Harvard Law Review Harvard Law Review Harvard Law Review

Harvard Law Review Forum

Privacy Law: Positive Theory and Normative Practice

Responding to Lior Jacob Strahilevitz, Toward a Positive Theory of Privacy Law, 126 Harv. L. Rev. 2010 (2013)

Professor Lior Strahilevitz’s article Toward a Positive Theory of Privacy Law urges novel positive approaches to privacy law scholarship.1 Positive theories of law employ empirical and analytical methods to describe what the law is, how it came to be, and what its consequences may be. Grounded in median voter models and public choice theory generally,2 Strahilevitz’s article illustrates positive analysis, illuminating distributive implications of privacy statutes and common law privacy doctrines for a range of groups, including political elites, racial minorities, criminal offenders, naïve and sophisticated consumers, data miners, and marketers. The overall goals of this insightful article are to clarify the distributive “winners and losers” of privacy law and to shed light on the predictability of who prevails in the institutions that formulate privacy rules in the United States and in Europe.3

By contrast to Strahilevitz’s positive project, my recent work on privacy law has been normative in thrust. Specifically, I have explored the normative ethical value of privacy, evaluated the normative ethics of privacy laws, and pondered the extent of normative ethical obligations to protect one’s own and others’ privacy.4 Though a normativist, I welcome greater attention to positive theory. Positive theory and normative theory go hand-in-hand, in my view. Normative theories of law evaluate and commend laws by reference to values that the laws embody or promote. Information management policies reflected in law are subject to evaluation by economists as efficient or inefficient, but by ethicists as right or wrong, good or bad, virtuous or vicious, and just or unjust.

We cannot know if we are doing the right thing, if we do not know what we are doing and whom we are doing it to. My work often attends to the winners of losers of privacy rules and practices — whether corporations, women, the LGBT community, criminals locked in prisons, African Americans, or children. Whether privacy is a good thing for the people who have it is a question with a large empirical dimension. For the sake of rigor and completeness, normative ethical theorizing must attend to subtle concrete distributional effects of the sort Strahilevitz examined. Attending with special care to distributive implications serves the needs of ethics, as it serves the needs of other normative enterprises of perhaps more immediate concern to Strahilevitz — welfare-enhancing cost-benefit policy analysis and commercial advantage-seeking. Understanding those that Strahilevitz terms the “winners and losers” of privacy law bears on the choices that persons of conscience, character, and goodwill make respecting the frequency, content, and context of data acquisition, data disclosure, and data retention.

Yet the truth about distributional effects may be subtle, unobserved, and disbelieved. Presumed winners may be losers, and the presumed losers may be winners. Presumptions about winners and losers may be so fixed in prejudice that no one bothers to challenge philosophical assumptions with fresh analytics or factual pieties with rigorously derived empirical data. I applaud Professor Strahilevitz’s illustrations of new ways to think empirically about privacy laws’ distributive effects. Here, I briefly comment on his major arguments and examples. First, in Part I, I comment on his claims concerning the law of celebrity privacy, and I offer a challenge to his conception of winners and losers in that domain. Second, in Part II, I consider his argument that granular criminal-history disclosures may be the direction for the near future and may benefit African Americans more than criminal-history privacy. I suggest that privacy-reducing surveillance of African Americans may already be so extensive that African Americans would not view themselves as “winners” under a regime that placed detailed criminal-history data in the hands of employers. Third, in Part III, I address privacy concerns raised by Big Data, noting grounds for a concerned response to the data mining and consumer-profiling practices artfully described by Strahilevitz. Finally, in Part IV I respond to Strahilevitz’s celebratory response to the federal Do Not Call registry’s privacy implications with the observation that a benignly more paternalistic Do Not Call law could have made telephone customers even bigger winners. In sum, I embrace Strahilevitz’s call for nuanced positive theories of privacy law’s “winners and losers” but for a reason he does not highlight: better positive theory is critical also for better normative ethical theory. I reject his specific characterizations of “winners and losers” of the law of celebrity publicity and criminal-history disclosure, and I suggest policy directions for bigger wins for American shoppers and consumers.

