the intrusion tort imposes liability for obnoxious observations, as
opposed to the creation of data, this Article has demonstrated that the
intrusion tort is apt to deter offensive, targeted observations, and to
protect the sense of seclusion that people have come to expect even in a
world brimming with data. Intrusion offers a principled way to penalize
space invaders without unduly taxing the benefits society enjoys from
open information exchange.

(1) Nader v. Gen. Motors Coo., 255 N.E.2d 765, 767 (N.Y. 1970).

(2) Id.

(3) Id. at 771.

(4) Id. at 767.

(5) Id. at 771. The other conduct, while relevant to Nader’s
claim for Intentional Infliction of Emotional Distress, did not
constitute intrusion upon seclusion. Id. at 770.

(6) Id. at 771.

(7) RESTATEMENT (SECOND) OF TORTS [section] 652B (1977).

(8) See infra Part II for a discussion of the theoretical
underpinnings of a right to seclusion.

(9) “Where there is intrusion, the intruder should generally
be liable whatever the content of what he learns.” Pearson v. Dodd,
410 F.2d 701, 705 (D.C. Cir. 1969). The tort “consists solely of an
intentional interference with his interest in solitude or seclusion,
either as to his person or as to his private affairs or concerns, of a
kind that would be highly offensive to a reasonable man.”
RESTATEMENT (SECOND) OF TORTS [section] 652B cmt. a (1977). “The
intrusion itself makes the defendant subject to liability, even though
there is no publication or other use of any kind of the photograph or
information outlined.” Id. cmt. b. A few courts and jurisdictions
have gotten this wrong, and have found that seclusion cannot be intruded
if the same information could have been learned through proper means.
See, e.g., Fletcher v. Price Chopper Foods of Trumann, Inc., 220 F.3d
871, 876 (8th Cir. 2000) (holding that “unauthorized release of
medical information does not constitute highly offensive conduct when
that information could have been obtained by proper means”);
Remsburg v. Docusearch, Inc., 816 A.2d 1001, 1009 (N.H. 2003) (holding
that because work address information is “readily observable by
members of the public,” no cause of action for intrusion upon
seclusion can be maintained). These opinions miss the heart of the tort,
and are anomalous. Some courts also use the tort of intrusion to address
harassing behavior that fits the tort of intentional infliction of
emotional distress better, as when a debt collector makes incessant,
hostile phone calls to a person believed to be the debtor. See, e.g.,
Norris v. Moskin Stores, Inc., 132 So. 2d 321, 323 (Ala. 1961)
(recognizing a claim for invasion of privacy based on wrongful intrusion
when a creditor takes unreasonable actions to collect on a debt). These,
too, are not representative of the tort. Moreover, statutes that outlaw
similar behavior (so-called “trespass by telephone” statutes)
are on constitutionally infirm ground. See, e.g., People v.
Pierre-Louis, 2011 N.Y. Slip Op. 21254, at *4 (2011) (holding that
repeated calls to a district attorney could not be banned because of the
First Amendment’s free speech guarantee).

(10) Neil M. Richards, The Limits of Tort Privacy, 9 J. ON
TELECOMM. & HIGH TECH L. 357, 359 (2011); see also Danielle Keats
Citron, Mainstreaming Privacy Torts, 98 CAL. L. REV. 1805, 1805 (2010);
Jerry Kang, Information Privacy in Cyberspace Transactions, 50 STAN. L.
REV. 1193, 1231 (1998); Jessica Litman, Information Privacy/Information
Property, 52 STAN. L. REV. 1283, 1304 & n.94 (2000); Neil M.
Richards & Daniel J. Solove, Prosser’s Privacy Law: A Mixed
Legacy, 98 CAL. L. REV. 1887, 1918 (2010); Paul M. Schwartz, Privacy and
Democracy in Cyberspace, 52 VAND. L. REV. 1607, 1634 (1999).

(11) Paul M. Schwartz, Property, Privacy, and Personal Data, 117
HARV. L. REV. 2055, 2095 (2004).

(12) Joel R. Reidenberg, Restoring Americans’ Privacy in
Electronic Commerce, 14 BERKELEY TECH. L.J. 771, 788 (1999).

(13) Neil M. Richards, Reconciling Data Privacy and the First
Amendment, 52 UCLA L. REV. 1149, 1165, 1171-72 (2005). The First Circuit
adopted Richards’s strategy, and ruled that prescription data held
by a large data aggregator could be regulated for the same reasons that
beef jerky can. IMS Health Inc. v. Ayotte, 550 F.3d 42, 53 (1st Cir.
2008). The opinion was effectively overruled by the Supreme Court’s
decision in Sorrell v. IMS Health Inc., 131 S. Ct. 2653 (2011). But see
Richards, supra note 10, at 376 (noting that First Amendment rights must
trump privacy interests, at least in the context of the public
disclosure tort, because free speech is the more important value).

(14) Commercial Privacy Bill of Rights Act of 2011, S. 799, 112th
Cong. (2011); Press Release, White House, Fact Sheet: Plan to Protect
Privacy in the Internet Age by Adopting a Consumer Privacy Bill of
Rights (Feb. 23, 2012) [hereinafter Consumer Privacy Bill of Rights],
available at

(15) Consumer Privacy Bill of Rights, supra note 14.

(16) Daniel J. Solove, Conceptualizing Privacy, 90 CAL. L. REV.
1087, 1151 (2002).

(17) Future work will use the taxonomy to assess privacy policies
for information in the state’s possession.

(18) Other scholars laud the intrusion tort, though none fully
develop it. Andrew Jay McClurg touted the virtues of intrusion and gave
definition to the aims of the tort, but ultimately gave up on the tort
as helpful for any actions taken in public that are voluntarily
revealed. Andrew Jay McClurg, Bringing Privacy Law Out of the Closet: A
Tort Theory of Liability for Intrusions in Public Places, 73 N.C.L. REV.
989, 1054 (1995). Lyrissa Lidsky proposes the expansion of the intrusion
tort through the creation of a newsgatherer’s privilege, which
could take pressure off courts that might be reluctant to impose
intrusion liability for fear of interfering with the news media’s
important functions. Lyrissa Barnett Lidsky, Prying, Spying, and Lying:
Intrusive Newsgathering and What the Law Should Do About It, 73 TUL. L.
REV. 173, 173 (1998). More recently , in describing the limitations on
the tort of public disclosure, Neil Richards has concluded that
“the law should focus on preventing unwanted collections or
accumulations of information, rather than preventing the dissemination
of already-collected information” and recommends turning to the
tort of intrusion to do so. Richards, supra note 10, at 383.

(19) Europe is experiencing increasing difficulty enforcing its
strict data privacy laws without forcing European websites and devices
to adopt needlessly clunky interfaces. Marisa Taylor, Europe Approves
New Cookie Law, WALL ST. J. (Nov. 11, 2009, 11:13 AM),
?mod=. The European Union is struggling to enact and make sense of the
Privacy and Electronic Communications Directive (E-Directive), which
requires all European countries to enact laws requiring websites to
obtain consent before placing cookies on computer users’ machines.
Implementation of the Directive has been so difficult that the
Information Commissioner’s Office in the United Kingdom issued a
press release announcing that enforcement would not begin for another
year. See Press Release, Information Commissioner’s Office, ICO
Gives Website Owners One Year to Comply with Cookies Law (May 25, 2011),
available at; see also Siobhain
Butterworth, Cookie Law Shambles Really Takes the Biscuit, GUARDIAN (May
27, 2011, 10:31 AM) web-browsers. Some commentators
have criticized the cookie law, arguing that enforcement is bound to be
either arbitrary and capricious or (last visited Sept. 11,

(20) See generally Richards, supra note 10 (discussing the impact
of Richards & Solove, supra note 10); Samuel D. Warren & Louis
D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193 (1890) (arguing
that the common law allowed for a general right to privacy).

(21) The HEW Report, drafted in 1973 and heralded as the seminal
source of fair information practices, has a subsection titled “Too

(22) See M. Ryan Calo, The Boundaries of Privacy Harm, 86 IND. LJ.
1, 9 n.41 (2011); see also Jacqueline D. Lipton, Mapping Online Privacy,
104 NW. U. L. REV. 477, 482-84 (2010) (acknowledging that many privacy
responses, including the European Union’s Data Protection Directive
are ill equipped to respond to privacy issues inherent to user-generated
Web content); Felix T. Wu, Privacy and Utility in Data Sets, 84 U. COLO.
L. REV (forthcoming 2013).

(23) See generally Eugene Volokh, Freedom of Speech and Information
Privacy: The Troubling Implications of a Right to Stop People from
Speaking About You, 52 STAN. L. REV. 1049 (2000) (arguing that broad
information privacy rules are not easily defensible under existing free
speech law).


(25) Ruth Gavison, Privacy and the Limits of Law, 89 YALE L.J. 421,
423 (1980).

(26) This marches the European Union Data Protection Directive,
which imposes limitations when data is “used for taking measures or
decisions regarding any particular individual.” Directive 95/46/EC,
of the European Parliament and of the Council of 24 October 1995 on the
Protection of Individuals with Regard to the Processing of Personal Data
and on the Free Movement of Such Data, art. 13(2), 1995 O.J. (L 281) 31,
42, available at 31995L0046:en:HTML (last visited Oct. 11, 2012) [hereinafter EU
Data Protection Directive].

(27) 18 U.S.C. [section][section] 2510-2522 (2006).

(28) Video Voyeurism Prevention Act, id. [section] 1801.

(29) Pub. L. No. 104-191, 110 Stat. 1936 (codified as amended in
scattered sections of 18, 26, 29, and 42 U.S.C.).

(30) Pub. L. No. 101-336, 104 Stat. 327 (codified in scattered
sections of 42 U.S.C.).

(31) The EU Data Protection Directive bans the
“processing” of data without the subjects’ consent.
Processing is “any operation or set of operations which is
performed upon personal data, whether or not by automatic means, such as
collection, recording, organization, storage, adaptation or alteration,
retrieval, consultation, use, disclosure by transmission, dissemination
or otherwise making available, alignment or combination, blocking,
erasure or destruction.” EU Data Protection Directive, supra note
26, art. (2)(b). Processing could constitute a distinct stage in the
information flow, along with observation, capture, dissemination, and
use. But while processing might mark a distinct phase, it is not one
that is “regulable” under the First Amendment or the American
normative commitments to information. Regulations proscribing the
analysis of accurate data do not weed out inferences and heuristics.
Instead, they invite inferences based on hunch. Moreover, if a
relationship between two characteristics is very strong, processing can
be so unavoidable as to be indistinguishable from thought. Since
processing is so difficult to detect, as a practical matter privacy laws
are better off operating earlier or later in the information stream.

