Research and Advances
Computing Applications

Personalization and Privacy

Does personalization jeopardize our privacy? If so, what should the law do about it?
  1. Introduction
  2. Contracts as Tools for Protecting Information Privacy
  3. Proposed Expansions of Information Privacy Law and the Freedom of Speech
  4. Conclusion
  5. Author
  6. Footnotes

People are constantly learning information about us. They see what we do, what we buy, what we look at, and the like. If they know who we are, and if they have enough financial incentive, they can record this information under our name. If we engage in computerized transactions with them, such recording becomes very easy, as does combining this information with still other information tied to our names. If the transactions are personalized—if we voluntarily turn over information about ourselves that facilitates our business arrangement—then they will have even more information to record. And once they’ve recorded this information, they can easily communicate it to others (usually for money).

Many people don’t like to have others learn information about them. Ironically, those same people are usually quite happy to learn information about others, and sometimes resent it when legal barriers block them from learning such information. Nonetheless, when it comes to information about us, many believe we should have (in the words of various privacy advocates) a legal "right to control information about ourselves."

Do we currently have such a legal right to control the flow of information about ourselves by stopping others from speaking about us? The answer, as is typical in law, is "sometimes."1

First, the one thing that’s not helpful here is to talk in general terms about our right to privacy. The law does recognize certain things that one might call "a right to privacy." The Supreme Court has interpreted the Bill of Rights as securing a right to privacy that limits the government’s power to interfere with certain personal decisions related to family life, like contraception, abortion, or childrearing. Calling this "a right to privacy" is probably a misnomer, but more importantly this right has little to do with any right to informational privacy.

Second, the law protects our physical privacy in a variety of ways. The Fourth Amendment limits the government’s power to search us, our homes, and our papers. Trespass law imposes even broader limits on the power of private parties to break into our homes and rifle through our papers. Some other laws, for instance the so-called "intrusion upon seclusion" tort, further protect us from unwanted spying, for instance barring people from looking into our homes with high-powered cameras. Computer trespass laws generally bar people from accessing our computers without our authorization.

All these may properly be called "privacy rules" (in fact, the intrusion tort is often called an "invasion of privacy" tort), but they only limit others’ ability to learn things about us by accessing our property. They do not limit others’ ability to communicate things they have lawfully learned about us.

Third, the Supreme Court has suggested the Bill of Rights may stop the government from revealing certain potentially embarrassing information that it might have about us, such as our medical histories. This is closer to a right to information privacy, but it is limited in a critical way: Like virtually all other constitutional rights, it applies only to the government’s actions. The Constitution says little about what private persons or businesses may or may not do; recall that the Bill of Rights starts with "Congress shall make no law . . ." and the Fourteenth Amendment, which applies most of the Bill of Rights to state and local governments, starts with "No state shall." Whatever rights we might have against our business partners, none of these rights flow from the federal Constitution.

Fourth, Congress has specifically enacted some laws that bar the government from revealing certain information about people: The Privacy Act, for instance, applies to a variety of federal agencies, special laws constrain the census department and the IRS, and the Driver’s Privacy Protection Act generally bars state governments from revealing driver’s license information. Many states have also enacted similar laws that apply to their own state and local government agencies. But again, these laws, while they are important tools for stopping the government from compromising our information privacy, say nothing about what private parties can do.

Fifth, a few laws genuinely do aim to stop certain private parties from disclosing certain information about people. Federal laws bar cable companies and video stores from disclosing information about their customers’ viewing habits. State professional licensing laws bar lawyers, doctors, and other professionals from revealing certain confidential information learned from the relationship. And more controversially, the so-called "disclosure of private facts" tort bars anyone—including newspapers—from publicizing highly embarrassing and supposedly unnewsworthy information about anyone else. (This tort is also sometimes called an "invasion of privacy" tort.) However, all these laws apply to only a narrow range of revelations; none of them stop a business (either an e-business or a brick-and-mortar business) from revealing which kinds of food, shoes, or books you bought from it.