I. Virtuous Inattention

Californians enacted an anti-paparazzi statute after the deaths of Princess Diana and Dodi Fayed,5 which were initially attributed to their chauffeur’s attempt to evade encroaching paparazzi. The law forbade recording celebrities’ activities near their homes; more recent laws outlaw high-speed chases and intrusive photography.6 Describing California as an exception, Strahilevitz points out correctly that under U.S. law, readers and the media are generally permitted wide access to information about celebrities. The law of the United Kingdom and Continental Europe resembles California law. Celebrated public figures are often accorded the protection of privacy rights, including the fundamental rights set by the European Convention on Human Rights.7 Why the antipopulism of California’s and Europe’s law? Strahilevitz’s answer is an observation about power and influence.

According to Strahilevitz, popular celebrity Californians (like former Governor and film star Arnold Schwarzenegger) swayed legislators and median voters. Wealthy and elite Californians thus “won” at the expense of the ordinary literate public with a taste for celebrity gossip. In a move from strictly positive theory toward normative reflection, Strahilevitz questions whether the law ought to make privacy winners of those who so often win, when it could distribute a win to less politically and economically powerful consumers (and the for-profit media interests that sell to them). He does not reach the deep ethical questions raised by his example, however. I suggest we ask whether the distribution of publication and readership rights to non-elites makes non-elites “winners” worthy of the name. Indeed, moral theorists might call for restraint in attention to others’ intimate lives. The individual readers who win the ability to access celebrities’ personal lives may lose from the point of view of perfectionist conceptions of virtue.8 A balance of inattention to others’ personal lives and attention to one’s own is arguably a moral virtue. Kantian-style conceptions of perfect and imperfect duties to the self include duties of self-improvement and self-respect.9 Feeding raw desires and fan obsessions at the expense of nontrivial activities has moral implications. Inattention to others’ personal lives may also be a qualitative benefit to civil society. Samuel Warren and Louis Brandeis made a point along these lines about the loss to civil society that comes from privacy invasions: the market for gossip represents a qualitative decline in cultural life, “a lowering of social standards and of morality.”10 Their prose was high-minded: “Triviality destroys at once robustness of thought and delicacy of feeling. No enthusiasm can flourish, no generous impulse can survive under its blighting influence.”11 It could be best to let celebrities have their privacy since, what conservative political theorist Robert George calls the “moral ecology” of our society may suffer if the populace grows coarsely inquisitive and celebrities are egregiously abused.12

II. Transparency as Racism

The Supreme Court once blessed the notion that people have a strong privacy interest in their criminal histories, strong enough to defeat media efforts to obtain rap sheets prepared by the Justice Department.13 Common law courts have noted that criminal-history secrecy facilitates rehabilitation and reintegration.14 Against the grain of such thinking, Strahilevitz argues that granular criminal-history disclosures may make winners of African Americans without criminal backgrounds and losers of white ex-offenders. A policy of making publicly available detailed criminal-history information might be presumed to make African Americans losers because African Americans are disproportionately convicted of crimes. Although “bad information” may be discounted by time, criminal histories are a long-term burden affecting where ex-offenders can live and work. Strahilevitz argues that a policy of disclosure could benefit blacks — and the more granular the disclosures the better. Supplied with criminal histories, potential employers can distinguish serious offenders from those who have not offended at all or trivially. More granularity can reveal that a felony was mere possession of marijuana rather than armed robbery, rape, or homicide. The ability to discern and discriminate removes any rational incentive for employers to use race as a proxy for criminality. Loss of privacy might confer on African Americans competitiveness in the market for jobs. The privacy losers, on a closer look, turn out to be the winners.

Assume with Strahilevitz that employers use white race as a proxy for honesty, reliability, and skill, resulting in squeaky-clean African Americans losing opportunities to whites who may harbor secret criminal histories. There is likely more than one way to address the problem of resource- and power-holders’ “rational” racial profiling. Before pursuing policies that decrease privacy on a premise of intractable black criminality, should come (1) attacks on the inequities that account for black criminality in the first place, (2) a solid understanding of how criminal-history disclosures impact rehabilitation and the reintegration of ex-offenders, and (3) clarity about the aggregation problem of numerous small privacy losses aggregating into an enormous surveillance and transparency burden for African Americans. The surveillance society is doubly such for low-income people living in high-crime communities and reliant on government benefits, services, and public and military employment. The state collects detailed information about individuals, families, living arrangements, health, and financial resources. Many African Americans are heavily supervised at work, watched in stores to deter shoplifting, scrutinized, and profiled when they drive their cars or walk outside their neighborhoods.15 African Americans might in important respects be better off in a society of trust and fairness than in a suspicious and biased society that arms the public with access to criminal histories. As Strahilevitz suggests, there might be a political backlash of sorts against the increasing granularity of criminal-history disclosures that offend the sensibilities of median voters. A public choice theory positive account of winners and losers might suggest to African American interest groups effective strategies for promoting privacy rules that make a net positive contribution to their constituents’ lives.