(32) Daniel Solove’s taxonomy of privacy problems can map
directly onto these four stages. Surveillance (clandestine observation),
identification, and fruitful interrogations occur at the
“observation” stage. Daniel J. Solove, A Taxonomy of Privacy,
154 U. PA. L. REV. 477, 491-99 (2006) (explaining that
“identification” is the attachment of an identity to a
previously anonymous piece of information, so it allows an observation
about the identified person for the first time, even if the information
were already observed in anonymized form). Aggregation occurs at the
“capture” stage since the stage includes the presumed
indefinite storage of a record. Id. at 506-11, Exclusion and security
occur at the “dissemination” stage, as do all of the privacy
problems in Solove’s “information dissemination”
family–breach of confidentiality, disclosure, exposure, increased
accessibility, blackmail, appropriation, and distortion. Id. at 522-52.
Secondary uses are, obviously, “uses” under my framework. Id.
at 520-21. Solove’s interference family of privacy problems do not
map cleanly onto my framework because “intrusions,” as Solove
categorizes them, include harassing acts that are best treated as
something other than information-related. “Decisional
interferences” are actually observation harms–the chilling effects
that can result from government inquiry or surveillance of certain types
of acts. Id. at 557-62.

(33) Gavison, supra note 25, at 426 (quoting Hyman Gross’s
definition of privacy). Gavison finds this definition unhelpful and puts
forward her own definition of privacy interests, which break into the
categories of secrecy, anonymity, and solitude. Id. at 428.

(34) See generally Solove, supra note 32, at 564 (“Modern
privacy problems emerge not just from disclosing deep secrets, but from
making obscure information more accessible (increased accessibility) or
from consistent observation or eavesdropping (surveillance).”).
Fully half of the privacy problems identified in Daniel Solove’s
influential privacy taxonomy take place at the dissemination stage,
which implies that the regulatory solutions would have to constrain
these disseminations. Id. at 525-552.

(35) LAWRENCE LESSIG, CODE VERSION 2.0, 6-8 (2d ed. 2006).

(36) Id. at 223.

(37) Id. at 227.

(38) Schwartz, supra note 11, at 2058; see also LESSIG, supra note
35, at 142-63 (arguing property rights should be used to protect
Internet privacy) ;Jerry Kang & Benedikt Buchner, Privacy in
Atlantis, 18 HARV. J.L. & TECH. 229, 232 (2004) (indicating that the
property right approach would result in personal data being exchanged
through free market interactions).

(39) Schwartz, supra note 11, at 2098.

(40) Kang & Buchner, supra note 38, at 255-56.

(41) See LESSIG, supra note 35, at 227-28; A. Michael Froomkin, The
Death of Privacy?, 52 STAN. L. REV. 1461, 1461 (2000); Litman, supra
note 10, at 1290; Marc Rotenberg, Fair Information Practices and the
Architecture of Privacy (What Larry Doesn’t Get), 2001 STAN. TECH.
L. REV. 1, 33 (2001) (noting the effort to protect an individual’s
privacy); see also Kang & Buchner, supra note 38, at 246, 255. Kang
notes several differences between the property model and the EU Data
Protection Directive, believing that the former springs from an
orientation toward market solutions while the latter is designed to
protect dignity. Id. at 231-36. But Kang recognizes that the two models
both place initial entitlements in the hands of the individuals
described in the data. Id. at 255. The property proposals from the
privacy literature incorporate other protections to prevent the
completely free alienability of personal information, so in practice the
difference between these approaches would not be as distinct as Kang

(42) EU Data Protection Directive, supra note 26. The European
Commission’s recently released draft regulations would amend the EU
Data Protection Directive to add a new right to data deletion, a
“right to be forgotten,” which requires data controllers to
delete information upon request, even if the data subject had consented
to the collection of the information. Proposal for a Regulation of the
European Parliament and of the Council on the Protection of Individuals
with Regard to the Processing of Personal Data and on the Free Movement
of Such Data, at 9, COM (2012) 56 draft (Nov. 29, 2011).

(43) HEW REPORT, supra note 21; Rotenburg, supra note 41. Rotenburg
laments that industry lobbyists do not appreciate and account for the
fact that Fair Information Practices were developed by American
congressmen. Id. at 15. This is an odd criticism since, as Rotenburg
acknowledges, FIPs were designed to be an agreement about how the
federal government should treat personal data, not private parties. Id.
at 3 & n.11. Some sectors of American enterprise are governed by
industry-specific privacy regulations such as the Video Privacy
Protection Act and the Health Insurance Portability and Accountability
Act (HIPAA). These are discussed at length in Part IV, infra.

(44) EU Data Protection Directive, supra note 26, at 41; HEW
REPORT, supra note 21.

(45) See generally William L. Prosser, Privacy, 48 CAL. L. REV. 383
(1960) (describing four types of privacy invasion); Warren &
Brandeis, supra note 20 (contemplating several restrictions on the right
to privacy, including the need to show special damages).

(46) See, e.g., Citron, supra note 10, at 1809-10 (criticizing the
privacy torts for failing to recognize new, increased quantities of
harm, but also encouraging privacy law to expand from its common law
tort roots); Kang, supra note 10, at 1231; Litman, supra note 10, at
1304; Richard S. Murphy, Property Rights in Personal Information: An
Economic Defense of Privacy, 84 GEO. L. REV. 2381, 2397 (1996);
Richards, supra note 10, at 357; Richards & Solove, supra note 10,
at 1918; Schwartz, supra note 10, at 1634; see generally DANIEL SOLOVE,
THE FUTURE OF REPUTATION 122-29 (2007) (arguing that tort law continues
to play an important role as a deterrent for individuals who spread
rumors or spill secrets); Patricia Sanchez Abril, Recasting Privacy
Torts in a Spaceless World, 21 HARV. J.L. & TECH. 1 (2007)
(reconstructing the tort of public disclosure to avoid the
“scattershot” nature of existing precedent).

(47) Prosser, supra note 45, at 389.

(48) Froomkin, supra note 41, at 1523-24; Kang & Buchner, supra
note 38, at 235-36; Richards, supra note 10, at 359-61 (suggesting that
other torts and the expansion of confidentiality duties can be used to
meet new privacy demands); Solove, supra note 32, at 477-78.

(49) Citron, supra note 10, at 1813 (citing FRIEDRICH NIETZSCHE,
THE GAY SCIENCE 194-95 (Bernard Williams ed., Josefine Nauckoff trans.,
Cambridge Univ. Press 2001) (1887)).

(50) Lipton, supra note 22, at 501.

(51) A property rule would avoid what privacy scholars perceive to
be unjust enrichment; since information has value, privacy scholars view
the collection of data to be a sort of theft. Eugene Volokh describes
and responds to this argument. Volokh, supra note 23, at 1074. Empirical
research suggests this value will be quite small for most Americans,
anyway. IAN AYRES, SUPER CRUNCHERS 197 (2007) (citing studies that found
most people were willing to disclose their social security numbers in
exchange for fifty-cent-off coupons); Eric Goldman, The Privacy Hoax,
FORBES, Oct. 14, 2002, at 42, available at But as with real
property, a right to information property would allow some Americans to
be data holdouts.

(52) Murphy, supra note 46, at 2397 (“Given anonymity, people
will do what they want.”).

(53) Cf. Froomkin, supra note 41, at 1535 (“Ironically, the
advances in technology that are reducing the transactions [sic] costs
… also work to facilitate the sale of personal data, potentially
lowering the cost enough to make the purchase worthwhile.”). But
see Litman, supra note 10, at 1299 (voicing skepticism that transaction
costs will be significant, and noting that the real issues at stake are
the allocations of the entitlements).

(54) Schwartz, supra note 11, at 2091.

RAPID CHANGE 6-7 (2010), available at report.pdf. This is
particularly odd since the Federal Trade Commission’s consumer
protection duties requires the FTC and the plaintiffs’ bar to
detect fraud and identify likely victims, both of which are improbable
without the aid of data.

(56) See Official Court Notice of Settlement In re DoubleClick Inc.
Privacy Litig., Master File No. 00-CIV-0641; see also Press Release,
Fed. Trade Comm’n, FTC Announces Settlement with Bankrupt Website,, Regarding Alleged Privacy Policy Violations (July 21,
2000), available at toysmart2.shtm.

(57) James Q. Whitman, The Two Western Cultures of Privacy: Dignity
Versus Liberty, 113 YALE L.J. 1151, 1155-60 (2004).

(58) The inherent value of information is expressed by the
influential writings by John Stuart Mill:

   Wrong opinions and practices gradually yield to fact and argument:
   but facts and arguments, to produce any effect on the mind, must be
   brought before it. Very few facts are able to tell their own story,
   without comments to bring out their meaning. The whole strength and
   value, then, of human judgment, depending on the one property, that
   it can be set right when it is wrong, reliance can be placed on it
   only when the means of setting it right are kept constantly at


(59) The HEW Report recommended the submission of legislative
proposals to Congress to “establish a code of fair information
practice for all automated personal data systems maintained by agencies
of the Federal government or by organizations within reach of the
authority of the Federal government.” HEW REPORT, supra note 21, at
136 (emphasis added).

(60) The examples in the chapter titled “Latent Effects of
Computer-Based Record Keeping,” which describes privacy harms,
include fears of dragnet-style investigation processes, inaccurate
welfare distributions, and the FBI’s clearinghouse of criminal
files. See id. at 12-30.

(61) Internet search terms can reveal epidemiological trends faster
than the Center for Disease Control. See Alexis Madrigal, Google Could
Have Caught Swine Flu Early, WIRED (Apr. 29, 2009, 3:40 PM),
google-could-have-caught-swine-flu-early; Melinda Wenner, Google Flu
Trends Do Not Match CDC Data, POPULAR MECHANICS (May 17, 2010, 9:15 AM),
http://www.popular The flu can infect ah area without causing the fever and
respiratory problems that are typically Googled. What Google Flu Trends
tracks is better understood as tracking flu-like symptoms rather than
actual confirmed influenza outbreaks.

