0069
“I certify that I have prepared this exam in accordance with course procedures and the Wash. U. Law Honor Code. This examination is entirely my own work (except where I have quoted and/or cited other sources), and I have neither given nor received exam help from any other student, nor have I used an AI-text generator (such as ChatGPT) in any manner on the exam. I also understand that the failure to comply with this certification will be treated as a form of academic dishonesty and a violation of Wash. U. Law Honor Code and the University’s Student Code of Conduct. My word count is [2240].”
PART ONE
(theory and doctrine)
What does Hill have to teach Cofone? (facial recognition)
From Hill’s book, we can learn that the widespread use of facial recognition technology raises significant privacy concerns, as it allows individuals to be identified without their consent. This technology has the potential to be abused, with the ability to track and identify people in various situations. Unlike the E.U., which has passed the GDPR, the U.S. privacy laws have been more developed at the state level due to a fear of hindering the technology industry, which is a cornerstone of the American economy. The government is also reluctant to pass laws limiting its ability to collect data for security and safety purposes. Facial recognition technology can be used for security purposes. However, there are concerns about its use in crime-solving because it might lead to wrongful arrests and discrimination. Besides, it can identify individuals in real-time, raising concerns like political or personal discrimination. Moreover, much data collection and tracking happen through online activities, such as purchases, browsing, and social media interactions. The data can be used to predict and target individuals, even in very personal situations like pregnancy or searching for engagement rings. Companies like Facebook/Meta potentially use audio recording and other methods to gather data. The potential for sensitive conversations to be overheard and identified through facial recognition technology threatens personal privacy. Governments’ use of facial recognition to track individuals, including at protests, could have a chilling effect on free speech and freedom of assembly. Hence, opt-out options, like the one provided by pimeyes.com, allow people to remove their information from databases. For example, if one’s face is showing up in PimEyes’s search results, he can request to have it removed. This provides people more control over their
personal data and biometric information rather than having it freely available for any company or organization to use without their knowledge or consent.
State privacy laws, such as those of California, Connecticut, Colorado, and Virginia, allow individuals to access and delete their information from facial recognition databases. But this right is available in limited locations. Therefore, stronger privacy laws, such as the Biometric Information Privacy Act (BIPA) in Illinois, are necessary to control the use of facial recognition technology and protect individual rights. The ability to control one's level of public recognition, such as through customizable privacy settings, could be a potential solution.
What does Cofone have to teach Hill? (consent model and the nature of privacy harm)
From Cofone’s book, we learn that the underlying principle of the consent model is simple - individuals should have control over their personal data and be able to decide how it is collected and used through the act of consent. This model has been widely adopted, with privacy policies and user agreements serving as the primary means for companies to obtain user consent. However, it has significant limitations in the modern information economy. For example, in the case of Pamela Anderson, where her intimate video was stolen and distributed without her consent, the court ruled that she had no legal interest in the pictures since they were already online. This case shows how it failed to recognize the dignitary harm, which is a common issue in the information economy.
Next, consider the relational nature of data. Data about an individual is often also about their family, friends, and social connections. This means that the individual cannot truly consent on behalf of others whose information is intertwined. For example, in the 23andMe hack, when hackers gained access to users' genetic data, they also obtained sensitive information about the users' relatives, who had not consented to having their data compromised. This relational aspect of data makes it impossible for individuals to have meaningful control over how their information is used and shared.
Another limitation of the consent model is its failure to account for the power of inferences and connotative information. Data can be used to make identifying and potentially harmful inferences and abstractions about an individual, even if the data itself is not directly about that person. For example, facial recognition software can identify hundreds of photos of an individual even though that individual is not the focus of many of the images found. This shows how innocuous data can be used to create a detailed profile of an individual. This "connotative" information is difficult for individuals to anticipate or control, undermining the premise of the consent model.
Also, the consent model fails to address collective harms, such as the Cambridge Analytica scandal, which affect large groups of people in dispersed and less visible ways. Because the consent model is based on a one-to-one relationship between the individual and the company collecting the data, it fails to account for the collective nature of these harms, as individuals cannot meaningfully consent on behalf of the broader groups that may be impacted. This can be seen in the TransUnion case, where the Supreme Court rejected a class action lawsuit due to the lack of a clear common harm.
And how should we regulate new facial recognition technologies going forward to ensure the protection of privacy?
Regulating new facial recognition technologies to safeguard privacy requires a multifaceted approach grounded in fundamental principles of privacy law. Firstly, regulation that adheres to data minimization (such as in GDPR Art. 5) is fundamental. This principle stipulates that collecting and processing personal data, such as biometric information obtained through facial recognition, should be limited to what is strictly necessary to achieve the specified purpose. For example, the unchecked scraping of billions of photos from the internet by companies like Clearview AI, without the knowledge or consent of the individuals
mechanisms for individual redress (private right of action - allowing individuals to sue for damages) and penalties for non-compliance.
