PAPERS WE’RE READING: Privacy Law’s False Promise 

The rise in cybercrime has generated many questions about privacy and security as it relates to personal information. Regarding privacy, many consumers wonder how businesses utilize their private information and the legal regulations behind the corporate use of the data. In response, corporations claim that privacy law –the seemingly governing force that should regulate what a corporation does with their client’s information—has never been stronger. 

Although companies tout their emphasis on the consumer’s privacy, few people truly understand what that means as it relates to their private information. 

In a research paper published in the Washington University Law Review, Ari Ezra Waldman examines the scope of privacy law for businesses and corporations. In his piece, Ezra questions why companies extract large amounts of information from their consumers while still maintaining that privacy law standards are more substantial than in the past. Waldman concludes that corporations prioritize mere symbols of privacy law compliance over comprehensive consumer protection despite an increase in privacy laws.

Waldman argues privacy law is undergoing a process of legal endogeneity, which he describes as mere symbols of compliance that stand in the way of fundamental privacy protections. Legal endogeneity is a process whereby privacy compliance professionals dictate privacy law into an unaccountable structure that benefits the company and leaves the consumer exposed. As a result, the process by which privacy laws are enforced and the law itself is transformed into corporate compliance structures that provide little to no protection to the consumer. 

“When given the opportunity, compliance professionals often frame the law in accordance with managerial values like operational efficiency and reducing corporate risk rather than the substantive goals the law is meant to achieve, like consumer protection or equality. This opens the door for companies to create structures, policies, and protocols that comply with the law in name only,” writes Waldman.

Part one of the article looks at the nature of privacy law and how a company’s privacy compliance legal team can frame the law to benefit the company exclusively. Waldman breaks down what he refers to as the ‘social practice of law’ and explores the various actors who design and implement privacy law. There are lawyers, engineers, CPOs, and other social groups that work to apply general privacy law to benefit the specific company signing their paychecks.

In part two, Waldman highlights legal endogeneity and how companies hide behind the veneer of privacy laws. After gathering primary research, this section demonstrates how various groups create symbolic structures of privacy compliance for a company and leave consumers vulnerable. On the front end, consumers believe their information is secure. Unfortunately, by pulling apart the reasoning and methods of privacy compliance within a company, it is clear that privacy is merely an illusion.

Finally, part three addresses the consequences and dangers of legal endogeneity concerning privacy law. Waldman notes that the holes in privacy law are the fault of companies utilizing the law and the law itself. He concludes that substantive privacy law requires a shift from procedural rules that legitimize data extraction to regulations that protect individuals and the community from the harms of informational capitalism. 

Waldman agrees that public trust is essential if a company wants to succeed and grow its business. However, the consumer needs to recognize the ambiguity of privacy law behind the scenes. Privacy professionals have leeway to translate the law’s requirements for their employers in a way that makes it easy for companies to technically comply with the law without harming their bottom line and without changing any data extractive practice. Compliance professionals create structures, services, and technologies to comply with the version of the law they wish to emphasize. 

The article concludes that privacy law is at risk, and consumers need to be aware that a company’s simple compliance with privacy law does not mean their information is safe. 

“Systems that have the veneer of legality—paper trails, assessment, and audits, internal and external policies, to name a few—take the place of actual adherence to the law. And when these merely symbolic structures proliferate, they undermine the substantive power of the law and shift the discourse of power, all to the detriment of consumer privacy,” writes Waldman. 


Ari Ezra Waldman is a Professor of Law and Computer Science at Northeastern University and is a leading authority on law and technology. He directs the School of Law’s Center for Law, Information, and Creativity. Professor Waldman studies asymmetrical power relations created and entrenched by law and technology, focusing on privacy, online harassment, free speech, and the LGBTQ community. 


Emma Nitzsche
+ posts


Share on facebook
Share on twitter
Share on linkedin
Share on email

Subscribe to get the latest consumer news

More consumer News