(62) Backlogs of crime victim reports and other data have allowed
experimental law enforcement programs to use analytics to predict more
accurately where larceny and other crimes are most likely to happen and
when. The most cutting-edge programs can provide predictions as focused
as a one square-block area. See Erica Goode, Sending the Police Before
There’s a Crime, N.Y. TIMES, Aug. 15, 2011, at All, available at
http:/ /

(63) Baseball, which has rewarded fans and team owners who have the
patience and aptitude for statistics, is about to undergo another data
renaissance with the help of a new technology called Fieldf/x, which
records every single motion of each player at every game. If it works as
promised, the corrective statistics made popular by Moneyball may prove
to be completely outmoded. Also, baseball’s league awards and pay
structure might become one of the most meritocratic systems known to
exist. Ira Boudway, Baseball Set for Data Deluge as Player Monitoring
Goes Hi-Tech, BLOOMERG (Mar. 31, 2011, 5:00 PM), players-goes-hi-tech.html.

(64) See Jim Rutenberg & Jeff Zeleny, Obama Mines for Voters
with High-Tech Tools, N.Y. TIMES, Mar. 8, 2012, at A1, available at
us/politics/obama-campaigns-vast-effort-to-re-enlist-08-supporters.html?pagewanted= all.

(65) Sorrell v. IMS Health, Inc., 131 S. Ct. 2653, 2667 (2011)
(“Facts, after all, are the beginning point for much of the speech
that is most essential to advance human knowledge and to conduct human
affairs. There is thus a strong argument that prescriber-identifying
information is speech for First Amendment purposes.”). Lawrence
Lessig and Neil Richards have argued that personal data is not
“expression” and therefore should not be the basis for First
Amendment protection. See Richards, supra note 13, at 1154-55. As a
descriptive matter, IMS Health has put these arguments in doubt. As a
normative matter, I agree with the broader views of the First Amendment,
articulated by Derek Bambauer and Eugene Volokh, among others, that in
deciding whether a First Amendment protection applies in the first
place, we ought not allow the courts to decide which types of
information count as “speech” and which do not. Derek E.
Bambauer, Orwell’s Armchair, 79 U. CHI. L. REV. (forthcoming 2012).
Moreover, a test that assigns less protection to expressions that have a
higher proportion of dry factual information puts undue emphasis on the
proportion of an expression that is made from opinion and point-of-view.

(66) See Barmicki v. Vopper, 532 U.S. 514, 527-28 (2001).

(67) Rochelle Cooper Dreyfuss, Warren and Brandeis Redux: Finding
(More) Privacy Protection in Intellectual Property Lore, 1999 STAN.
TECH. L. REV. 8, [paragraph][paragraph] 14-23 (1999); Diane Leenheer
Zimmerman, Information As Speech, Information As Goods: Some Thoughts On
Marketplaces and the Bill of Rights, 33 WM. & MARY L. REV. 665, 717
(1992) (discussing the effect the right of publicity has on speech).
Right of publicity claims are often lumped under the banner of
“misappropriation.” I distinguish for the purposes of this
Article between the tort claim of misappropriation, which protects
ordinary people from receiving unwanted and unconsented exposure when
their images or names are used to sell commercial products, from
intellectual property claims for the right of publicity, which are
concerned with the commercial mining and exploitation of
celebrity’s fame without the celebrity’s permission. For the
contrast, see, for example, Carson v. Here’s Johnny Portable
Toilets, Inc., 698 F.2d 831, 836 (6th Cir. 1983) (permitting recovery
when Johnny Carson’s celebrity was exploited to market

(68) Parks v. LaFace Records, 329 F.3d 437, 441 (6th Cir. 2003).

(69) Id. at 442-43.

(70) Id. at 461.

(71) Id. at 442.

(72) Id. at 460 (“All that a plaintiff must prove in a right
of publicity action is that she has a pecuniary interest in her
identity, and that her identity has been commercially exploited by a

(73) This extension of the right of publicity would correspond to
Rochelle Dreyfuss’s descriptive theory of intellectual
property–that courts assign property rights wherever there is value.
Dreyfuss, supra note 67, at [paragraph] 16.

(74) See Zimmerman, supra note 67, at 667-68; see also Eldred v.
Ashcroft, 537 U.S. 186, 205-06, 214-15 (2003); Diamond v. Chakrabarty,
447 U.S. 303, 307 (1980).

(75) Under a labor desert theory, it is very likely the data
aggregator who will be seen to invest effort in creating a usable and
probative set of personal information since personal information is only
as valuable as its data quality. To understand the effort required to
create and maintain usable data, see THOMAS C. REDMAN, DATA DRIVEN 53-86

(76) Zimmerman, supra note 67, at 682.

(77) Kang & Buchner, supra note 38, at 233; Volokh, supra note
23, at 1066. Hot news misappropriation is an exception to the general
proposition that facts cannot be property. See Int’l News. Serv. v.
Associated Press, 248 U.S. 215, 216 (1918). But again, this exception
rests on a labor desert theory that aims to reward the production of

(78) Even Rochelle Dreyfuss, who enunciated the clearest
jurisprudential path to propertization of personal information, advised
against widening the scope of intellectual property since the recent
expansions of intellectual property have been unprincipled. Dreyfuss,
supra note 67, [paragraph] 25; see also LAWRENCE LESSIG, FREE CULTURE 10
(2004) (arguing that the change in creative property laws aimed at
eliminating piracy can also eliminate “our culture of
values”); Zimmerman, supra note 67, at 667 (worrying that the
expansion of intellectual property theories is “cannibalizing
speech values at the margin”).

(79) Richards, supra note 10, at 376-77.

(80) Lee Tien, the staff attorney for the Electronic Frontier
Foundation, proposes a statute requiring consent to be obtained before
de-identified data can be released. Natasha Singer, Data Privacy, Put to
the Test, N.Y. TIMES, May 1, 2011, at BU3, available at

(81) The Birth of the Gerrymander, MASS. HIST. SOC. (Sept. 2008),

(2002); Ian Ayres & Eric Talley, Solomonic Bargaining: Dividing a
Legal Entitlement to Facilitate Coasean Trade, 104 YALE LJ. 1027,
1031-32 (1995).

(83) Much of this example is borrowed from Richard Posner. RICHARD
POSNER, ECONOMIC ANALYSIS OF LAW 37-38 (5th ed. 1998).

(84) This example is similar to Richard Posner’s example of
the sexually abusive school teacher. Richard Posner, The Economics of
Privacy, 71 AM. ECON. REV. 405, 406 (1981).

(85) Lizette Alvarez, (Name Here) Is a Liar and a Cheat, N.Y.
TIMES, Feb. 16, 2006, at G1, available at

(86) Even if there were a business model for TrueDater, similar to
the CarFax model, the married man will charge an exorbitant price or
hold out entirely. These problems do not plague businesses like CarFax
that rely on records that are not under the control of the individuals
selling the cars.

(87) KAPLOW & SHAWLL, supra note 82, at 427. Kaplow and Shavell
would object to characterizing these valuation decisions as decisions
driven by concerns for fairness, but the authors struggle, as others had
before them, to final any pure economic rationale for dismissing and
ignoring certain types of idiosyncratic preferences, such as preferences
for sadism. Id. Richard Murphy preferred not to count the utility
derived from deceit in his social utility calculus. Murphy, supra note
46, at 2386. I agree with this impulse, but note that it highlights a
larger problem with utilitarian theories that command the analyst to
make decisions, based on ethics, about what types of pleasure should and
should not count as utility.

(88) Posner, supra note 84, at 406.

(89) Moreover, sometimes property rights are extinguished. Eminent
domain provides relief when hold-outs are judged to be
counter-productive. See Monongahela Nav. Co. v. United States, 148 U.S.
312, 326-27 (1893); see also Sara Rimer, Some Seeing Crimson at
Harvard’s ‘Land Grab,’ N.Y. TIMES, Jun. 17, 1997, at A16,
available at http://

(90) Sipple v. Chronicle Publ’g Co., 201 Cal. Rptr. 665 (Ct.
App. 1984).

(91) Dan Morain, Private Lives, L.A. TIMES, Feb. 13, 1989,
[section] 5, at 1, available at http:/


(93) If not, providing Sipple with an entitlement of any sort (let
alone a property right) would not be economically efficient. Guido
Calabresi & A. Douglas Melamed, Property Rules, Liability Rules, and
Inalienability: One View of the Cathedral, 85 HARV. L. REV. 1089, 1122
(1972). Speculation about the value of personal information also suffers
from the problem of assessment costs.

(94) Thornhill v. Alabama, 310 U.S. 88, 102 (1940).

(95) KAPLOW & SHAVELL, supra note 82, at 410.

(96) Guido Calabresi and Douglas Melamed warn against any analysis
that favors economic efficiency and treats all costs with equal weight
without regard for other considerations such as distributional effects
and social justice. Calabresi & Melamed, supra note 93, at 1122.
Likewise, Kaplow and Shavell encourage models other than equal
distribution when aggregating utility, including Rawlsian models that
might weight the interests of the poor and underprivileged more heavily.
KAPLOW & SHAVELL, supra note 82, at 28-29 & n.27.

(97) Low stakes scenarios lead us to the same result. Suppose viewers were able to exercise a property right and withhold
consent to use their viewing history information for directed
advertising (or for any purpose other than serving the television shows
they would like to watch). In the best case scenario, the
privacy-seekers would absorb the costs of forcing the site to supply a
different business model–either in the form of having to watch more
advertisements or by having to pay to watch the Hulu content. But since
differentiating between viewers and creating different platforms imposes
transaction costs on Hulu, it is more likely that Hulu will keep a
single platform and force all viewers to absorb the additional costs–in
the form of more advertisements, for example–that result from the
privacy-seekers’ withheld information. The property interest
creates a free rider problem.

