Privacy by design is about making privacy part of the conception and development of new data collection tools. But how should we interpret “privacy by design” as a legal mandate? As it transitions from an academic buzzword into binding law, privacy by design will, for the first time, impose real responsibilities on real people to do specific things at specific times. And yet, there remains significant disagreement about what privacy by design actually means in practice: we have yet to define its who, what, when, why, and how. Different approaches to privacy by design have tried to answer those questions in different ways, but they have done so by making unfounded assumptions and without clear eyes toward practical implementation and enforcement. This makes it difficult, if not impossible, for technology companies to know how to comply or for consumers to set their expectations. Nor do we have any doctrinal guides for judges and regulators to use to answer new privacy by design questions as they come up. Privacy by design is unmoored and unclear. This Article fills that void. More specifically, this Article offers a new paradigm, based on the law of products liability for design defects, for thinking about privacy by design as a law. This Article shows how privacy by design and products liability arose in similar socioeconomic contexts to answer similar questions and to achieve similar goals. It makes sense, then, to look to products liability to explain the proactive obligations of technology companies to design technology products with privacy and the needs of consumers in mind.
Waldman, Ari Ezra, "Privacy's Law of Design" (2019). Articles & Chapters. 1316.