- Today’s privacy laws are failing because they demand individuals manage their own data in a digital ecosystem too complex to navigate — AI can infer health status, religion, and political views from seemingly innocuous purchase data, without the user’s knowledge or consent.
- The author argues the effective model is product safety regulation: food and auto makers were forced to innovate for safety through liability and pre-market review, and the same framework applied to AI and data could work.
- Meaningful reform would include data minimization requirements, liability for negligent algorithmic design, mandatory pre-launch privacy and safety testing, and restrictions on dark patterns that trick users into sharing data.
- Progress is happening: the “right to delete” — once considered un-American — is now standard in every state consumer-privacy law, and ~40% of states have passed broad consumer privacy statutes.
What Happened?
Writing in the WSJ’s USA250 series, George Washington University law professor Daniel Solove — author of “On Privacy and Technology” — argues that the decade-long effort to protect consumer privacy through notice-and-consent frameworks has failed and that the rise of AI makes the failure definitive. The core problem: AI can now reconstruct intimate personal attributes — health, religion, political views — from data that users reasonably believe to be innocuous, such as soap or soft drink purchases. Meanwhile, privacy laws across roughly 40% of US states ask individuals to manage opt-outs and consent forms across thousands of companies, a task that is practically impossible. The result is a system that creates the appearance of privacy protection while delivering almost none of it.
Why It Matters?
The analogy to food and auto safety is instructive and underappreciated. Before regulation, rancid milk was sweetened with formaldehyde; cars were death traps. The law didn’t solve those problems by asking consumers to test their own milk or inspect their car’s brakes — it imposed liability on manufacturers and required pre-market safety review. That forced innovation toward safety. Solove argues the same logic applies to AI and data: if companies face real liability for deploying algorithms that cause harm, they will build privacy in from the start, just as automakers invented seat belts and airbags in response to safety mandates. Without accountability — either pre-launch review or post-harm lawsuits — there is no incentive to protect users.
What’s Next?
Congress has repeatedly failed to pass comprehensive federal privacy legislation. The most promising path may be state-level momentum: the right-to-delete, once dismissed as impractical, is now universal in state laws. Solove identifies several mechanisms that would constitute genuine progress: data minimization requirements that restrict collection to stated purposes; liability for reckless algorithmic design; bans on dark patterns; and industry standards developed through multi-stakeholder processes. Age verification laws, he warns, can backfire by requiring more data collection rather than less. The core ask is a shift from “user control” to “company accountability” — a reframing that has political support on both left and right but has yet to produce federal action.
Source: The Wall Street Journal