(98) Eugene Volokh makes the descriptive claim that a restriction
on the flow of personal information would not survive constitutional
scrutiny even if the restriction did maximize aggregate social utility.
Volokh, supra note 23, at 1076. This may well be true, but this Article
asks how information should be regulated. As a practical matter, since
the utility of privacy and speech cannot be measured, one could argue
that First Amendment strict scrutiny (requiring a compelling state need
and tailoring) is a utilitarian test–one that assumes a high value in
speech and looks searchingly for evidence of countervailing factors.

(99) This is the basic welfare economics model. Louis Kaplow &
Steven Shavell, Fairness Versus Welfare, 114 HARV. L. REV. 961, 977
(2001). Paul Ohm, too, uses a utilitarian model and advises regulators
to compare the risks of unfettered information flow to its likely costs
in privacy. Paul Ohm, Broken Promises of Privacy: Responding to the
Surprising Failure of Anonymization, 57 UCLA L. REV. 1701, 1768 (2010).
Note that this model is flexible as to what types of “harm”
are accounted. Thus, it is not necessary to come up with one unifying
theory of what constitutes a privacy harm. I tend to agree with Daniel
Solove that this is a futile task. DANIEL SOLOVE, UNDERSTANDING PRIVACY
ix (2008).

(100) Risk-utility models were originally anticipated by Samuel
Warren and Louis Brandeis, whose groundbreaking article on privacy
cautioned that privacy rights should not interfere with access to
valuable information. Warren & Brandeis, supra note 20, at 214-16.

(101) Compare KAPLOW & SHAVELL, supra note 82, at 85, with
Litman, supra note 10, at 1303, and Richards, supra note 10.

(102) See, e.g., Richards, supra note 10, at 373-74. As Richards
points out, much of this chiseling has been done for good reason in
light of the speech interests implicated by the tort. For a full
discussion, see infra Part IV.

(103) Abril, supra note 46, at 39-40.

(104) Id. at 40.

(105) Id.

(106) George’s behavior is a criminal violation of the federal
Computer Fraud and Abuse Act, 18 U.S.C. [section] 1030 (2006). A
Michigan resident is facing a possible five year sentence for using his
wife’s password to log into her Gmail account, in violation of
Michigan state anti-hacking law. Sara Wilson, Clara Walker: Leon Walker
‘Violated My Privacy,’ HUFFINGTON POST (Jan. 5, 2011, 4:14

(107) Anita Bernstein, How to Make a New Tort: Three Paradoxes, 75
TEX. L. REV. 1539, 1544-47 (1997).

(108) See, e.g., Van Alstyne v. Rochester Tel. Corp., 296 N.Y.S.
726, 730-31 (App. Div. 1937) (imposing liability for the poisoning of
two dogs when telephone company trespassed by leaving small bits of
cable insulation containing lead, which were then consumed by the dogs).

(109) Richards, supra note 13, at 1181-82.

(110) David Rittgers, Wiretap Law Needs Update, BALT. SUN, June 1,
2010, at A13, available at mr-graber; Heidi Reamer
Anderson, The Mythical Right to Obscurity: A Pragmatic Defense of No
Privacy in Public, 7 ISJLP (forthcoming 2012), available at 9374.

(111) See De May v. Roberts, 9 N.W. 146 (Mich. 1881) (presenting
the factual basis of this example); see also Sanchez-Scott v. Alza
Pharmaceuticals, 86 Cal. App. 4th 365 (2001), in which a pharmaceutical
sales representative intruded on a patient’s seclusion when he
observed a breast examination because the patient’s consent to his
presence was predicated on the false assurance that the sales
representative was a doctor.

(112) RESTATEMENT (SECOND) OF TORTS [section] 652B (1977).

(113) Gavison, supra note 25, at 443; Joel R. Reidenberg &
Francoise Gamet-Pol, The Fundamental Role of Privacy and Confidence in
the Network, 30 WAKE FOREST L. REV. 105 (1995) (arguing that privacy on
the internet is necessary in order to promote trust and exploration);
Solove, supra note 32, at 553.

(114) Posner, supra note 84, at 408.

(115) Julie E. Cohen, Examined Lives: Informational Privacy and the
Subject as Object, 52 STAN. L. REV. 1373, 1377 (2000).


(117) Nader v. Gen. Motors Corp., 255 N.E.2d 765, 768 (N.Y. 1970).

(118) Barber v. Time Inc., 159 S.W.2d 291 (Mo. 1942) (imposing
liability and punitive damages on Time Magazine for taking and
publishing a photograph of a patient with a rare physical ailment after
she explicitly denied consent).

(119) 18 U.S.C. [section][section] 2510-2522 (2006).

(120) Id. [section][section] 2710-2712.

(121) Id. [section] 1030.

(122) Like other intentional torts, intrusion aims to penalize
anyone who evades the information market and intentionally observes
without permission. Since the optimal activity level for intentional
torts is zero, we should embrace any enforcement and deterrent that
proves to be cost-effective. See POSNER, supra note 83, at 226-27.

(123) See generally Whitman, supra note 57 (explaining the
difference between the American and European approaches to privacy).

(124) Ryan Linkof elegantly makes this point in a recent op-ed in
the New York Times. Watching the painfully choreographed, and highly
policed, red-carpet arrival of Prince William and Kate Middleton at a
recent Los Angeles polo match reminded me why intrusive journalistic
tactics are often called upon. They exist to break down the barriers of
access that keep social elites at a remove from ordinary people. The
tabloids, throughout history, on both sides of the Atlantic, have been
predicated on chipping away at that division. They play a fundamental
role in democratic cultures, especially in societies characterized by
the pull between the demands of a mass society and the persistence of
social and economic inequality. Ryan Linkof, Op-Ed., Why We Need the
Tabloids, N.Y. TIMES, July 20, 2011, at A27, available at
http://www.nytimes. com/2011/07/20/opinion/201inkof.html?_r=0.

(125) Emily Miller, Op-Ed., John Edwards Indictment a Vindication
for National Enquirer, WASH. TIMES, June 3,

(126) Helton v. United States, 191 F. Supp. 2d 179 (D.D.C. 2002).

(127) DeBlasio v. Pignoli, 918 A.2d 822, 825 (Pa. Commw. Ct. 2007).

(128) Kjerstad v. Ravellette Publ’ns, Inc., 517 N.W.2d 419,
422-23 (S.D. 1994).

(129) Hougum v. Valley Mem’l Homes, 574 N.W.2d 812, 818 (N.D.

(130) In re Marriage of Tigges, 758 N.W.2d 824, 827 (Iowa 2008).

(131) The quiet conversation between the accident victim and the
doctor that came to the scene is afforded seclusion, because the
conversation might have been heard only with the help of microphones.
Shulman v. Group W Prods., Inc., 955 P.2d 469, 491 (Cal. 1998).

(132) The Nader line of reasoning has been followed in other
jurisdictions as well. Kramer v. Downey, 680 S.W.2d 524 (Tex. App. 1984)
(holding that incessant observation by a scorned ex-lover, even though
she stayed on public property to do so, was an intrusion upon seclusion
justifying a jury damages award).

(133) Id.

(134) Nader v. Gen. Motors Corp., 255 N.E.2d 560, 570-71 (N.Y.

(135) Zimmerman v. Wilson, 81 F.2d 847 (3d Cir. 1936); State ex
rel. Clemens v. Witthaus, 228 S.W.2d 4 (Mo. 1950) (en banc); Frey v.
Dixon, 58 A.2d 86 (N.J. Ch. 1948); Bednarik v. Bednarik, 16 A.2d 80
(N.J. Ch. 1940); Brex v. Smith, 146 A. 34 (N.J. Ch. 1929).


(137) 18 U.S.C. [section] 2511(2)(c) (2006).

(138) Anderson, supra note 110.

(139) Id.

(140) See Kelly v. Borough of Carlisle, 622 F.3d 248 (3d Cir.
2010); Pomykacz v. Borough of W. Wildwood, 438 F. Supp. 2d 504, 513 n.14
(D.N.J. 2006) (“An argument can be made that the act of
photographing, in the abstract, is not sufficiently expressive or
communicative and therefore not within the scope of First Amendment
protection–even when the subject of the photography is a public
servant.” (citing Tenafly Eruv Ass’n, Inc. v. Borough of
Tenafly, 309 F.3d 144, 160 (3d Cir. 2002))); C. Thomas Dienes,
Protecting Investigative Journalism, 67 GEO. WASH. L. REV. 1139, 1146
(1999). Perhaps in light of Justice Kennedy’s reasoning in Sorrell
v. IMS, the right to mechanical capture can be tested again. Sorrell v.
IMS Health Inc., 131 S. Ct. 2653, 2667 (2011) (“Facts, after all,
are the beginning point for much of the speech that is most essential to
advance human knowledge and to conduct human affairs. There is thus a
strong argument that prescriber-identifying information is speech for
First Amendment purposes.”).

(141) Dietemann v. Time, Inc., 449 F.2d 245, 249 (9th Cir. 1971)
(internal quotation marks omitted); Shulman v. Group W Prods., Inc., 955
P.2d 469, 495 (Cal. 1998) (internal quotation marks omitted); Shevin v.
Sunbeam Television Corp., 351 So. 2d 723, 727 (Fla. 1977).

(142) Seth Kreimer makes a powerful case for First Amendment
protection of image capture. Seth F. Kreimer, Pervasive Image Capture
and the First Amendment: Memory, Discourse, and the Right to Record, 159
U. PA. L. REV. 335, 337 (2011).

(143) Robin Wilkey, John Pike Memes Go Vital: Pepper-Spraying UC
Davis Cop Becomes Internet Sensation, THE HUFFINGTON POST (Nov. 21,
2011, 8:22 PM),

(144) See Glik v. Cunniffe, 655 F.3d 78, 82 (1st Cir. 2011)
(“Gathering information about government officials in a form that
can readily be disseminated to others serves a cardinal First Amendment
interest in protecting and promoting ‘the free discussion of
governmental affairs.'” (quoting Mills v. Alabama, 384 U.S.
214, 218 (1966))). The U.S. District Court for the Eastern District of
Pennsylvania recognized a First Amendment right to videotape public
officers performing their public duties. Robinson v. Fetterman, 378 F.
Supp. 2d 534, 541 (E.D. Pa. 2005). The Third Circuit declined to follow
Robinson when a recording was made during a traffic stop because these
stops are inherently dangerous for police, and because the recording was
not clearly made for a political or expressive purpose. Kelly v. Borough
of Carlisle, 622 F.3d 248, 262 (3d Cir. 2010); see also Pomykacz v.
Borough of W. Wildwood, 438 F. Supp. 2d 504, 513 n.14 (D.N.J. 2006)
(“[V]ideotaping or photographing the police in the performance of
their duties on public property may be a protected activity.”
(emphasis added) (quoting Gilles v. Davis, 427 F.3d 197, 212 n.14 (3d
Cir. 2005))).