Back to Top

Contracts as Tools for Protecting Information Privacy

So we see that people’s search for legal protection of their information privacy cannot rely on some currently existing broad right to privacy. U.S. law simply does not recognize such a thing. On the other hand, information privacy does get considerable protection from a source that to some is unexpected—the law of contract.

Contracts are tools for you and your business partners to make your own law for your own transactions. If you have a great new product idea and you tell it to me, there is nothing illegal in my revealing it to the whole world, even if that would lose you a great deal of money. But if I promise to keep it secret, then my revelation becomes a breach of contract, and opens me up to a lawsuit. By our contract, we have given you a right to insist that I keep certain information private.

Likewise, a customer and a seller can create a sort of right of privacy, if the seller promises not to communicate data about the customer, or promises to communicate it only under certain conditions. True, in contracts it takes two to tango—if the seller isn’t willing to undertake such a promise, the customer can’t make the seller do it. But the customer can just go to another seller, and in a hotly competitive economy, many companies would be happy to attract more customers by promising privacy. And such a privacy contract doesn’t require any special formalities, like a signature on paper. If the site says "We promise to keep your data private," and people act in reliance on that promise, that promise becomes a binding contract.

Of course, some businesses may breach their contracts, but the law offers significant remedies for such breaches. Customers can file a class-action suit, and can often ask the Federal Trade Commission or other regulatory bodies to take action on their behalf. Moreover, the scandal created by a lawsuit can cause businesses more loss than the lawsuit itself. Congress could also make these contracts easier to enforce, require the privacy terms to be clearly specified, and set default contractual terms that protect information privacy in transactions where there are no explicit contractual provisions on the subject. These contractual rights will never be perfectly enforced, but no law is ever perfectly enforced.

Information privacy does get considerable protection from a source that to some is unexpected—the law of contract.

Contracts, however, have one important limitation: They legally constrain only the parties to the contract. If a business breaches a privacy protection contract with you (intentionally or inadvertently), and communicates the information to some other business, you can sue the first business for breach of contract, but you can’t sue the second business for breach of contract, since it never agreed to be bound by any such deal. Likewise, if information about you leaks to some centralized database, to a newspaper, or to anyone else with whom you have no contractual relationship, you can’t stop those third parties from communicating it further. At best, you can sue the original entity with which you had the privacy agreement and which leaked the information, if you can figure out which entity it is.

Back to Top

Proposed Expansions of Information Privacy Law and the Freedom of Speech

So that’s where the law stands today; but what should it be? Congress (and possibly state legislatures) could strengthen the protections offered by contract law. Most importantly, they can define default privacy protection rules. For instance, they can say sellers of medical supplies implicitly promise not to reveal information about their customers, unless they explicitly and prominently disclaim this default provision.

This explicit disclaimer will alert customers to the site’s refusal to agree to keep transactions confidential. Those customers who care enough about their information privacy would then know they should go to the competition. Congress could also authorize special remedies for breaches of information privacy contracts, and could give the Federal Trade Commission extra authority (or extra funding) to prosecute businesses that breach these contracts, rather than just relying on injured customers to bring suit.

Congress could also impose mandatory information privacy rules that go beyond what parties explicitly or implicitly promised. To take an extreme example, Congress might bar any person from communicating any information about another’s purchases or other transactions without the subject’s permission. Alternatively, it might just bar people from communicating such information for money.

But, is it permissible for Congress to do this? After all, there’s another term for "barring any person from communicating any information about…" It’s "speech restriction." This is clearest if we start with one application of this hypothetical law: a newspaper reports that a politician or a celebrity was seen buying some product or engaging in some transaction. The newspaper, after all, is communicating information about another’s commercial transactions, and it’s doing so as part of a money-making business. But stopping the newspaper from publishing such stories raises obvious First Amendment problems.

