U.S. privacy law is under attack. Scholars and advocates criticize it as weak, incomplete, and confusing, and argue that it fails to empower individuals to control the use of their personal information. These critiques present a largely accurate description of the law “on the books.” But the debate has strangely ignored privacy “on the ground”—since 1994, no one has conducted a sustained inquiry into how corporations actually manage privacy, and what motivates them.
This Article presents findings from the first study of corporate privacy management in fifteen years, involving qualitative interviews with chief privacy officers identified by their peers as industry leaders. Spurred by these findings, we present a descriptive account of privacy “on the ground” that upends the terms of the prevailing policy debate. This alternative account identifies elements neglected by the traditional story—the emergence of the Federal Trade Commission as a privacy regulator, the increasing influence of privacy advocates, market and media pressures for privacy protection, and the rise of privacy professionals—and traces the ways in which these players supplemented a privacy debate largely focused on processes (such as notice and consent mechanisms) with a growing emphasis on substance: preventing violations of consumers’ expectations of privacy.
This “grounded” account should inform privacy reforms. While widespread efforts to expand consent mechanisms to empower individuals to control their personal information may offer some promise, those efforts should not proceed in a way that eclipses robust substantive definitions of privacy and the processes and protections they are beginning to produce, or that constrains the regulatory flexibility that permits their evolution. This would destroy important tools for limiting corporate overreaching, curbing consumer manipulation, and protecting shared expectations about the personal sphere on the Internet and in the marketplace.