Until recently, “privacy” jurisprudence was limited to a manageable number of discrete topics. In the civil context, “privacy law” referred to the four common law privacy torts: intrusion on seclusion, public disclosure of private facts, false light publicity, and misappropriation of publicity rights. In the criminal context, privacy law referred to the “reasonable expectation of privacy” standard that constrains the government’s search powers under the Fourth Amendment or to the infamous First Amendment “penumbra” of privacy first recognized in Griswold v. Connecticut. In each of these contexts (except misappropriation of publicity rights), the legal analysis turns on the expectations or reactions of a hypothetical “reasonable person” — in the tort context, whether a reasonable person would be offended; in the Constitutional context, whether a reasonable person would have an expectation of privacy in the circumstances at hand. Indeed, the reasonable person standard is so pervasive in pre-Internet privacy jurisprudence that its extirpation would leave the entire area of law largely devoid of a conceptual framework.
Consumers are likely to throw up their hands in confusion, much as they do now. As the Internet of Things becomes a reality —with all of those smart appliances and devices gathering consumer data and transmitting it over the Internet — it seems wildly unlikely that consumers will have either the time or the inclination to parse the scores of privacy disclosures they are likely to encounter on a given day. The burden of reading and understanding the disclosures from all smart devices one encounters in a day would be so overwhelming as to leave no time for anything else.
Because I view the framework advanced by the administration as ultimately unworkable (more on this in future columns), I anticipate that at some point in the future the pendulum will swing back, and the reasonable person will again set the standard for acceptable data practices.