Stanford Law Review
U.S. privacy law is under attack. Scholars and advocates criticize it as weak, incomplete, and confusing, and argue that it fails to empower individuals to control the use of their personal information. These critiques present a largely accurate description of the law “on the books.” But the debate has strangely ignored privacy “on the ground”—since 1994, no one has conducted a sustained inquiry into how corporations actually manage privacy, and what motivates them.
This Article presents findings from the first study of corporate privacy management in fifteen years, involving qualitative interviews with chief privacy officers identified by their peers as industry leaders. Spurred by these findings, we present a descriptive account of privacy “on the ground” that upends the terms of the prevailing policy debate. This alternative account identifies elements neglected by the traditional story—the emergence of the Federal Trade Commission as a privacy regulator, the increasing influence of privacy advocates, market and media pressures for privacy protection, and the rise of privacy professionals—and traces the ways in which these players supplemented a privacy debate largely focused on processes (such as notice and consent mechanisms) with a growing emphasis on substance: preventing violations of consumers’ expectations of privacy.