(145) Hamberger v. Eastman, 206 A.2d 239, 242 (N.H. 1964).

(146) Id.

(147) Id.

(148) See, e.g., Video Voyeurism Prevention Act, 18 U.S.C.
[section] 1801 (2006); ALA. CODE [section] 13A-11-32 (2005); FLA. STAT.
ANN. [section] 810.145 (West 2012).

(149) 18 U.S.C. [section] 1801.

(150) The tort of public disclosure of private facts has been used
to effect a limitation at the point of capture when a momentary
accidental nudity was captured without consent. Daily Times Democrat v.
Graham, 162 So. 2d 474 (Ala. 1964). But see McNamara v. Freedom
Newspapers, Inc., 802 S.W.2d 901 (Tex. App. 1991) (finding that the
First Amendment provided immunity to a newspaper that published a
photograph of a high school soccer player whose genitalia were
accidentally exposed). The exposure of nude body parts may be a
necessary (but not sufficient) condition for recovery based on images of
people in sexually compromising positions. See Borton v. Unisys Corp.,
1991 WL 915, *9 (E.D. Pa. 1991) (where a photograph taken while an
employee cupped his hands over another employee’s breast without
consent was not depicting anything sufficiently “private”
because none of the crucial body parts were exposed).

(151) Lyle Rexer, Marriage Under Glass: Intimate Exposures, N.Y.
TIMES, Nov. 19, 2000, at AR1, available at exposures.html?pagewanted=all&src=pm.

(152) The Prosecution of Linda Tripp, Editorial, N.Y. TIMES, Dec.
19, 1999, at WK12, available at

(153) Hotel door data was expected to play a role in the rape
prosecution of Dominique Strauss-Kahn, the Chief of the International
Monetary Fund. Angelique Chrisafis & Ed Pilkington, Hearing is
Likely to Hinge on the Question of Consent, GUARDIAN (LONDON), May 19,
2011, at 23, available at

(154) A. Michael Froomkin, The Death of Privacy?, 52 STAN. L. REV.
1461, 1542 (2000). Froomkin did not believe that existing tort laws,
including intrusion upon seclusion, could be expanded to meet privacy
demands such as closed circuit television monitoring because the tort
traditionally excluded any surveillance or observations performed in
public spaces. Id at 1538-39. He also believed expansion of the tort
into public spaces would directly conflict with the First Amendment, but
the tort is in fact in less tension with the right to free speech and
access to information than the other reforms Froomkin considers.
However, Froomkin and I are in agreement that the creation of records in
the course of a business transaction is immune from tort liability, and
therefore puts limits on the aggressiveness with which the intrusion
tort may defend and define privacy fights.

(155) Id. at 1542.

(156) For a more detailed description of the technology, see In re
DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497, 503-04 (S.D.N.Y.

(157) One military court opinion suggested that people cannot have
a subjective expectation of privacy in data files that they do not know
exist. “The military judge concluded the appellant had no
expectation of privacy in the contents of the computer. We find no abuse
of discretion in his ruling. There is no evidence the appellant was
aware the Internet history files existed, and we are unconvinced the
appellant could entertain a subjective expectation of privacy in them
without such knowledge.” United States v. Larson, 64 M.J. 559, 563
(A.F. Ct. Crim. App. 2006). This poor reasoning is probably an example
of bad facts making bad law. Since the defendant was sanctioned for
soliciting sex from somebody he believed to be a fourteen-year-old (but
was in fact a law enforcement officer), the court was motivated to make
every determination against him.

(158) Matthew Lasar, The Perils of Being Pandora, ARS TECHNICA
(Feb. 15, 2011),

(159) Stefanie Olsen, Nearly Undetectable Tracking Device Raises
Concern, CNET (July 12, 2000, 3:05 PM), For a description of current
cookie-setting practices, see CHRIS JAY HOOFNAGLE ET AL., CAN

(160) The computer user and the website (or its advertising
intermediaries) are “users” under the Electronic
Communications Privacy Act, and the communications recorded by the
cookies are covered communications; thus, accessing the cookies without
consent would be an offense under 18 U.S.C. [section] 2701(a) (2006). In
re DoubleClick, 154 F. Supp. 2d at 507-08.

(161) The Computer Fraud and Abuse Act outlaws the intentional
access of information and causing damage to an end user’s computer.
18 U.S.C. [section] 1030(a) (5) (B), (2) (C) (2006).

(162) Richards, supra note 13, at 1158.

(163) Ohm, supra note 99, at 1762.

(164) In re Pharmatrak, Inc. Privacy Litigation, 329 F.3d 9 (1st
Cir. 2003); Chance v. Avenue A, Inc., 165 F. Supp. 2d 1153 (W.D. Wash.
2001); In re DoubleClick, 154 F. Supp. 2d at 497; Valdez v. Quantcast
Corp., CV10-05484 (Cal. 2010).

(165) Avenue A, 165 F. Supp. 2d at 1160; In re DoubleClick, 154 F.
Supp. 2d at 522.

(166) The Stored Communications Act exempts interceptions that are
authorized “(1) by the person or entity providing a wire or
electronic communications service; [or] (2) by a user of that service
with respect to a communication of or intended for that user.” 18
U.S.C. [section] 2701(c) (1)-(2) (2006). The Wiretap Act states that
“[i]t shall not be unlawful under this chapter for a person not
acting under color of law to intercept a wire, oral, or electronic
communication where such person is a party to the communication or where
one of the parties to the communication has given prior consent to such
interception….” Id. [section] 2511(2)(d); United States v.
Caceres, 440 U.S. 741, 750 (1979) (confirming the Wiretap Act adopts the
one- party consent rule). The Wiretap Act does outlaw interceptions that
are made for a tortious purpose, regardless of whether a party has
consented to the interception, but courts have distinguished between
tortious purposes and tortious means. The interception cannot be the
basis for relief under the “tortious purpose” clause. Sussman
v. Am. Broad. Co., 186 F.3d 1200, 1202-03 (9th Cir. 1999).

(167) Avenue A, 165 F. Supp. 2d at 1161; In re DoubleClick, 154 F.
Supp. 2d at 510, 519.

(168) Avenue A, 165 F. Supp. 2d at 1163.

(169) Greg Sandoval, Suit Alleges Disney, Other Top Sites Spied on
Users, CNET (August 14, 2010, 3:33 PM),; Christopher Sheean
on the Latest Google Class Action, POINT OF LAW (December 8, 2010, 9:41

(170) This is a collapsed version of the Second Restatement
definition of intrusion upon seclusion. The Restatement defines the
tortfeasor as: “[o]ne who intentionally intrudes, physically or
otherwise, upon the solitude or seclusion of another or his private
affairs or concerns, is subject to liability to the other for invasion
of his privacy, if the intrusion would be highly offensive to a
reasonable person.” RESTATEMENT (SECOND) OF TORTS [section] 652B
(1977). Here, the observation event incorporates the intentionality and
the intrusion elements, and the requirement that the observation event
be offensive incorporates both the “offensiveness” element as
well as considering whether the plaintiff had “seclusion” in
the first place.

(171) M. Ryan Calo has stressed the importance of defining privacy
without reference to a human observation. Calo, supra note 22, at 1134
(“Privacy harm can and does occur in the absence of a human

(172) In re Northwest Airlines Privacy Litig., 2004 WL 1278459, at
*5 (D. Minn. 2004) (finding that the plaintiffs’ intrusion claim
failed because “[i]n this instance, Plaintiffs voluntarily provided
their personal information to Northwest’); Dwyer v. Am. Express
Co., 652 N.E.2d 1351, 1354 (Ill. App. 1995) (“By using the American
Express card, a cardholder is voluntarily, and necessarily, giving
information to defendants….”).

(173) Searches within a site, while technically communications
between the computer user and the website, might be treated differently
from other types of communications. These searches might be
distinguished from transactions with the website because they are a
means of orientation only, and not part of the quid pro quo of a

(174) Dissemination and use restrictions are discussed in the next
Part. See infra Part IV. Uses of legitimately observed information that
seem obnoxious, such as price discrimination or employment screens, can
be prohibited through tailored use restrictions.

(175) See supra note 135 for intrusion cases based on unauthorized
access to records.

(176) Cameras installed in a restroom, or used to take up-skirt
photographs, would be another matter. See, e.g., Video Voyeurism
Prevention Act, 18 U.S.C. [section] 1801 (2006); Speer v. Ohio Dept.
Rehab. & Corr., 624 N.E.2d 251 (Ohio Ct. App. 1993).

(177) Aaron Perzanowski, Fixing RAM Copies, 104 NW. U. L. REV.
1067, 1083-84 (2010).

(178) That is, processed without direct identifying information
such as name, address, or full IP address. If the aggregated data is
going to be shared for research purposes it will need to undergo
additional scrubbing to ensure that reidentification of a subject is not
too easy to do. See Ohm, supra note 99, at 1744-48; Jane Yakowitz,
Tragedy ofthe Data Commons, 25 HARV. J. L. & TECH. 1, 3-4 (2011).

(179) Privacy advocates, the advertising industry, and the Federal
Trade Commission are locked in debate over whether an IP address, or the
information contained in a cookie, is “personally identifiable
POLICYMAKERS 18 (2012), available at report.pdf. The New Intrusion
sidesteps this debate because, once a party accesses a cookie in order
to communicate or interact with the end user for a purpose collateral or
in tension with the original purpose for which it was generated, it is
irrelevant that the advertiser does not know the name of the user, or
does not know the user in a meaningful way. This is consistent with the
goals that underlie the intrusion tort; since intrusion protects a
person’s seclusion from observation, it makes no difference whether
a peeping tom actually knows the person he observes. It is the act of
observing that violates the rights of the observed.

