Surveillance & Privacy

A Broader Look at Privacy Remedies

Jim Dempsey, Chris Jay Hoofnagle, Ira Rubinstein, Katherine J. Strandburg
Wednesday, April 7, 2021, 2:29 PM

In a paper we are making public today, we go beyond private right of action and preemption to consider enforcement frameworks outside the privacy field.

FTC Acting Chairwoman Rebecca Kelly Slaughter speaks at the State of the Net conference in 2019. (Internet Education Foundation; CC BY-NC-SA 2.0)

Published by The Lawfare Institute
in Cooperation With

Divisions over private right of action and federal preemption have long gridlocked efforts to enact federal consumer privacy legislation. Cameron Kerry and John Morris have outlined nuanced proposals for resolving both issues here on Lawfare (private right of action and preemption) and in their longer Brookings Institution report with Caitlin Chin and Nicol Turner Lee.

But fine-tuning these contested issues may not be enough to break the gridlock or to produce a competent system for enforcing any federal consumer privacy law. In a paper we are making public today, we go beyond private right of action and preemption to consider enforcement frameworks outside the privacy field. The paper is based on workshops we convened in late 2020 with experts from financial services regulation, environmental law, labor law, intellectual property and other fields. We find that, to a remarkable degree, the realization of public policy goals often depends on enforcement mechanisms and remedies that have not yet received much attention in the privacy debate. These tools applied in other arenas may offer ideas for assembling an effective web of enforcement for a federal privacy law.

In the U.S., the dominant model of federal regulation is based on supervision, not on investigation and complaint. Under the supervision model, government overseers have routine access to information about the activities of regulated entities, and those monitors can take a variety of actions short of investigation, complaint and litigation that change practices of a business.

Most large federal regulators have authority for some combination of both supervision and investigations but, for many large agencies, supervision is the primary form of enforcement. The Federal Trade Commission, the likely locus of privacy enforcement powers under any new federal law, is an outlier in this regard. The agency was designed to rely primarily on investigations led by lawyers. Over time, the FTC has developed more supervision-like activities, and many major tech companies are already under supervision for past privacy or data security failings. But so far, the FTC’s use of its supervision powers generally comes only after investigation and complaint. Also, where the FTC does put companies under ongoing supervision, there are concerns that the third-party assessments the agency relies on to track compliance are not rigorous. One path to effective privacy enforcement may be to shift FTC emphasis to supervision.

In our paper, we rely heavily on the research of Boston University law professor Rory Van Loo. Among his many insights: The supervision model may be well matched with the rise of privacy compliance departments inside corporations. Also, most federal monitoring agencies have at their disposal a graduated continuum of enforcement options, and at many agencies, the options most frequently exercised are those outside the court system. Federal regulators can recall toys and automobiles. Monitors at the Federal Energy Regulatory Commission can issue public noncompliance notices. The Food and Drug Administration’s inspections group issues thousands of warning letters every year. Compliance varies across time and agencies, but there are indications that companies in diverse industries cooperate when informally advised to take a course of action. A similar mix of enforcement options may work well in the privacy context.

Our paper also draws on lessons from environmental law, relying on the work of Ohio State University law professor Dennis Hirsch. Environmental law has adopted innovative ways of dealing with small, collective and intangible harms. As a baseline, there are statutory requirements, such as emission limits, that the government enforces. By focusing on whether a regulated company exceeded an objective standard, the government does not have to demonstrate the causality and harm required of traditional tort plaintiffs. Another interesting approach in environmental statutes is the concept of natural resource damages to account for degradation of common resources. This allows for the measurement of collective and intangible harms, something that would be an important feature in the privacy context because many privacy interferences have subtle but population-wide effects.

Another powerful enforcement innovation in environmental law is the citizen suit, found in almost every federal environmental protection law. These provisions authorize any affected individual to sue any person (including any government agency) alleged to be in violation of a standard or to sue the Environmental Protection Agency itself for failure to perform any duty that is not discretionary. Typically in these proceedings, attorneys' fees can be awarded to successful plaintiffs.

Many regulatory systems also rely on private-sector enforcers, such as certification bodies, self-regulatory organizations, accountants, lawyers and other “gatekeepers.” In recent years, the use of gatekeepers has expanded across many sectors and has also changed, in that large corporations have themselves been enlisted as gatekeepers, regulating the conduct of their third-party service providers. As Van Loo has written, “[P]olicymakers have begun relying on third-party enforcement by the real gatekeepers of the economy: the firms who control access to core product markets.” Already we see the power of gatekeepers in the privacy context, as browser makers require express, just-in-time consent for disclosure of location information and Apple moves to bar from its store apps that do not comply with its tracking transparency rules. Policymakers may want to look for ways to further leverage the power of browsers, operating systems and other technical intermediaries.

We discuss much more in our paper, including the emergence of injunctive-only relief (plus attorneys’ fees) in a few recent privacy and data security cases.

Finally, two overarching points emerge from our research: Remedies provided for in statutes should be tied to policy goals, and a regime pursuing even a single clearly defined goal may require multiple enforcement mechanisms. In many realms, policy enforcement is not just about compensating individuals for the harms they have suffered but also aims for deterrence. Considering remedies through a deterrence theory framework reveals just how complex and interdependent the necessary remedies might be. Before developing a system of remedies, therefore, policymakers should define their goals. In the privacy field, it is not at all clear that has been done yet.

Jim Dempsey is a lecturer at the UC Berkeley Law School and a senior policy advisor at the Stanford Program on Geopolitics, Technology and Governance. From 2012-2017, he served as a member of the Privacy and Civil Liberties Oversight Board. He is the co-author of Cybersecurity Law Fundamentals (IAPP, 2024).
Chris Jay Hoofnagle is Professor of Law in Residence at the University of California, Berkeley, School of Law, where he teaches cybersecurity, programming for lawyers, and torts. He is affiliated faculty with the Simons Institute for the Theory of Computing, an adjunct professor in the School of Information, and a faculty director of the Berkeley Center for Law & Technology. Hoofnagle’s new book, "Law and Policy for the Quantum Age" (with Simson Garfinkel) is forthcoming 2021 from Cambridge University Press, which also published his first book, "Federal Trade Commission Privacy Law and Policy" (2016). He is an elected member of the American Law Institute. Hoofnagle is of counsel to Gunderson Dettmer LLP, and serves on boards for Constella Intelligence and Palantir Technologies.
Ira Rubinstein is a Senior Fellow at the Information Law Institute. His research interests include Internet privacy, electronic surveillance law, big data, voters' privacy, EU data protection law, and privacy engineering. Rubinstein lectures and publishes widely on issues of privacy and security and has testified before Congress on these topics on several occasions.
Alfred Engelberg Professor of Law Katherine J. Strandburg directs NYU’s Information Law Institute and interdisciplinary Privacy Research Group and is a faculty director of the Engelberg Center on Innovation Law and Policy. She researches and teaches in the areas of information privacy, automated decisionmaking, patents and innovation policy. Before obtaining her JD (Univ. of Chicago, 1995), she was a computational physicist at Argonne National Laboratory’s Materials Science Division (PhD, Cornell, Postdoc, Carnegie Mellon).
