Lindsey Barrett


In scope, ambition, and animating philosophy, U.S. privacy law and Europe’s General Data Protection Regulation are almost diametric opposites. The GDPR’s ambitious individual rights, significant prohibitions, substantive enforcement regime, and broad applicability contrast vividly with a scattershot U.S. regime that generally prioritizes facilitating commerce over protecting individuals, and which has created perverse incentives for industry through anemic enforcement of the few meaningful limitations that do exist. A privacy law that characterizes data collectors as information fiduciaries could coalesce with the commercial focus of U.S. law, while emulating the GDPR’s laudable normative objectives and fortifying U.S. consumer privacy law with a moral valence it often lacks. Similar to classic fiduciaries like doctors or lawyers, information fiduciaries would owe duties of loyalty, care, and confidentiality to their clients—affirmative commitments to individuals that the laissez-faire approach of U.S. privacy law generally does not require. Fiduciary duties are also derived from the context of commercial relationships, where the law balances the professional prerogatives of the fiduciary with the rights (and vulnerabilities) of the client. Crucially, an information fiduciary model can strengthen protections for privacy, equality, and autonomy in the digital age, echoing the GDPR’s normative objectives, while balancing those principles with the competing aims (and constraints) of the U.S. legal ecosystem.