(180) Robert Lee Hotz, The Really Smart Phone, WALL ST. J. (Apr.
22, 2011, 7:34 PM), html?KEYWORDS=%22The+Really+Smart+Phone%22
(“[Cellphone] data can reveal subtle symptoms of mental illness,
foretell movements in the Dow Jones Industrial Average, and chart the
spread of political ideas as they move through a community

(181) Thus far, GPS studies have relied on vehicles carrying GPS
logging devices with the intent that the data would be analyzed by the
municipality or city conducting the studies. But the studies are
enormously useful for studying travel time and delays, for assessing the
effects (in traffic time) of construction or route alterations, and for
evaluating whether traffic signals are timed correctly. These types of
studies could become inexpensive and widespread standard practices for
all jurisdictions if researchers are able to access the log data of
commercial GPS providers. See GEOSTATS, TravTime, (last visited Oct. 11, 2012)
(discussing the use of GPS to collect, analyze, and report traffic
data). However, aggregated data is used for law enforcement purposes,
such as to help determine where to establish speed traps. Such use is
often perceived as violating the privacy of the GPS device-users. Tim
Stevens, TomTom User Data Sold to Dutch Police, Used to Determine Ideal
Locations for Speed Traps, ENGADGET (Apr. 27, 2011, 1:53 PM), (discussing how the Dutch police force is using
TomTom navigation devices to determine where speed traps and cameras
should be placed). It is possible that the issue underlying the privacy
concerns is that law enforcement might have the wrong motivation in
establishing speed traps. Data-assisted speed traps might do more to
increase revenues and citation rates than they do to improve traffic
safety. In that case, a person might feel tricked for his or her
unwitting contribution to the dataset that enabled the police to create
the speed trap. There are categories of government data uses that can be
carefully cabined or prohibited altogether through use restrictions, but
the capture of anonymized GPS data is not inherently harmful.

(182) If an entity with access to personal data exhaust wishes to
analyze it in aggregated form (and without any future reference back to
the data subjects), it is sufficient to strip direct identifiers such as
names, IP addresses, contact information, and credit card numbers. If
the entity wishes to share the data for research purposes to third
parties, the data will need to go through additional anonymization
procedures, or must be disseminated only through restricted licensing
agreements. See Yakowitz, supra note 178, at 6-8.

(183) “Further processing of data for historical, statistical
or scientific purposes shall not be considered as incompatible provided
that Member States provide appropriate safeguards.” Council
Directive 95/46, art. 6(1)(b), 1995 O.J. (L 281) 40 (EU). Note, though,
that the required “safeguards” demand that the data pose no
risk of reidentification–a standard that is impossible to meet–and
forces data holders to choose between risking sanction or halting
standard practices. Id. art. 13(2).

(184) “Respect for Context” is defined as so:
“[c]onsumers have a right to expect that organizations will
collect, use, and disclose personal data in ways that are consistent
with the context in which consumers provide the data.” Press
Release, The White House, Office of the Press Sec’y, We Can’t
Wait: Obama Administration Unveils Blueprint for a “Privacy Bill of
Rights” to Protect Consumers Online (Feb. 23, 2012), blueprint_privacy.bill_rights.

(185) Smith v. Maryland, 442 U.S. 735, 744 (1979).

(186) The more lenient warrant requirements adopted in the Stored
Communications Act (SCA) that apply to routing data do not require
probable cause. 18 U.S.C. [section] 2703(d) (2006). If web-tracking data
is “unexposed” and deserving of full Fourth Amendment
protection, the procedural protections of the SCA will not be
constitutionally sufficient.

(187) For a description of visceral notice, see M. Ryan Calo,
Against Notice Skepticism, in Privacy (and Elsewhere), 87 NOTRE DAME L.
REV. 1027, 1034-35 (2012).

(188) I do not wish to speculate about social norms with respect to
behavioral advertising since the empirical evidence is so mixed. Survey
after survey confirms that, considered in isolation, Americans want to
surf the Internet without creating a record of their transactions and
activities. One study reports that ninety-two percent of Americans
believe there should be a law requiring “websites and advertising
companies to delete all stored information about an individual, if
requested to do so.” Joseph Turow et al., Americans Reject Tailored
Advertising and Three Activities That Enable It, 3 (2009),; see also Aleecia M. McDonald &
Lorie F. Cranor, Americans’ Attitudes About Internet Behavioral
Advertising Practices, WPES ’10: PROCEEDINGS OF THE 9TH ANNUAL ACM
WORKSHOP ON PRIVACY IN THE ELECTRONIC SOCIETY 63 (2010), available at However, these studies repeat
a flaw that undermines the credibility of the findings: they do not ask
respondents whether they would prefer an alternative reality where the
same online content contains about twice the amount of (non-targeted)
advertising, or where they pay for content. The handful of studies that
do force survey respondents to state their preferences in the context of
privacy tradeoffs find that a majority of Internet-users prefer free
content with targeted ads over other types of privacy-protecting options
like pay walls or increased quantity of advertising, though some of
these studies too have methodological flaws. KARL W. LENDENMANN,
2-3, 11 (2010), available at
report. Note that the phrasing of the question, and the ordering of the
answer options, are objectionable. The survey does not offer respondents
the option to view the same content with more advertising; the closest
is an option for “somewhat limited online information or less
functional services.” Id.; see also Jacqui Cheng, 53% of Mobile
Users Happy to Hand Over Location Data For Discounts, ARS TECHNICA (Aug.
17, 2011, 1:25 PM),
(“[M]ore than half of all consumers are willing to exchange their
mobile location data for content that is relevant to them at the
moment….”); David Hallerman, Behavioral Targeting Attitudes,
EMARKETER (July 29, 2008), (finding
that fifty-five percent of respondents are “very” or
“somewhat” comfortable with behavioral advertising).

(189) See Litman, supra note 10, at 1311; John H. Mansfield,
Informed Choice in the Law of Torts, 22 LA. L. REV. 17, 31 (1961)
(“Consent is the right term to use when the plaintiff was willing
that a certain event occur, probably some conduct on the part of the
defendant, because he desired an invasion of a normally protected
interest.”). However, in light of the recent Supreme Court holding
in Concepcion, websites might enjoy de facto immunity from intrusion
claims by requiring all visitors to arbitrate their claims individually.
AT&T Mobility LLC v. Concepcion, 131 S. Ct. 1740, 1753 (2011).

(190) Chris Jay Hoofnagle & Jennifer King, What Californians
Understand About Privacy Online (Sept. 3, 2008) (unpublished article),
available at http://papers.ssrn.

(191) Groundwork for these questions has already been laid by
Andrea Matwyshyn. Andrea Matwyshyn, Technoconsen(t)sus, 85 WASH. U. L.
REV. 529, 551-54 (2008).

(192) For example, should job applicants be able to consent to
observed urinalysis drug testing when applying for jobs for which drug
use is not particularly predictive of incompetent or unsafe performance?

(193) Christine Jolls has begun this very inquiry. Christine Jolls,
Rationality and Consent in Privacy Law, (Dec. 10, 2010) (unpublished
article), available at http://www.

(194) For example, the privacy policy for AudienceScience claims
that the site will replace any cookie of a user who opts out of
information-collection with a new cookie instructing the website to stop
collecting information. What actually happens, according to Stanford
researchers, is that AudienceScience keeps a highly unique cookie in
place that tracks the user’s interests, and continues to add
information to this interest cookie. Jonathan Mayer, Tracking the
(July 12, 2011, 12:12 AM), 6694.

(195) In re JetBlue Airways Corp. Privacy Litig., 379 F. Supp. 2d
299, 330 (E.D.N.Y. 2005); Dyer v. Northwest Airlines Corp., 334 F. Supp.
2d 1196, 1200 (D.N.D. 2004).

(196) In the context of trespass, which has a number of theoretical
similarities to intrusion, courts have allowed plaintiffs to recover
punitive damages even though the plaintiff suffered only nominal damage
from the trespassing act. See Feld v. Feld, 783 F. Supp. 2d 76, 78
(D.D.C. 2011).

(197) Alternatively, even nominal damage spread over a large enough
class–such as the class of Californians with DoubleClick cookies on
their computers–would expose web trackers to significant liability.

(198) Citron, supra note 10, at 1809; Danielle Keats Citron,
Law’s Expressive Value in Combating Cyber Gender Harassment, 108
MICH. L. REV. 373, 393 (2009).

(199) Another potential impediment is the recent U.S. Supreme Court
case AT&T Mobility v. Concepcion, 131 S. Ct. 1740 (2011), which held
that class action waivers in standard-form contracts are enforceable.
Id. at 1753. The parameters of that holding are still quite unclear. See
Myrium Gilles & Gary Friedman, After Class: Aggregate Litigation in
the Wake of AT&T Mobility v. Concepcion, 79 U. CHI. L. REV. 623,
639-40 (2012).

(200) A new firm called Evidon is offering the behavioral marketing
industry’s first “assurance platform.” It organizes
industry best practices that would, if followed, receive Evidon’s
trusted seal of approval. Turn Names Evidon Preferred Provider of
Compliance Services, PRWEB (May 4, 2011), 5/prweb8377655.htm.

(201) Mike Butcher, Stupid EU Cookie Law Will Hand the Advantage to
the US, Kill Our Startups Stone Dead, TECHCRUNCH EUROPE (Mar. 9, 2011),
2011/03/09/stupid-eu-cookie-law-will-hand-the-advantage-to-the-us-kill-our-startups-stone-dead/. The European cookie law would require any
website that uses Google Analytics to keep track of the number of
visitors to a website, who would also have to comply with the opt-in
consent requirements. See also discussion supra note 19.

(202) See JEFFREY ROSEN, THE UNWANTED GAZE 120 (2000) (discussing
shame as a basis for harm); DANIEL SOLOVE) THE FUTURE OF REPUTATION
114-17 (2007) (discussing damage to reputation); Lipton, supra note 22,
at 503 (discussing gossip and embarrassment); Murphy, supra note 46, at
2385 (discussing reputation protection with privacy claims).


(204) David Kravets, Mug-Shot Industry Will Dig Up Your Past,
Charge You to Bury It Again, WIRED (Aug. 2, 2011, 1:52 PM), mugshots/.

