Skip to content

The New Privacy Law

Ari Ezra Waldman

Vol. 55

August 2021

Page 19

We are in a second wave of privacy law. The first wave was characterized by privacy policies, self-regulation, and notice and choice. But in the last three years, eleven proposals for comprehensive privacy legislation have been introduced in the United States Congress and forty have been introduced in the states. From the perspective of practice, almost all of these proposals are roughly the same: They guarantee individual rights to data and rely on internal corporate compliance for ongoing monitoring. This second wave of privacy law is undoubtedly different from the first, but how? This essay provides a taxonomy to understand changes in U.S. privacy law, distinguishing between two “waves” along three metrics: their practices, theories of governance, and underlying ideologies. A first wave was characterized by privacy policies, self-regulation, and limited regulatory enforcement. Its practices were focused on notice, its governance was self-regulatory, and its ideology was laissez faire. A second wave almost uniformly relies on rights and internal corporate compliance structures to manage data collection, processing, and use. Its practices are focused on compliance, its governance is managerial, and its underlying ideology is neoliberal. This taxonomy offers privacy law scholars a new way to understand and critique the current state of the field. The essay concludes with four research questions for scholars to pursue. View Full Article

© Regents of the University of California. All rights reserved.