And the First Amendment doesn’t just protect the media (a good thing in the cyberspace age, when the line between media and others is blurrier than ever). It generally lets all of us communicate to each other on a wide variety of topics, without the government restricting our speech based on its content. True, the First Amendment doesn’t provide absolute protection to all speech, but it does provide very broad protection, outside a few relatively narrow exceptions. And none of the existing First Amendment exceptions justify the government banning speech that reveals supposedly private information, in the absence of an express or an implied contract not to reveal it.

It’s clear that information privacy speech restrictions cannot be justified on the grounds "they don’t restrict speech, they only restrict the sale of information." Speech is often the sale of information. Consider the Wall Street Journal, the Encyclopedia Britannica, and, the contents of which are fully constitutionally protected against government suppression even though they’re sold for money. Commercial advertisements indeed get less constitutional protection than other speech does, under the "commercial speech" doctrine, but this principle is limited to commercial ads and does not cover other communication, even if it’s done for money.

Nor can information privacy speech restrictions be defended on the grounds they merely create a "property right in personal facts." Traditional intellectual property law generally does not allow property rights in such facts. One reason the Supreme Court gave for upholding the constitutionality of copyright law is precisely that copyright law doesn’t interfere with the free communication of facts. (Copyright gives people a monopoly in their particular expression of ideas or facts, but never in the facts or ideas themselves, even if the facts or ideas are originated by them.) Under current intellectual property law and free speech law, facts about people are owned neither by the subject nor by their gatherer: They are "free as the air to the common use." And that’s a good thing. Suppression of facts, whether done in the name of intellectual property or otherwise, is a troubling matter.

But isn’t information about people’s transactions of relatively low constitutional value? Isn’t it something that’s really not of legitimate public interest? After all, "Volokh bought a lawnmower" isn’t "We hold these truths to be self-evident …" It isn’t commentary on political issues, or debate about high philosophy. Shouldn’t we balance the rather modest constitutional value of this speech against the important interests supporting suppression of this speech?

This is a powerful point; before we urge the legal system to accept it, we should think about all its implications. After all, this is exactly the argument made in favor of the Communications Decency Act, which the Supreme Court nonetheless struck down in 1997. The CDA’s proponents argued that sexually themed speech (whether you call it "pornography" or "art") isn’t really that constitutionally valuable, and the right to communicate such speech had to be balanced against the government’s interests. If such expression were excluded from public discourse, the Republic wouldn’t fall. Plenty of people have argued that the right to engage in such speech should therefore be restricted.

If the Court were to accept the notion that personal information is of "low constitutional value," then this would provide powerful precedent for further restrictions on these other categories of speech, which others (including some Justices) are prepared to call "low-value." Conversely, if we think that even pornography, profanity, and nonrational vituperation are speech, and as such deserve protection under the Free Speech Clause, we might ask why the same wouldn’t apply to (accurate) speech about our neighbors’ behavior, habits, and purchases. And if we wouldn’t approve of the Supreme Court balancing away constitutional free speech rights in favor of government interests with the CDA and the other laws, we might worry about this for information privacy speech restrictions, too.

Moreover, information about what others are doing can often be of significant value. Sometimes, it can even be of political relevance, for instance, when it involves the behavior of political figures. In Europe, where information privacy speech protections have taken greater hold, and where the government generally has more power to restrict speech than it does in the U.S. There is already talk about forbidding journalists from publishing supposedly private information about public officials’ sexual affairs. Even in the U.S., the "disclosure of private facts" tort—one of the few currently existing information privacy speech restrictions—has already led a court to hold a newspaper may be punished for speaking about a political official’s past sex-change operation. I personally wouldn’t care about such a fact in deciding whether to vote for someone, but other voters might, and in a democracy the media shouldn’t be gagged from informing them about it.

At other times, information about people can be valuable to us in our daily lives. Say someone—in the media or not—reveals that an acquaintance has a criminal record, or a bad credit history. Should we trust the person in business? Should we trust the person to watch our children? We can’t decide unless we’re informed about this. And while the other person will probably not want us to have full information on this score, it’s not clear why the government should have the power to use its coercive force to ban people from speaking about this information.