African Americans are not always better off with more information privacy, however. Not having certain information privacies benefits historically subordinated groups.16 A failed 2002 “Racial Privacy” referendum would have made losers of California’s racial minorities. The proponents of the referendum claimed that an amendment to the California constitution barring state racial data collection would have ushered in color-blind practices that would make winners of everyone.18 However, giving up so-called racial privacy helped minorities acquire access to health and education goods vitally needed by their communities.17 Moreover, racial privacy is an illusory concept. Race is a social construct with public historical, associational, and phenotypical dimensions. Race is “in the face” and seeking to privatize it the way one privatizes the results of a blood test makes little practical sense.19 Giving up so-called racial privacy makes winners of African Americans, while the giving up of criminal-history privacy may not.

III. Big Data, Big Personality, and Consumer Privacy

Policymakers and privacy theorists need to understand the implications that Big Data has for information privacy. “Big Data” is a nickname for enterprises that collect, analyze, package, and sell data, even uninteresting-looking data, to reveal tastes, habits, personality, and market behavior. Big Data is challenging traditional privacies.20 Private sector surveillance is rampant, introducing research about personality assessment and classification into the legal literature.21 Increasingly, the personality and psychology of individual consumers are probed without their knowledge or consent.

Big Data, Strahilevitz observes, represents a shift from nondiscriminating, pooling equilibriums to controversial discriminating, separating equilibriums in marketing.22 Big Data is enabled by the promise of efficiencies that include the capacity cheaply to ascertain who is a suitable purchaser of goods and products, output maximization, and producer surplus. Strahilevitz focuses on what he calls the “secondary” rather than “primary” effects of information rules governing consumer retail transactions. Primary effects relate to how the collection, manipulation, and disclosure of information affect individuals whose data is collected and disclosed. Secondary effects are the consequences of data collection, manipulation, and disclosures, whether or not experienced as individual harm. Both primary and secondary effects of privacy laws have implications that positive theorists will want to describe and normative theorists will want to evaluate.

Big Data’s thirst for information and capacity to learn from it threatens privacy. Big Data information extractions are offensive to principled privacy lovers even when, as in the pharmacy data at issue in Sorrell v. IMS Health Inc.,23 most sensitive personal information has been scrubbed using anonymization. Privacy advocates’ concerns include concerns about re-identification of de-identified data and the loss of trust in confidential relationships. Ought we jump on the privacy bandwagon?

Strahilevitz answers with analysis and facts, not norms. He maintains that protecting privacy seems to thwart price and service discrimination that is consistent with consumer welfare. Without privacy, Amazon can tell you what you want before you know what you want. Products can be marketed to those likely to want them, and, if credit is extended, people can be relied upon to pay. Collecting consumer data and engaging in personality discrimination might make winners of certain shoppers no less than for-profit data miners. Data miners win if they can guide efficient marketing. Shoppers win if they are offered attractive discounts and premiums based on data demonstrating reliability and creditworthiness. (It turns out that buying felt pads to protect your furniture from scratches and dents predicts credit worthiness.)24

The general public is not a clear winner of data accessibility and manipulation by Big Data, economically or otherwise. In theory relying on information gleaned from data mining or consumer personality testing will lead to lower costs, and lower costs for business could mean lower prices for consumers. Yet data miners and retailers will not necessarily lower prices. When do powerful business interests pass on profits to consumers? When there is competition? We need to know a great deal about the industries in question to predict likely winners and losers.

Strahilevitz suggests an interesting political alliance between Big Data and sophisticated consumers. Sophisticated consumers are the wealthier, better-educated, voting consumers with excellent credit and wholesome habits who think they have nothing to lose from policies that put volumes of data into the hands of firms. According to Stahilevitz, a median voter model predicts that American law will systematically favor the interests of sophisticated consumers, which are congruent with those of data miners, since sophisticated consumers are on the whole more politically engaged people who pay attention to legislative policy proposals and vote their interests.25

The Lisbon Treaty may widen the divide between U.S. and EU approaches to data mining. The treaty protects all data as a matter of fundamental right.26 Legislative lobbying by Big Data in the U.S. is not impeded by doctrines of fundamental right. My observation is in line with Strahilevitz’s that the presence of a tradition of powerful industry lobbying in the U.S. predicts fewer restrictions on Big Data. He argues that a lack of such a tradition may help explain why, even though EU and U.S. persons have similar privacy tastes, EU law is significantly more prohibitive.

