Skip to content

Individuals may know what information they post about themselves on the internet, but they have little to no idea what information about them is collected, processed, sold and used by a growing industry of data brokers and their customers.

Duke Sanford School of Public Policy Professor David Hoffman and Duke Kenan Institute of Ethics Professor Jolynn Dellinger have been leading a project and working with Duke students to determine how to give individuals more protections over that information, part of their overall privacy and democracy research. One of the goals: to make research available to Congressional staff and other stakeholders so that they find solutions to pass a federal privacy law.

“Privacy is a foundational and necessary pre-condition for democracy. Individuals need to understand the risks created for them by organizations using data in ways that may harm them. They also need the ability to obscure or remove inaccurate or harmful data that has been made public by others,” Hoffman said of the project.

The project – Exploring Options: Overcoming Barriers to Comprehensive Federal Privacy Legislation – includes faculty and students from Sanford and Duke School of Law, working directly with Federal Trade Commissioner Christine Wilson, who gave the keynote for the Fall 2021 Wilson Lecture.

Wilson described the work in this way: “I have been tremendously impressed with the skill, creativity, and poise of the student researchers on the project. Their work has added complexity and nuance to my thoughts in this arena, and creates a foundation on which Congress may be able to build compromise solutions to thorny problems.”

Zuo headshot

Tianjiu Zuo, PPS and Economics '23, is one of the student researchers on the project. He wishes some of the content posted about him online by organizations could be removed, but he knows the limits related to privacy law in the U.S. because of his studies and research at Duke.

“Because there is no comprehensive (federal) privacy law, companies like Facebook are not legally obligated to respond to my requests for removal. There are many individuals who want to remove their personal information from the internet, but have no recourse whatsoever,” Zuo said.

Currently, states are taking privacy matters into their own hands without comprehensive federal privacy legislation. Through research, Zuo learned three states have comprehensive data privacy legislation signed into law: California, Colorado and Virginia. Other states are in the process of moving privacy laws through their legislatures, and those laws vary greatly.

“Without a federal law, companies are largely free to collect and store information about you indefinitely. The vast majority of Americans have no say in how their data is used and cannot even request for data to be deleted,” Zuo said.

The two topics often mentioned as barriers to whether a federal law can be put in place are the degree to which that federal law will preempt state laws and whether the law will allow individuals to sue companies for privacy violations. The team explored these two issues and highlighted options for compromise in the research.

Scalzo headshot

Mark Scalzo JD ’23 is part of the research team. He says, “What drives me to study this is what we are not thinking about. We all have data – about us, what we are doing, what you are looking up online, where you are going. But we don’t have a law that says we own that info. Tech companies like Google are allowed to keep and use the data, on terms we have to agree to in order to use their services. The question is: What should those terms of service require of them?”

To explore this question, the research team explored what federal privacy legislation might look like. The students researched different options, such as:

  • What would happen if consumers sued directly, i.e. private right of action?
  • Should consumers be allowed to seek damages?
  • If a private right of action is not included, then what other remedies might accomplish the same goals?
  • What role should the states have?
  • What should the FTC be responsible for?
  • How might tech companies be monitored or supervised by the FTC or another entity?

Typically, policy proposals in this area include either broad preemption or a private right of action. Yet, Scalzo said the research showed him that solutions don’t have to be all or nothing. Legislation could include an array of remedy options that could both serve to protect consumers and provide uniform national standards.

Desai headshot

“We can have a combination of remedies and have a win-win solution, to protect interests of consumers and companies, but in a different way than has been proposed in Congress. There is a way to get there, with a different mix of policy levers instead of only robust preemption or a private right of action,” he said. “The hope is that legislators and the FTC will look at the research from our project and determine the combination of remedies that could work.”

Devan Desai PPS ’23 had participated in a Bass Connections project with Professors David Hoffman, Jolynn Dellinger and several other members of the public policy, computer science and law school faculties last year focusing on privacy implications of contact tracing related to COVID-19. He developed an interest in privacy policy, which led him to this project. He helped develop the website to display the resources, and his interest and passion for this area grew.

“It is important to explore federal privacy legislation due to the increasing digitization in all aspects of our life. Everything from our health information records to our phone records is being migrated online, which opens our personal information to countless dangers. Ensuring that we have legislation to protect our privacy is essential,” Desai said.

Ogorek headshot

Alexys Ogorek JD ’23 connected with Hoffman via a teaching assistant in her LARW (Legal Analysis, Research, and Writing) class.

“I came to law school without knowing which practice area I wanted to pursue. I was interested in the intersection of technology and policy. After meeting with Professor Hoffman, I realized what a fantastic opportunity this was!” she said.

“Before starting my research, I had no concept of how pervasive and far-reaching a comprehensive federal privacy legislation might be. Federal privacy legislation, to the extent that it exists currently, is largely sectoral except from the FTC’s broad consumer protection authority. While some may say that has worked in the past, it’s important to explore what omnibus privacy legislation would look like [i.e. a comprehensive national privacy law]. Since there hasn’t been omnibus privacy legislation, we looked to comprehensive statutes in other fields, such as the National Traffic and Motor Vehicle Safety Act to explore options on preemption and remedies,” Ogorek said.

Woman smiling

Joanne Kim 'PPS 22 is passionate about tech-ethics and advancing policies which make technology more accessible and safer for everyone. She has been able to work on tech policy issues as part of Professor Hoffman's Cyber Policy Research Program, helping to co-found the Duke Cyber Policy and Gender Violence Initiative and exploring research topics such as stalkerware regulation, data brokers and the ethical use of AI. She said this project presented new opportunities.

“This project was the perfect way to explore different means of approaching federal privacy legislation while also considering how we can best protect individuals,” she said.

“Federal privacy legislation that is comprehensive and thoughtful would help boost our national economy, restore individual trust in the market, and protect personal data,” Kim said. “I hope that this work continues to inform future research, increase dialogue on forming federal privacy legislation, and the best ways to enforce the law.”

In addition to curating possible solutions about a complex issue to help policymakers, the research team found another positive outcome – collaboration across disciplines. Law students gave valuable advice about legal research and a crash course in the law library, while public policy students provided law students with new ways to consider problems and solutions. Several of the undergraduate students are also studying computer science, which was helpful to the entire team.

Hoffman commented on the team, “One of Duke’s strategic advantages is the ability to create interdisciplinary research teams. Our Sanford cyber policy program is fortunate to have tremendous support in the computer science department, the engineering school, the ethics experts on campus, and the law school.”

The students agreed that the cross-disciplinary work was valuable.

“I found it helpful that we were working with people who were not law students, people who are thinking about policy proposals every day,” Scalzo said.

“I was thrilled to be a part of a project that looks at policy issues from multiple perspectives. It has been a great learning experience to wrap your brain around issues from different viewpoints,” Ogorek said.

“The mentorship and assistance I received from the law school students of this project not only made the end product more professional and usable, but they also fostered my intellectual passion for the law. This tremendous experience helped me apply my knowledge from my Sanford classes into reality, which reaffirmed my choice to dive deeper into policy,” Zuo said.

Desai said this project was public policy in action.

“Majoring in public policy has taught me how to view problems from a new perspective,” Desai said. “This project truly exemplified the interdisciplinary work at Duke.”

Learn more: Exploring Options: Overcoming Barriers to Comprehensive Federal Privacy Legislation