The rise of companies like Clearview AI highlights the challenge regulators face. Regulators must address not only the practices of large tech giants but also the ethical boundaries pushed by smaller companies. In short, when regulating new facial recognition technologies, we must comply with the principles of data minimization, privacy by design, and accountability. Regulators must also balance technological advancement and privacy protection to safeguard individual privacy rights effectively.
PART TWO
(law of the future)
The five most important features that a comprehensive US privacy law should have (either state or national), and why?
To me, the most important feature is mandating privacy by design. According to the Federal Trade Commission (FTC), privacy by design refers to companies “promoting consumer privacy throughout their organizations and at every stage of the development of their products and services.” In the U.S., protecting privacy rights has always been an issue because courts have a limited view of what a data breach means and victims often have no right to sue. This was seen in Spokeo, where the court denied standing to data breach victims because of an inability to demonstrate “concrete and particularized” harm resulting from the breach. Also, making privacy by design a legal mandate to address the harms caused by data collection tools is just like product liability law, which retains manufacturer liability for defective products despite user influence on design, as long as the uses and modifications are foreseeable. This can answer privacy by design’s open questions: who is held responsible? The designer. The Rylands case can be used as an analog here: when new technologies create large "reservoirs of danger" that can cause widespread, unforeseeable harm, the law should impose proactive obligations on those reservoirs -
Secondly, the Right to Erasure/Deletion (a.k.a. “Right to be Forgotten”) is important, and privacy legislation such as the GDPR and the CCPA has adopted this. This right empowers individuals to request the deletion of their personal data held by organizations, ensuring greater control over their digital footprint and enhancing privacy protections. Under the GDPR, individuals have the statutory right to request the erasure of their personal information from organizations, known as data controllers. GDPR Art. 17 stipulates that organizations must promptly delete the requested data upon verification of the request's legitimacy, without undue delay and at no cost to the individual. Furthermore, organizations must inform third parties with whom the data has been shared about the erasure request, ensuring comprehensive removal of the individual's data. Similarly, the CCPA mandates that for-profit organizations collecting the personal information of California residents provide mechanisms for individuals to request the deletion of their data. The right to erasure enhances privacy rights and autonomy by allowing individuals to delete their personal data; this right enables them to mitigate privacy risks associated with data breaches, unauthorized access, and misuse of information. It also promotes transparency and accountability in data processing practices, as organizations must implement measures to verify and fulfill deletion requests promptly. It also builds trust between individuals and organizations.
Thirdly, data minimization, meaning collecting only the minimum amount of data necessary to fulfill a specific purpose, is important. Under the current "notice and choice" regime, consumers are often presented with extensive privacy policies and expected to make binary decisions about online services or apps. However, these policies are often vague, expansive, and designed to protect companies from liability rather than inform consumers adequately. This lack of transparency makes it impossible for consumers to participate in the market while protecting their privacy meaningfully. Hence, data minimization is essential because it prevents the indiscriminate collection and storage of personal information, which can be exploited for secondary purposes without individuals' consent. Besides, Helen Nissenbaum argues that many data disclosures and secondary uses betray the original purpose of collection and individuals' expectations, disrupting what she describes as contextual integrity. When companies collect more data than necessary, they violate individuals' privacy, undermine trust, and erode the relationship between consumers and service providers. Organizations can mitigate the risks associated with data breaches, unauthorized access, and misuse of personal information by adhering to data minimization. It gives individuals more control over their data and reduces the likelihood of identity theft or discrimination.
Next, purpose limitation is important because it ensures that data is collected and processed only for specified, explicit, and legitimate purposes. This is outlined in GDPR Art. 6, which establishes clear boundaries around the use of personal data, requiring organizations to define and communicate their purposes for processing data to individuals through privacy notices. Organizations must adhere closely to these stated purposes, limiting data processing activities accordingly. If there is a desire to use the data for a new purpose incompatible with the original one, explicit consent must be obtained again. While regulations such as the CCPA may not strictly require consent prior to data collection, they do mandate that consumers receive notice about the categories of personal information collected and the purposes for which it will be used. This highlights the importance of purpose limitation in safeguarding individuals' privacy rights, promoting transparency, and ensuring that personal data is used responsibly and ethically.
Lastly, allowing consumers to opt out of the processing of sensitive personal information is important. Last semester, we saw the Do-Not-Call Implementation Act enforced by the FTC: consumers who are annoyed by unsolicited phone calls can easily opt out, and consumers who are okay with the calls need to do nothing. Under the Act, consumers who choose to place their numbers on a Do Not Call registry maintained by the FTC are entitled to a reduction in non-political, non-charity calls by businesses with whom they have no pre-existing relationship. The Act passes a cost-benefit test: it is significantly welfare-enhancing at a low cost. Incorporating opt-out mechanisms for the processing of sensitive personal information, akin to the provisions of the Do-Not-Call Implementation Act, can greatly benefit future facial recognition laws, because it can mitigate privacy concerns and enhance consumer welfare, thus promoting trust and accountability in developing and deploying facial recognition technology.