How to frame privacy penalties to protect our personal information is an important question as demands for legislation and proposals proliferate. The predominant assumption in calls for a comprehensive consumer privacy regime is that regulation and penalties arm the consumer David against Goliath businesses. Missing in the focus on powerful companies is attention to the potential harms of expanding privacy penalties for small-fry individuals and entities, especially from disfavored or marginalized groups. This Article is the first to illuminate the regressive risks of privacy penalties, showing how broad privacy penalties can become tools for harassment of small businesses and individuals with limited resources to defend.

Drawing on original research collecting and coding 571 privacy penalty decisions from 20 nations under the world’s toughest privacy rights and penalties regime, the European Union’s General Data Privacy Regulation (“GDPR”), this Article offers cautionary lessons. Illuminating a shadow jurisprudence of small targets, the Article shows how overly broad, amorphously worded privacy penalty provisions can be used to target disfavored groups and create weapons for the disgruntled, such as punishing people who record the police or in disputes between neighbors.