Power and interest group dynamics may also explain why Big Data and major firms have been successful fighting consumer information privacy claims in the U.S. courts interpreting commercial free speech doctrines.27 Few relationships are as surrounded by traditions of confidentiality and privacy as the physician-patient relationship. In Sorrell, consistent with Strahilevitz’s positive theory, the Supreme Court nonetheless struck down a state law limiting data miners’ access to confidential physician prescription information, on the ground that singling out data miners with a disabling law violated their commercial free speech rights.

However, the precise nature of median voter, power, and interest group dynamics is not always easy to discern in interactions among Congress, the federal courts, federal agency privacy regulators, the big business sector, voters, and consumers. Consider the following examples. A common contrast between EU and U.S. privacy law is that our sectoral laws typically permit consumers to consent to disclosures of personal information by default, simply by not affirmatively “opting out”. The U.S. “opt-out” bias seems to favor data sharing—hungry American businesses, since consumers rarely bother to affirmatively opt out. In the late 1990s when Federal Communications Commission (FCC) regulators attempted to impose a stricter “opt-in” consent requirement for the disclosure of sensitive customer proprietary network information (CPNI),28 the telecom firm U.S. West, Inc. took them to court. U.S. West prevailed in the Tenth Circuit Court of Appeals with the argument that the FCC’s preferred opt-in consent requirement violated “the First Amendment by restricting its ability to engage in commercial speech with customers” and raised “serious Fifth Amendment Takings Clause concerns because CPNI represents valuable property that belongs to the carriers and the regulations greatly diminish its value.”29 Positive theory could potentially explain why a federal court interpreted the Constitution so as to make the telecom industry the owners of CPNI, defined as “information of, and relating to . . . customers”30 and why the court refused to allow federal regulators to act aggressively and beneficently as guardians of consumer privacy. Yet the contours of an explanation in terms of power dynamics and median voter alliances here is far from obvious. In the CPNI case, the 10th Circuit sided with industry against the government; but in the Do Not Call registry case, the 10th Circuit sided with the government against industry. The Court upheld the right of the FTC to create the Do Not Call registry, over objections from the telemarketing industry that Congress had not authorized the FTC to act and that such a move would deliver a profitable blow to a productive industry that was also a major employer.31

IV. Hold the Calls, Forget the Notices!

Finally, Strahilevitz touches on design mechanism in the enactment of the federal Do Not Call rules.32 Do Not Call rules (Rules) enforced by the Federal Trade Commission (FTC) make losers of commercial telemarketers but winners of telephone consumers, both consumers annoyed by unsolicited phone calls (they can easily opt out) and consumers who enjoy calls (they need do nothing). Under the Rules, consumers who choose to place their numbers on a Do Not Call registry maintained by the FTC are entitled to a reduction in nonpolitical, noncharity calls by businesses with whom they have no preexisting relationship. The Rules pass a cost-benefit test: they are significantly welfare-enhancing at a low cost. Assuming that welfare implications are relevant to the desirability of privacy protections, we have normative grounds for praising the Rules.

Professor Strahilevitz’s positive analysis of winners and losers should be expanded to include all of them: telephone users, people who live with them who also suffer the distraction of unwanted calls, charities, politicians, prior businesses patronized, and telemarketers. Welfare improvements were realized with the Rules, but I argue elsewhere that a more paternalistic policy would have been more welfare enhancing.33 Policymakers with a broader understanding of the public’s privacy interests might have banned most telemarketing calls, doing away with the need for an opt-in registry and imposing beneficial privacy at home on phone customers.

