As more U.S. states have begun to pass consumer privacy laws, there are growing calls for federal data privacy regulation to ease the burden of compliance with various, sometimes conflicting, state laws. However, scholars and lawmakers are divided on how best to balance robust privacy protections with privacy laws with which businesses can realistically comply. Two prominent regulatory models have emerged from scholarly debate. The Rights/Obligations Model grants consumers various rights and imposes obligations on businesses. This model has been trending in U.S. states, which have mirrored language from the European Union’s General Data Protection Regulation (GDPR) by imposing different obligations on “data controllers” and “data processors.” However, there are shortcomings to this model that limit consumer rights and consumers’ ability to vindicate those rights. The Fiduciary Model has also received attention from lawmakers and scholars as an alternative model of regulation. The Fiduciary Model addresses gaps in the Rights/Obligations Model, but prominent critics have voiced skepticism about the workability of the Fiduciary Model. This paper’s contributions are threefold. First, this paper examines the distinction between “data controllers” and “data processors” in the GDPR and whether those terms are likely to apply in a functionally similar way in new U.S. state consumer privacy laws. As companies strategize about how to comply with laws from a multitude of jurisdictions—and as states incorporate identical language into their own laws—understanding the similarities and differences between how such laws are applied will be crucial. Second, this paper furthers the debate about the workability of the Fiduciary Model by proposing that “data controllers,” as defined in the GDPR and U.S. state laws, should be considered “data fiduciaries.” This definition offers two benefits: (1) defining data fiduciaries as data controllers provides a workable definition that corresponds with fiduciary theory, and (2) it harmonizes U.S. and GDPR law. Finally, this paper will argue that companies subject to state consumer privacy laws should be considered “data controllers” by default and bear the burden of rebutting this presumption. This presumption reinforces the substantive policy behind consumer privacy law, accounts for the probability that parties violating consumer privacy laws will most likely be data controllers, and allocates the burden to the party with superior access to the evidence.
Noelle Wilson & Amanda Reid, Data Controllers as Data Fiduciaries: Theory, Definitions & Burdens of Proof, U. Colo. L. Rev.
Available at: https://scholar.law.colorado.edu/lawreview/vol95/iss1/4