Balkinization  

Monday, December 09, 2024

Privacy Beyond Consent: Cofone’s Call for Privacy Torts

Guest Blogger

For the Balkinization Symposium on Ignacio Cofone, The Privacy Fallacy: Harm and Power in the Information Economy (Cambridge University Press, 2023).

Nikolas Guggenberger

In her seminal work on boilerplate contracts, Margaret Jane Radin distinguishes between World A and World B to illuminate the fundamental tension between contract theory’s ideals and modern contractual reality. World A embodies the classical paradigm: contracts emerge through meaningful negotiation between informed equals. Here, parties exercise genuine autonomy, carefully reviewing terms before signaling informed consent. This world reflects contract law’s theoretical foundation—voluntary agreements between parties who comprehend and actively shape their obligations. In World A, freedom of contract justifies the enforcement of promises against people’s future selves, as Kaiponanea Matsumura put it.

World B depicts contemporary consumer contracting: dense boilerplate terms imposed unilaterally, often buried in clickwrap agreements or fine print. Consent becomes illusory, autonomy a farce. Recognizing boilerplate as binding contracts, Radin argues, fundamentally undermines contract law’s moral premises. Sheer ignorance cannot justify the waiver of rights or the creation of duties. When “consent” means blind subordination, contract law no longer serves its intended function of facilitating voluntary exchange. Or, as Friedrich Kessler observed some 80 years ago, modern contracting “enables enterprisers to legislate by contract ... in a substantially authoritarian manner without using the appearance of authoritarian forms.”

In his tour de force through privacy law’s systemic shortcomings, The Privacy Fallacy, Ignacio Cofone squarely locates contemporary data management practices in the privacy equivalent of World B, that of meaningless acquiescence to unread privacy policies. And he is right in his assessment. ‘Notice and choice’ is inherently deficient. It indeed provides neither notice nor choice. Worse, it is inept to address informational capitalism’s threats to the common good, from democratic self-governance to social equality. However, Cofone’s critique extends far beyond the current ‘notice and choice’ framework in the US or the privacy equivalent of World B more generally. He launches a fundamental challenge to consent as a regulatory mechanism for informational privacy across sectors and jurisdictions. His “book’s core premise,” he explains in the introduction, “is that rather than grounding privacy law on concepts from contract law, which sets the rules for voluntary agreements, we need to ground it on concepts from tort law, which sets the rules for harms caused to others.” (p. 4)

Cofone’s comprehensive manifesto against consent enriches privacy discourse with too many interesting observations for me even to attempt to discuss adequately. So, let me focus on three aspects central to Cofone’s argument: the nature of consent, the impact of consent requirements (or lack thereof), and the potential tensions between rejecting consent and endorsing tort liability.

First, consider Cofone’s conceptualization of data consent. He identifies consent as “contract-like” (p. 3), “base[d] on … contract law” (p. 3), steeped in “contractual logic” (p. 5), and defined by a “contractual paradigm” (pp. 10, 127, 162). The realities of data management based on privacy policies indeed mirror Radin’s World B, that of boilerplate contracting. However, reducing data consent to a contractual artifact overshoots. Contracts are based on mutual promises. They create duties and bind our future selves. We trade our future liberty for our current autonomy to shape that future through contracts. Data consent is better understood as permission. Although permission also functions as a means of individual control and is often (especially in the US) tied to a contract, it conceptually differs. And this difference matters.   

Under the GDPR, which Cofone frequently invokes, the data relationship between the data subject and data processor is decisively non-contractual. Instead, data consent creates an independent legal relationship. As Cofone explains (p. 64), the GDPR allows users to withdraw their consent—freely and at any time. Put differently, consent is not legally binding for the future under the GDPR. As in the areas of bodily integrity or sexual self-determination, consent does its moral magic only at the very moment. Even if we want to, we cannot bind our future selves. However, the practically more relevant difference between data consent and contract under the GDPR results from the different thresholds for consent’s legal validity, which Cofone analyzes in detail (pp. 58, 89-96). None of this sounds very contractual. Consequently, in Meta v. Bundeskartellamt, the ECJ has expressly rejected a contractual construction of the data relationship between users and social media platforms that enables personalized advertising.