The general consensus among privacy scholars is that the Do Not Call registry law was a good privacy law at the time it was enacted. I surmise that most would agree with Strahilevitz that the telemarketing Rules were as welfare enhancing. But not all of the privacy law innovations of the 2000s have been met with a similar appreciation. Many privacy scholars and officials bluntly denigrate the Gramm-Leach-Bliley34 (GLB) financial privacy law as a foolish law that “only lawyers could love”.35 GLB was not designed to be a robust privacy law. GLB was Title V of the Financial Services Modernization Act of 1999, demolishing walls between insurance, investment, and commercial banking. GLB is not stupid relative to its actual purpose of giving consumers some control over who has access to sensitive financial transactions and related personal information.36 What subjects the law to ridicule is that it requires written notices few read or act on. The notices offer an opportunity for opting out of certain third-party disclosures of some personal information. So few understand the opportunity and take time to exploit it that the notices reduce to useless formalism.37

If Congress or agency regulators wanted seriously to limit access by financial institutions to consumer data, a flat ban on sharing even with consent would have been enacted. One has to assume that Congress and regulators made self-conscious policy choices to allow firms access to sensitive information about consumers, for the good of those firms, the economy, consumers, and/or the nation. A full positive analysis of the design mechanism and the distributive implications of the policy implemented via GLB would be useful; consumers do not benefit and firms waste money. GLB regulations require privacy notices, but it bears emphasis that GLB also requires data safeguards and penalizes pretexting. Whatever the critique of the notices requirement, the security safeguards and antipretexting rules require their own separate positive assessments.

IV. Conclusion

The central observation of Lior Strahilevitz’s paper is sound: privacy rules have distributive implications. With careful empirical investigation and analysis we can better ascertain the true “winners and losers” of our privacy laws. But how should we really understand “winning” and “losing”? The winners and losers in the thin distributional senses at play in Strahilevitz’s article may not be winners and losers from ethical points of view he does not broach. Is it enough that a distribution furthers wealth maximization, or equalizes social power? Should we strive to enact policies that defy power and influence; that look to fundamental human rights rather than preferences and desires? There is plenty of work for philosophers in sorting through and interpreting the distributive implications of privacy rules. The question of individual responsibility in all of this — what ought I do in light of positive distributive consequences — is one of those calling out for further inquiry.

1. Lior Strahilevitz, Toward a Positive Theory of Privacy Law, 126 Harv. L. Rev. 2010 (2013).

2. See generally Duncan Black, The Theory of Committees and Elections (1958); Duncan Black, On the Rationale of Group Decisionmaking, 56 J. Pol. Econ. 23 (1948).

3. Cf. Paul M. Schwartz, Preemption and Privacy, 118 Yale L.J. 902 (2009); James Q. Whitman, The Two Western Cultures of Privacy: Dignity Versus Liberty, 113 Yale L.J. 1151 (2004) (accounting for EU/U.S. privacy law differences).

4. Anita L. Allen, Unpopular Privacy: What Must We Hide (2011); see also Anita L. Allen, Natural Law, Slavery, and the Right to Privacy Tort, 81 Fordham L. Rev. 1187 (2012) (arguing that common law historically aimed to protect natural and human privacy rights); Anita L. Allen, Meador Lecture in Morality: Is There a Duty to Protect Your Own Privacy, 64 Ala. L. Rev. (forthcoming 2013) (assessing claim of ethical duty to safeguard own privacy).

5. Princess Diana of Wales died on August 31, 1997, from injuries sustained in an automobile accident in the Pont de l’Alma road tunnel in Paris. On January 1, 1999, California Civil Code 1708.8, the first anti-paparazzi statute, went into effect. The law prohibits recording and photographing celebrities in and around their homes. Cal. Civ. Code § 1708.8 (West 2012). A second anti-paparazzi law enacted in 2005 provided penalties for assaults in the course of celebrity-chasing. Cal. Civ. Code § 1708.8(c) (West 2012). Later laws increased penalties for using images obtained as a result of invading privacy.

6. See sources cited supra note 5.

7. Convention for the Protection of Human Rights and Fundamental Freedoms, Nov. 4, 1950, 213 U.N.T.S. 221, art. 8 (“Right to respect for private and family life”) of the European Convention on Human Rights provides that “[e]veryone has the right to respect for his private and family life, his home and his correspondence.”).

8. See generally Steven Wall, Perfectionism in Moral and Political Philosophy, in Stanford Encyclopedia of Philosophy (2012), http://plato.stanford.edu/archives/win2012/entries/perfectionism-moral/.

9. Robert Johnson, Kant’s Moral Philosophy, in Stanford Encyclopedia of Philosophy (2012), http://plato.stanford.edu/archives/sum2012/entries/kant-moral/.

10. Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890).

11. Id. at 196.

12. Robert P. George, Making Men Moral 1 (1995).

13. U.S. Dep’t of Justice v. Reporters Comm. for Freedom of the Press, 489 U.S. 749, 780 (1989) (holding that the media were not entitled under FOIA to obtain “rap sheets” compiled by FBI, even though criminal history is publicly available in uncompiled forms). Inconvenience secrets criminal histories in “practical obscurity”. See id. at 762.

