This is part 2 of a series on the Constitution's role in informational privacy. There will be endnotes.
The General Data Protection Regulation is designed to support the individual’s interest in informational privacy, which the EU recognizes as a fundamental right. Under that law, the collection, use and transfer of personal information are prohibited unless done with the consent of the individual. It has a de minimis legitimating role for social or business purposes, but generally, if the individual revokes consent, processing of information must stop and often the information itself must be deleted.
The US works from a different paradigm. We certainly value privacy as necessary and valuable to ensure both personal dignity and a free and functioning society. But we focus privacy laws on the prevention and remediation of harm, not on consent. United States privacy law grew out of the common-law privacy torts: defamation, intrusion on seclusion, disclosure of private facts, false light and the right of publicity. Thus, for example, the tort of disclo ...
When the Equifax data breach occurred, 240,000 Vermonters received notice that their information had been compromised. Equifax’s initial response—which among other things required people to waive their legal rights—did not inspire great confidence in the public. And legislators were justifiably angry.
But people make mistakes when they’re angry, and when the First Amendment is involved, those mistakes can be expensive. Not so long ago, the legislature was convinced that it could regulate information in the same way as “beef jerky.” Both liberal and conservative justices of the Supreme Court told them they were wrong. As a result, Vermont spent $4 million and was forced to pay approximately $2.22 million in attorneys’ fees.
History is about to repeat itself.
The Vermont Senate is now considering legislation that requires provocatively named “data brokers” to register with the state and co ...