The same holds for various US privacy regimes, albeit to a lesser extent. The non-discrimination provision in California’s Consumer Privacy Act necessarily presumes a data relationship distinct from the consumer contract and not governed by contractual imperatives. HIPAA restricts the conditioning of services on data usage authorizations, suggesting that there is more than just a contract. Similar to the GDPR, HIPAA allows individuals to revoke authorizations freely, albeit with exceptions. Whatever one might think of the effectiveness of data consent, characterizing it as contractual remains a stretch.

Second, Cofone is correct when he laments the current privacy framework’s inadequacy. To date, control is an illusion for all the reasons Cofone provides. That, however, speaks more to the current framework’s lax consent requirements than it does to the capacity of consent as a regulatory tool to prevent privacy harm. Actual, meaningful consent requirements, which World A is built on, would be radical—much more so than any liability regime for privacy harms. The reason is simple: World A-type consent does not scale.

If we wanted to, we could require that platform representatives sit down with every user and explain the privacy risks associated with personalized advertising before serving an ad. After all, we require anesthesiologists to go through the potential side effects of anesthesia before surgery. What may sound absurd on its face goes to show that meaningful consent is possible. It is incompatible with informational capitalism’s dominant business model of data extraction for behavioral manipulation.

For evidence of the impact of consent requirements, consider Illinois and Texas. Because of relatively strict consent requirements in biometric privacy laws (but far short of what is required in the medical context), companies have pulled several applications from the market and paid billions of dollars in fines. The consent requirements effectively work as data usage limitations. And it is well plausible that Meta v. Bundeskartellamt will end personalized advertising as we know it in Europe. All that is to say, requiring real consent is possible. It would not manifest as control but as a data usage limitation for many, if not most, practical purposes. And, for better or worse, it would be radical.

Third, Cofone advocates for a dual regulatory approach to replace consent-based governance: (1) ex-ante prohibitions to reduce privacy risks and (2) robust liability rules when harms occur. “Ideally,” he asserts, “data protection law would abandon consent provisions, make data protection rights independent of individual control, shift from procedural mandates into substantive ones, and expand systemic provisions” while establishing a complementary civil liability regime (p. 89). With a blend of theory, doctrine, and colorful examples, Cofone excellently illustrates the loopholes in today’s torts regime and convincingly argues for an expansion of tort liability.

Nevertheless, I see some tension between the unabashed rejection of consent and the endorsement of tort law expansion. Cofone preempts invocations of consent as a justification for privacy harm by pointing at product liability. We also cannot “accept the risk that [our] car engine may combust” when purchasing a new vehicle, he argues (p. 88). However, the difference between product liability for cars and data lies in the type of harm. For injuries from vehicles, we can safely assume that no one wants to express their identity by having their arm dismembered. For privacy harm, this question is more complicated. It requires an inquiry into the individual’s expressive preferences.

In many cases, this inquiry will be straightforward. For example, no one wants their information hacked. This is why cybersecurity, as Cofone points out, is a low-hanging fruit for tort liability. For the same reason, it comes as little surprise that the FTC first managed to maneuver beyond consent and toward substantive fairness in this domain. Concerning the sharing or usage of intimate photos or information about our sexual identity, however, I remain unsure how we can assess harm without reverting to individuals’ expressed preferences (i.e., consent). Thus, at least in some cases, consent will necessarily continue to feature prominently, albeit implicitly.

Cofone’s The Privacy Fallacy is an essential read for anyone grappling with the complexities of privacy law in the digital age. It challenges entrenched assumptions, proposing bold shifts that could redefine how we regulate data and protect individuals from harm. By blending rigorous theoretical analysis with practical legal insights, Cofone not only critiques the current reliance on consent but also charts a compelling path forward. The book’s comparative perspective, enriched by examples and thoughtful engagement with existing frameworks worldwide, makes it a standout contribution to privacy discourse.

Nikolas Guggenberger is Assistant Professor, University of Houston Law Center. You can reach him by e-mail at nguggenb@central.uh.edu.