(205) Sex List Rating Female University Student’s Lovers
Becomes Internet Sensation, MAILONLINE (Oct. 8, 2010, 11:49 PM),
(“[A] student has been left devastated after an elaborate sex list
she created … became an internet sensation.”).

(206) Matt Warman, Online Right “To Be Forgotten”
Confirmed by EU, THE TELEGRAPH (Mar. 17, 2011, 12:53 PM),
33/Online-right-to-be-forgotten-confirmed_by_EU.html (“Under the
new [EU] legislation, users could sue websites for invading their
privacy and would have a right to be entirely “forgotten”

(207) Lipton, supra note 22, at 504; Citron, supra note 10, at

(208) Lipton, supra note 22, at 504.

(209) Citron, supra note 10, at 1808, 1810. Citron’s argument
makes real sense if the Internet allows a large number of
micro-invasions to add up to real, actionable psychic costs. The
question, though, is whether each revelation of embarrassing information
is a small harm, too trivial to be redressable on its own but adding up
to a real psychic harm due to repetition over the Internet (a summation
of epsilons), or whether instead each revelation is not a legal harm at
all (a summation of zeroes).

(210) But see Laura A. Heymann, The Law of Reputation and the
Interest of the Audience, 52 B.C.L. REV. 1341 (2011) (arguing that legal
frameworks for reputational interests must account for the public’s
interest in access to the information).

(211) Bad credit histories are a surprising mainstay among privacy
scholars’ examples of privacy harm. See Citron, supra note 10, at
1814 (coding a client’s decision not to work with somebody in debt
as a “privacy invasion”); Lori Andrews, Facebook Is Using You,
N.Y. TIMES, Feb. 5, 2012, at SR7, available at

(212) See Eric Goldman, The Regulation of Reputational Information,
295-96 (B. Szoka & A. Marcus eds., 2010) (discussing in detail the
value that reputational information adds to consumer trust and
well-functioning markets).

(213) Jonathan Krim, Subway Fracas Escalates Into Test of the
Internet’s Power to Shame, WASH. POST (July 7, 2005),
2005/07/06/AR2005070601953.html; see also DANIEL SOLOVE, THE FUTURE OF
REPUTATION 1-2 (2007).

(214) For strict utilitarians, the disapprobation would be harm. It
would count against Dog Poop Girl’s utility in the overall
calculation of social welfare. But her decrease in utility is easily
overcome by the deterrent effect that shaming and social norms have on
litterers and dog-owners, by the avoidance of the sizable cost that
would be imposed on the subway passengers if they were constrained from
expressing their opinions, and by the justice and satisfaction the
subway passengers would get from retribution. KAPLOW & SHAVELL,
supra note 82, at 12, 18-19.

(215) Privacy scholars have argued that Dog Poop Girl deserves
legal recourse. See Lipton, supra note 22, at 511.

(216) Vosburg v. Putney, 50 N.W. 403 (Wis. 1891). Or, perhaps she
is more similar to the accident victim whose loss of life or limb was
caused by non-negligence. Either way, we traditionally let the chips
fall where they may.

(217) See Heymann, supra note 210 (arguing that access to
reputations helps reduce search costs).

(218) Robert Post raises a similar objection to Jeffrey
Rosen’s claim that Bill Clinton’s sexual exploits ought to
have been kept private. Robert C. Post, Review Essay, Three Concepts of
Privacy, 89 GEO. L.J. 2087, 2089-90 (2001) (reviewing JEFFREY ROSEN, THE

(219) Whitman, supra note 57, at 1169-70 (heralding, however, the
expressive value of dignity-based privacy protections).

(220) See Sheetz v. The Morning Call, Inc., 946 F.2d 202 (3d Cir.
1991). Another example, discussed in Part II, supra, is a police
officer’s use of a state wiretap statute to prevent a citizen from
recording ah interaction the citizen believes to be corrupt or
unethical. Am. Civil Liberties Union of Ill. v. Alvarez, 679 F.3d 583
(7th Cir. 2012).

(221) McCormick v. England, 494 S.E.2d 431, 435 (S.C. Ct. App.
1997) (“Being a fiduciary relationship, mutual trust and confidence
are essential.”). Courts look for a degree of kinship between the
parties, or disparities in age, health, or mental conditions, or
disparities in training and experience in order to determine whether two
people are in a fiduciary relationship. See Pottinger v. Pottinger, 605
N.E.2d 1130, 1137 (Ill. App. Ct. 1992).

(222) Tarasoff v. Regents of Univ. of Cal., 551 P.2d 334, 347 (Cal.
1976) (invoking duty to warn likely victim of psychotherapy patient);
Pate v. Threlkel, 661 So. 2d 278, 282 (Fla. 1995) (invoking duty to warn
patients’ children about genetic conditions).

(223) The tort of confidentiality does not enjoy the recognition
that Prosser’s privacy torts do, and it does not appear in the
Second Restatement. But many jurisdictions recognize and enforce the
duty of confidentiality in contexts ranging from doctors to bankers to
accountants. Neil M. Richards & Daniel J. Solove, Privacy’s
Other Path: Recovering the Law of Confidentiality, 96 GEO. L.J. 123
(2007). I am in agreement with Richards and Solove, and with Susan
Gilles and Danielle Citron as well, that a clearer and more robust tort
of breach of confidentiality could allow the common law to react to
harmful disseminations of personal information. Id.; Citron, supra note
46, at 1848-50; Susan Gilles, Promises Betrayed: Breach of Confidence As
a Remedy for Invasions of Privacy, 43 BUFF. L. REV. 1, 4 (1995). The
tort of public disclosure of private facts occasionally provides
recourse for confidentiality-style harms. The disclosure tort has
imposed responsibility on the police force to hold information about
accident and crime victims in confidence, as well as the information
from cooperative witnesses. See Catsouras v. Dep’t of Cal. Highway
Patrol, 104 Cal. Rptr. 3d 352 (Ct. App. 2010) (providing recovery to a
decedent’s family when a paramedic took pictures at the scene of a
deadly accident and sent the pictures to friends and acquaintances on
Halloween). On the other hand, police are not expected to keep the
confidences of suspects. Wilson v. Freitas, 214 P.3d 1110 (Haw. Ct. App.

(224) Health Insurance Portability and Accountability Act of 1996,
Pub. L. No. 104-191, [section] 1173, 110 Stat. 1936, 2024-26 (codified
as amended in scattered sections of 18, 26, 29, and 42 U.S.C.).

(225) Fair Credit Reporting Act, 15 U.S.C. [section] 1601 (2006).

(226) Family Educational Rights and Privacy Act, 20 U.S.C.
[section] 1232g (2006).

(227) Telecommunications Act of 1996, 47 U.S.C. [section] 222
(2006); Stored Communications Act, 18 U.S.C, [section] 2702 (2006)
(stating that business records may be disclosed to non-government third
parties, but the contents of electronic communications may not).

(228) Gramm-Leach-Bliley Act, 15 U.S.C. [section] 6801.

(229) Children’s Online Privacy Protection Act of 1998, id.
[section] 6502.

(230) See records-based intrusion cases, supra note 135.

(231) Richards, supra note 13, at 1194-1201. Neil Richards and
Daniel Solove suggest that, if the tort of confidentiality were adopted
in the United States to the same extent it is embraced in the United
Kingdom, nearly every relationship could be considered the basis for a
duty of confidentiality–ordinary citizens could be expected to refrain
from divulging information about their friends, and airlines could be
expected to maintain the confidences of their customers. Richards &
Solove, supra note 223, at 176-78. But see Litman, supra note 10, at
1308-09 (proposing the expansion of the breach of confidence tort on the
basis of the first source of harm–distrust). Litman predicted that
without robust confidentiality-style protection for all consumer
transactions, we would “think twice before making embarrassing
purchases or watching certain pay-per-view movies.” Id. at 1308.
Consumer behavior in the twelve years that have elapsed since her
writing this has proven otherwise.

(232) See Lipton, supra note 22, at 510; Lior Jacob Strahilevitz,
Reunifying Privacy Law, 98 CAL. L. REV. 2007, 2007 (2010).

(233) I disagree with scholars who explain the current collection
of statutes as imposing privacy restrictions when some forms of
information are “regarded as more sensitive than others.”
Lipton, supra note 22, at 510. Bartenders, personal trainers, and
friends end up with a lot of special information about the most
sensitive aspects of their customers’ and colleagues’ lives.
It is the nature of the relationship, and not the nature of the
information, that justifies a different treatment for the information
held by doctors and financial advisors.

(234) Peter Kilbridge, The Cost of HIPAA Compliance, 348 N. ENG. J.
MED. 1423, 1424 (2003).

(235) Confidentiality duties might be expanded to cover
relationships of trust in the online space. An online support group, or
a website offering customized medical or legal advice, arguably should
have the same responsibilities that apply in real space.

(236) CAL. PENAL CODE [section] 637.6 (West 2010).

(237) Video Privacy Protection Act of 1988, 18 U.S.C. [section]
2710 (2006).

(238) Michael Dolan, The Bork Tapes Saga, THE AM. PORCH,
http://www.theamerican (last visited Oct. 24, 2012).

(239) Adam Clark Estes, Why Robert Bork (Indirectly) Kept Netflix
Off Facebook, ATLANTIC WIRE (July 26, 2011), facebook/40408 (discussing how the VPAA discouraged
Netflix from launching Facebook integration in the U.S.).

(240) RESTATEMENT (SECOND) OF TORTS [section] 652D (1977).

(241) In most jurisdictions the “publicity” element
requires disclosure to the general public, but in some states disclosure
to an especially important audience will suffice. See Miller v.
Motorola, Inc., 560 N.E.2d 900, 903 (Ill. 1990) (finding that disclosure
to the plaintiff’s work colleagues was sufficient to fulfill the
“publicity” element).

(242) Citron, supra note 10, at 1829.

(243) 729 F. Supp. 376 (D.N.J. 1990). In the case, the
plaintiff’s HIV status was initially disclosed to a police officer,
who then told other people in his department for no health–or public
safety–related reason.

