Neil Chilson

First Page


Last Page


Document Type



Legislators, advocates, and business interests are proposing federal privacy legislation with new urgency. The United States has a long-established federal framework for addressing commercial privacy concerns, including general consumer protection law and sector-specific legislation. But the calls to expand or replace this approach have grown louder since Europe’s General Data Protection Regulation went into effect and since California adopted detailed and prescriptive privacy legislation. Should we create a U.S. federal privacy law, and if so, how? When considering any kind of privacy regulation, three concepts are fundamental. First, no one can control all information about them. Second, all privacy laws are government-enforced constraints on how one party can use information about another party. Third, over-restricting the use of information about individuals can harm individuals by limiting beneficial innovation. This Article defines privacy as the combined effect of two different types of constraints on information: perception and use. When perception constraints are weakened, privacy debates ensue about how to restore privacy, presumably by replacing those weakening perception constraints with use constraints. Different kinds of constraints can be used to protect online privacy, including technology, social norms, private agreements, common law, and legislation. Six principles can guide policymakers in choosing among these constraints. These principles are to: maximize permissionlessness, avoid data ownership metaphors, distinguish between privacy and data security, focus on uses that injure consumers, clarify FTC authority, and avoid giving the FTC broad rulemaking authority. In short, we should prefer case-by-case enforcement frameworks where company practices are judged based on consumer outcomes. Such frameworks serve consumers better than do detailed legislation and prescriptive mandatory privacy practices. Outcome-based case-by-case enforcement approaches better resolve real consumer injuries, while maintaining the information flows that ultimately benefit consumers and preserving the permissionless environment that has made the U.S. a leader in online innovation.