wsj.com web signal

Solove urges corporate liability to fix AI-era privacy law

TL;DR

  • Daniel Solove argues in the WSJ that consumer-control privacy laws are failing because digital technologies have become too complicated for individuals to manage.
  • His fix shifts responsibility to companies whenever they create an unreasonable risk of harm through uses of data or through AI algorithms.
  • Proposed measures include rigorous data minimization, fiduciary duties, liability for negligent design, liability for harmful algorithms, and multi-stakeholder review.

Privacy law's default fix, hand users more control over their data and let them opt in, has been quietly failing for years, and Daniel Solove argues in the Wall Street Journal that the AI age makes the failure hard to paper over. His diagnosis is blunt: laws that give consumers more control over their data aren't working, because the digital technologies those consumers are supposed to police have become too complicated.

Solove's proposal, as summarised in an outline of the piece, is to move the burden off individuals and onto the companies that build and profit from the systems. He argues privacy laws must hold companies accountable whenever a company creates an unreasonable risk of harm through uses of data or through AI algorithms, and he sketches a menu of measures to do it: rigorous data minimization, fiduciary duties toward users, liability for negligent or reckless technological design, liability for algorithms that cause harm, and multi-stakeholder review of new technologies.

Why this matters if you build with AI rather than write policy: every one of those measures reaches back into engineering choices. Data minimization constrains what you collect and retain. Fiduciary duties change the default of secondary use. Design liability puts a legal price on decisions that were previously just product calls. If a version of this framework ever got adopted, the compliance surface for an AI system would stop looking like a privacy-policy checkbox and start looking more like product safety law.

The honest caveat is that this is an opinion essay, not a bill. What the reporting doesn't give you is a mapping onto specific US federal or state proposals, an estimate of political feasibility, or how the fiduciary and design-liability ideas would interact with existing sectoral rules. The part worth watching is whether any of these ideas, especially algorithmic liability and data minimization as a default, start showing up in the next round of state privacy statutes, because that is where US privacy law tends to move first.

Shared on Bluesky by 3 AI experts