Here, the experience of the private facts tort is illustrative. Several cases have actually held that newspapers can be punished for revealing a person’s criminal past, even if the revelations are entirely accurate. For instance, in one case a court held that a newspaper could be held liable for running a story that revealed a particular person had committed an armed robbery 11 years before. The court said naming the criminal served no "public purpose" and was not "of legitimate public interest;" there was "no reason whatsoever" for it. The person was "rehabilitated" and had "paid his debt to society." "[W]e, as right-thinking members of society, should permit him to continue in the path of rectitude rather than throw him back into a life of shame or crime" by revealing his past. "Ideally, [the person’s] neighbors should recognize his present worth and forget his past life of shame. But men are not so divine as to forgive the past trespasses of others, and plaintiff therefore endeavored to reveal as little as possible of his past life."

But appealing as the court’s rhetoric might sound, there’s considerable danger in the government deciding which speech is of legitimate public interest and which isn’t, or which things "right-thinking members of society" would want to know and which only the wrong-thinking ones would care about. Maybe we shouldn’t assume that someone who committed armed robbery 11 years before might still be dangerous (in fact, many criminals do go on to commit more crimes). Maybe we ought to forgive and forget. But in a free society, we are entitled to decide this for ourselves, and under a regime of free speech, the government ought not forbid others from giving us information that affects our decisions.

And if we—and not the government—should be the ones who decide what is said and what is listened to about people’s criminal records, perhaps the same should apply to other speech. Many might say that certain kinds of speech, for instance speech about someone’s food or clothing purchases, aren’t of legitimate interest (As it happens, this is also the least embarrassing information, whereas the very information people would most want to conceal is also often what others would most like to know about them). But perhaps freedom of speech principles should be understood as leaving it to speakers and listeners to decide what information they find interesting, and as denying the legal system the power to make this decision for us.

More importantly, even if a narrow restriction on speech about a person’s innocent shopping habits might do more good than harm, the danger with accepting any legally enforced system of control over factual information is that it may eventually go far beyond its roots. As I mentioned, in Europe the concept of information privacy is already being urged as a justification for controlling media reports about politicians. The experience with the private facts tort shows some U.S. forces would urge the same. And accepting the notion that certain facts may be suppressed because they are of "low value" or lack "legitimate public interest" creates a precedent in favor of broader suppression of other speech supposedly likewise of "low value."

Back to Top


Current U.S. law generally imposes few restraints on private parties communicating information about people. The chief legal protection that people have is contract law: If a business promises to keep information private, consumers can hold it to that promise. They can also threaten to withhold their patronage from businesses that refuse to undertake such obligations, a powerful threat in today’s competitive marketplace. Many businesses will realize that to lure customers they must provide both personalization and a promise the personal information they learn will stay confidential. And the government can put extra teeth into such promises by providing supplemental enforcement (for instance, through regulatory bodies such as the Federal Trade Commission).

Of course, the government may go beyond enforcing people’s promises of confidentiality, and impose broader, categorical obligations on them not to speak about certain things. It’s important, though, to recognize such obligations for what they are—speech restrictions, which raise serious constitutional problems.

One can argue that courts should carve out a new First Amendment exception to justify such restrictions, and perhaps the courts will be sympathetic to such arguments. But there are costs to new exceptions. In a legal and political system built on precedent and analogy, one speech restriction can easily lead to other, broader ones. Relying on admittedly imperfect contractual protections may ultimately prove to be the safer bet.

Back to Top

Back to Top

    This article is based on "Freedom of Speech and Information Privacy: The Troubling Implications of a Right to Stop Others from Speaking About You," forthcoming in the Stanford Law Review and available in full at

    1Caveat: I am an expert on U.S. law, and am writing only about U.S. law. As to foreign law, I know nothing about it and, despite that, have no opinion.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More