(244) Lior Jacob Strahilevitz has shown that courts’
determinations in disclosure cases tend to track theories of social
networks. If a personal fact is shared with a support group made up of
20 members, the fact is treated as more private than if it is shared
with 20 unconnected friends. Strahilevitz’s social network theory
is quite useful in explaining which contexts might have a modicum of
implied use restriction. See Lior Jacob Strahilevitz, A Social Networks
Theory of Privacy, 72 U. CHI. L. REV. 919 (2005).

(245) Richard Murphy makes the sound argument that overreactions to
AIDS and other phenomena are not necessarily irrational. Overreaction
can occur when the population remains rationally ignorant about a
disease that is difficult to understand and relatively rare. Murphy,
supra note 46, at 2401.

(246) And, because of the first factor, disclosure torts would
avoid imposing liability when the plaintiff puts no effort into keeping
the information private. This reasoning lines up with Judge Frank
Easterbrook’s argument that reasonable restrictions on information
will limit certain types of information that have the effect of
diminishing the overall quality and quantity of publicly available
information. Frank H. Easterbrook, Insider Trading, Secret Agents,
Evidentiary Privileges, and the Production of Information, 1981 SUP. CT.
REV. 309, 313 (1981).

(247) See CAL. HEALTH & SAFETY CODE [section] 120975 (West
2006); Doe v. Se. Pa. Transp. Auth., 72 F.3d 1133, 1140 (3d Cir. 1995);
Doe v. Borough of Barrington, 729 F. Supp. 376, 381 (D.N.J. 1990); Margo
Kaplan, Rethinking HIV-Exposure Crimes, 87 IND. L.J. (forthcoming 2012).

(248) See Sipple v. Chronicle Publ’g Co., 201 Cal. Rptr. 665,
670 (Ct. App. 1984) (finding the disclosure of Sipple’s sexual
orientation was a matter of public concern because the newspaper story
was exploring the possible homophobia of President Ford). Sipple’s
parents disowned him after the national news coverage broke, showing the
high stakes when this sort of information is released.

(249) CAL. HEALTH & SAFETY CODE [section] 120975.

(250) Children’s Hosp. & Res. Ctr. Oakland v.
Workers’ Comp. Appeals Bd., 2010 WL 3936050, at *1 (Cal. Ct. App.
Oct. 8, 2010).

(251) Id. at *2.

(252) Id. at *7.

(253) Klepetko v. Reisman, 839 N.Y.S.2d 101 (App. Div 2007). But
see Yonaty v. Mincolla, 945 N.Y.S.2d 774 (N.Y. App. Div. 2012)
(declining to follow Klepetko).

(254) Ylan Q. Mui, A Deep Dive into Consumers’ Habits:
Unregulated Firms’ Use of Shadowy Tactics can Upend Credit Scores,
WASH. POST, July 17, 2011, at A1.

(July 2008), available at (discussing the
use of utility bills in assessing creditworthiness).

(256) Id. at 12.

(257) Mui, supra note 254.

(258) Perhaps this point is best illustrated if we imagine an
alternative universe where credit lenders were not allowed to access any
credit or consumer data on their applicants. In this case, the creditor
would use existing assets and income in order to determine who got a
loan and who did not. In other words, lower-income applicants would
systematically be denied credit due to lack of collateral. This would
not serve creditors well, either. Because of the noise in their
algorithm, default rates would rise, and interest rates would have to

(259) This phenomenon is completely overlooked by the National
Consumer Law Center, which concluded that utility credit reporting would
adversely affect low-income credit applicants. JOHN HOWAT, FULL UTILITY
CTR. 1 (December 2009), available at 2009.pdf. The report argues that, because fourteen percent of
households in the lowest income quintile missed a payment on their
utility bill (compared to just over two percent for the highest income
quintile), a credit measure that takes utility bills into account will
disproportionately harm the poor. Id. at 5. It is true that utility
data, like all measures of creditworthiness, does not fall uniformly
across income classes. But the consumer organization overlooks the fact
that credit scores will rise for the eighty-six percent of the lowest
quintile who did not miss a payment. The report also concludes that
incorporating utility bills into credit scores will have the effect of
pushing utility bills to the top of the priority list for low-income
households, and as a result these households will reduce their purchases
of necessities like food and medical care. Id. at 4. This claim is not
supported by data in the report, but is an interesting empirical

(260) Utility credit reports, like all reports used to make credit
and hiring decisions, ought to be paired with regulation allowing for
consumers to check for the accuracy of their records, and to challenge
any report believed to contain inaccurate information. The Fair Credit
Reporting Act serves as a model for such a scheme. 15 U.S.C.
[section][section] 1681e(b), 1681i(a)(1) (2006).

(261) EU Data Protection Directive, supra note 26.

(262) Title VII of the Civil Rights Act of 1964, 42 U.S.C.
[section] 2000e (2006).

(263) Occasionally these laws will override pragmatism, as when the
Americans with Disabilities Act requires employers to incur additional
costs by hiring disabled applicants who require ala accommodation, and
whose inclusion in the employer’s health plan may drive up fees. We
do so for expressive and equitable reasons, but such laws require some
forethought and caution, since use regulations of this sort will
localize large costs that might be better spread across society. Id. at
[section][section] 12111-12117.

(264) I include just a smattering of the scholarship here. See
generally RICHARD EPSTEIN, FORBIDDEN GROUNDS (1991) (discussing the
application of the antidiscrimination principle to employment
relationships in the public and private sectors); Kimberle Williams
Crenshaw, Race, Reform, and Retrenchment: Transformation and
Legitimation in Antidiscrimination Law, 101 HARV. L. REV. 1331 (1988)
(arguing that antidiscrimination law, has been fairly successful in
eliminating the symbolic manifestations of racial oppression, but has
not been able to preclude the continued subordination of Blacks); John
J. Donohue, Anti-Discrimination Law, THE NEW PALGRAVE DICTIONARY OF
ECONOMICS (Steven N. Durlauf & Lawrence E. Blume eds., 2d ed. 2008).

(265) The one exception seems to be the topic of genetic privacy,
which inspires privacy and discrimination scholars to synchronize their
efforts. See, e.g., Michael S. Yesley, Protecting Genetic Difference, 13
BERKELEY TECH. L.J. 653, 659-63 (1998) (discussing various states’
laws regarding genetic privacy and genetic discrimination).

(266) George J. Stigler, An Introduction to Privacy in Economics
and Politics, 9 J. LEGAL STUD. 623, 630 (1980).

(267) 15 U.S.C. [section] 1681b(a) (3) (B) (2006).

(268) Id. [section] 1681b(a) (“[A]ny consumer reporting agency
may furnish a consumer report under the following circumstances and no
other.” (emphasis added)).

(269) So-hyun Joo & E. Thomas Garman, The Potential Effects of
Workplace Financial Education Based on the Relationship Between Personal
Financial Wellness and Worker Job Productivity, 2 PERS. FINS. &
WORKER PRODUCTIVITY 163 [pincite] (1998).

(270) See John E. Matejkovic & Margaret E. Matejkovic, Whom to
Hire: Rampant Misrepresentations of Credentials Mandate the Prudent
Employer Make Informed Hiring Decisions, 39 CREIGHTON L. REV. 827,
840-42 (2005); Cathie A. Shattuck, The Tort of Negligent Hiring and the
Use of Selection Devices: The Employee’s Right of Privacy and the
Employer’s Need to Know, 11 INDUS. REL. L.J. 2, 5-8 (1989). See
generally Meredith J. Fried, Note, Helping Employers Help Themselves:
Resolving the Conflict Between the Fair Credit Reporting Act and Title
VII, 69 FORDHAM L. REV. 209 (2000) (discussing employer liability for
sexual harassment and employer obligations under the Fair Credit
Reporting Act).


(272) LESSIG, supra note 35, at 325-34 (2006); Kang & Buchner,
supra note 38, at 251-53; Richards, supra note 13, at 1149, 1221-22.

(273) Jessica Litman argues that the mere fact that most Americans
deplore the collection and selling of personal data is reason enough to
regulate or prohibit the practices, though she does not attempt to
define what, exactly, is so deplorable. Litman, supra note 10, at 1303.
Orin Kerr posits that an unconscious quest to maintain the existing
equilibrium in relative information power explains the outcomes of
Fourth Amendment cases. Orin S. Kerr, An Equilibrium-Adjustment Theory
of the Fourth Amendment, 125 HARV. L. REV. 476, 525-42 (2011).

(274) Daniel Kahneman et al., Anomalies: The Endowment Effect, Loss
Aversion, and Status Quo Bias, 5 J. ECON. PERSP. 193, 197-99 (1991).

(275) LESSIG, supra note 35, at 31-37

(276) NEIL POSTMAN, TECHNOPOLY 3-4 (1992).

trans., 1913).


(279) Id.

(280) Tort and privacy scholars alike have doubted the viability of
tort law to make a significant impact in the information frontier,
especially since tort is regarded as the disfavored branch of common
law, inviting accusations of litigiousness and uncertainty that do not
seem to attach to the doctrines of property and contract. This is what
Anita Bernstein calls the “tort paradox.” Bernstein, supra
note 107, at 1547-52.

(281) Sorrell v. IMS Health Inc., 131 S. Ct. 2653, 2672 (2011).

Jane Yakowitz Bambauer, Associate Professor of Law, University of
Arizona James E. Rogers College of Law. B.S., Yale College; J.D., Yale
Law School. The author is grateful for the top notch research assistance
of John Randall, John Teufel, and Drew Rausa, and for invaluable
feedback from Derek Bambaner, Paul Schwartz, Neil Richards, Peter Swire,
George Priest, Christine Jolls, James Grimmelmann, Eric Goldman, Brian
Lee, Margo Kaplan, Rebecca Kysar, Jim Park, Sarah Light, Alan Trammell,
Cynthia Godsoe, Mark Noferi, Gregg Macey, Miriam Baer, Irina Manta,
Robin Effron, Kathie Barnes, Chris Robertson, Marc Miller, Ellie
Bublick, Simone Sepe, David Gantz, Bill Sjostrom, Michelle Boardman,
Joshua Wright, Tun-Jen Chiang, Bruce Kobayashi, Christopher Newman, Ilya
Somin, Jeffrey Parker, Heidi Anderson, Berin Szoka, Mark Noferi, and
Annie Decker. This Article was generously supported by the Brooklyn Law
School Dean’s Summer Research Stipend Program.