14. See Briscoe v. Reader’s Digest Ass’n, Inc., 483 P.2d 34, 41 (Cal. 1971), overruled by Gates v. Discovery Commc’ns, Inc., 101 P.3d 552 (Cal. 2004) (“Another factor militating in favor of protecting the individual’s privacy here is the state’s interest in the integrity of the rehabilitative process. Our courts recognized this issue four decades ago in Melvin v. Reid. There, plaintiff had been a prostitute. She was charged with murder and acquitted after a long and very public trial. She thereafter abandoned her life of shame, married, and assumed a place in respectable society, making many friends who were not aware of the incidents of her earlier life.” Id. at 40 (citation omitted)).

15. African American’s privacy and bodily integrity is one of the concerns civil libertarians raised respecting police deployment of “stop and frisk” and “stop and identify” powers. See, e.g., Ctr. for Constitutional Rights, Stop and Frisk (2012), available at http://stopandfrisk.org/the-human-impact-report.pdf; see also Floyd D. Weatherspoon, Racial Profiling of African-American Males: Stopped, Searched, and Stripped of Constitutional Protection, 38 J. Marshall L. Rev. 439 (2004).

16. Allen, supra note 4, at 155.

17. Id. at 131.

18. See, e.g., So-Called “Racial Privacy” Initiative Will Fail to Qualify for November 2002 Ballot, ACLU N. Cal. (May 30, 2002), https://www.aclunc.org/news/press_releases/so-called_racial_privacy_initiative_will_fail_to_qualify_for_november_2002_ballot.shtml (“The initiative, which would bar public agencies in California from utilizing information that refers to race, ethnicity or national origin, is the brainchild of Ward Connerly, a Pete Wilson appointee to the UC Board of Regents. Opponents argue that the initiative would devastate the state’s public health and education programs, and rob the state of information about its progress in rooting out disparities based on ethnicity and race.”).

19. Allen, supra note 4, at 143.

20. Anita L. Allen, Commercial Speech Bruises Health Privacy in the Supreme Court, 41 Hastings Center Rep. 8, 9 (2011) (suggesting that data mining may jeopardize medical privacy).

21. Strahilevitz, supra note 1, at 2023.

22. Id. at 18.

23. 131 S. Ct. 2653 (2011).

24. Strahilevitz, supra note 1, at 2021.

25. Id. at 2032.

26. Under the EU Lisbon Treaty, the protection of personal data is recognized as a fundamental right. Article 16B of the Treaty provides: “Everyone has the right to the protection of personal data concerning them.” Treaty of Lisbon Amending the Treaty on European Union and the Treaty Establishing the European Community art. 16B, Dec. 13, 2007, 2007 O.J. (C 306) 1, 51.

27. See Sorrell, 131 S. Ct. at 2656; U.S. West Inc. v. FCC, 182 F.3d 1224 (10th Cir. 1999) (holding that commercial speech rights under First Amendment bar state action to limit access to information).

28. U.S. West, Inc., 182 F.3d at 1228.

29. Id. at 1230.

30. Id. (citing 47 U.S.C. § 222(a) (2006)).

31. Mainstream Mktg. Servs., Inc. v. FTC, 358 F.3d 1228 (10th Cir. 2004).

32. Do-Not-Call Implementation Act of 2003, Pub. L. No. 108-10, 117 Stat. 557 (codified at 15 U.S.C. § 6101—6155 (2006)).

33. See Allen, supra note 4, at 36—37.

34. Gramm-Leach-Bliley Act, Pub. L. No. 106-102, Title V, 113 Stat. 1338, 1436 (1999) (codified at 15 U.S.C. § 6801 (2006)).

35. Timothy J. Muris, Chairman, Fed. Trade Comm’n, Remarks at The Privacy 2001 Conference (Oct. 4, 2001), available at http://www.ftc.gov/speeches/muris/privisp1002.shtm.

36. Accord Peter P. Swire, The Surprising Virtues of the New Financial Privacy Law, 86 Minn. L. Rev. 1263 (2002).

37. See generally Edward J. Janger & Paul M. Schwartz, The Gramm-Leach-Bliley Act, Information Privacy, and the Limits of Default Rules, 86 Minn. L. Rev. 1219 (2002).