Technology: The demise of the reasonable person

Many recent governmental frameworks emphasize transparency and consumer control, rather than reasonable expectations

Until recently, “privacy” jurisprudence was limited to a manageable number of discrete topics. In the civil context, “privacy law” referred to the four common law privacy torts: intrusion on seclusion, public disclosure of private facts, false light publicity, and misappropriation of publicity rights. In the criminal context, privacy law referred to the “reasonable expectation of privacy” standard that constrains the government’s search powers under the Fourth Amendment or to the infamous First Amendment “penumbra” of privacy first recognized in Griswold v. Connecticut. In each of these contexts (except misappropriation of publicity rights), the legal analysis turns on the expectations or reactions of a hypothetical “reasonable person” — in the tort context, whether a reasonable person would be offended; in the Constitutional context, whether a reasonable person would have an expectation of privacy in the circumstances at hand. Indeed, the reasonable person standard is so pervasive in pre-Internet privacy jurisprudence that its extirpation would leave the entire area of law largely devoid of a conceptual framework.

In recent years, as “privacy law” has come to refer primarily to the set of laws and regulations governing the collection and use of consumer data, the reasonable person has been marginalized and explicit consent has become the expected norm. The Obama Administration’s 2012 framework for privacy policy, Consumer Data Privacy in a Networked World (the Framework), reflects this evolution; its seven-point “Consumer Privacy Bill of Rights” emphasizes transparency and consumer control, rather than reasonable expectations. As a practical matter, this approach removes the limits that the “reasonable person standard” would otherwise apply — the question is no longer whether a practice is consistent with our societal values and expectations, but whether it was disclosed in the fine print. Similarly, by focusing on data collected from consumers rather than information about consumers, the framework avoids a broader discussion of the implications of the exponentially increasing flood of consumer data being gathered and stored. More recently, the National Institute of Standards and Technology (NIST) publication “Security and Privacy Controls for Federal Information Systems and Organizations,” also known as NIST Special Publication 800-53, includes a detailed appendix dedicated to privacy controls — none of which mentions consumer expectations (other than those created by the recommended disclosures).

Contributing Author

author image

Kit Winter

Kit Winter is a member at law firm Dykema Gossett in Los Angeles and focuses on internet, intellectual property and business litigation. He can be...

Bio and more articles

Join the Conversation

Advertisement. Closing in 15 seconds.