Key Takeaways: Chapter 31 — Privacy as a Right
Core Concepts
1. Privacy as a legal right is a modern invention. Warren and Brandeis's 1890 article "The Right to Privacy" created the foundational legal argument for privacy as a right grounded in personhood. Before this, legal protections for personal information came only indirectly through property and contract law. Their framework — privacy as protection of "inviolate personality" — remains foundational a century later.
2. The Fourth Amendment protects people, not places, but only where expectations are "reasonable." Katz v. United States (1967) untethered Fourth Amendment analysis from physical property, establishing that constitutional protection follows wherever people have a reasonable expectation of privacy. But this standard is vulnerable to erosion through normalization: as surveillance becomes common, courts may find expectations of privacy increasingly unreasonable.
3. The third-party doctrine is the central vulnerability of digital privacy under U.S. law. Smith v. Maryland (1979) held that information voluntarily shared with third parties loses Fourth Amendment protection. In an era when virtually all digital communication, commerce, and movement is mediated by corporate third parties, this doctrine effectively strips constitutional protection from most of digital life.
4. Carpenter v. United States (2018) partially corrected the third-party doctrine without overruling it. The Supreme Court required warrants for long-term cell site location information, finding it qualitatively different from the phone numbers in Smith. But the decision is explicitly narrow, leaving unresolved whether warrants are required for other categories of digital third-party records.
5. The U.S. uses a sectoral approach to statutory privacy law, with significant gaps. HIPAA (health), FERPA (education), COPPA (children's online data), ECPA (electronic communications), and other sector-specific laws protect specific types of information in specific contexts. Data brokers, behavioral advertising, and most commercial data collection operate largely outside these sectoral protections.
6. GDPR represents the most comprehensive privacy framework in the world — with real limitations. The EU's General Data Protection Regulation establishes genuine individual rights (access, deletion, rectification, portability, objection) and imposes meaningful obligations on data processors. Its enforcement record includes historically large fines. But enforcement is slow, geographically concentrated, and hampered by the "one-stop shop" mechanism that concentrates cases in industry-friendly Ireland.
7. California's CCPA/CPRA is the strongest U.S. privacy law and the closest American analog to GDPR. The California framework establishes opt-out rights for sale/sharing, access and deletion rights, and a private right of action for breaches. Approximately twenty other states have passed similar (often weaker) legislation as of 2026. No federal law matches this protection.
8. International human rights law establishes privacy as a universal right, but enforcement is weak. Article 12 of the UDHR and Article 17 of the ICCPR protect privacy from arbitrary interference. The UN Human Rights Committee has found that mass surveillance programs violate Article 17. But international human rights mechanisms lack the enforcement power of domestic courts.
9. The United States lacks comprehensive federal privacy legislation — this is a political choice, not a technical gap. Attempts to pass federal privacy law have repeatedly failed due to industry lobbying, preemption disputes between federal and state levels, and partisan disagreements about enforcement mechanisms. The gap between what GDPR provides and what U.S. federal law provides is not an accident.
10. Individual rights can be exercised, but doing so is deliberately difficult. Data access requests, opt-out forms, Global Privacy Control signals, and complaints to regulatory authorities are real tools that produce real results. But they require knowledge, effort, and repetition that most people cannot or will not sustain. An opt-out system — where surveillance is the default — is a political choice that favors surveillance over privacy.
Key Cases

| Case | Year | Holding | Significance |
|---|---|---|---|
| Katz v. United States | 1967 | Fourth Amendment protects reasonable expectations of privacy | Replaced physical trespass doctrine |
| Smith v. Maryland | 1979 | Third-party doctrine: shared information loses 4th Am. protection | Gutted digital privacy protection |
| Carpenter v. United States | 2018 | Warrants required for long-term cell site location data | Partial correction of third-party doctrine |

Key Laws

| Law | Coverage | Key Rights |
|---|---|---|
| HIPAA | Health info held by covered entities | Access, breach notification |
| FERPA | Student education records | Access, correction, disclosure consent |
| COPPA | Children's online data (under 13) | Parental consent required |
| GDPR (EU) | All personal data, all sectors | Access, deletion, portability, objection |
| CCPA/CPRA (CA) | California residents, commercial entities | Know, delete, opt out, correct |

Jordan's Arc in This Chapter
Jordan moves from passive awareness to active agency: they learn they have legal rights, discover how to exercise them, attempt to do so, and encounter the gap between formal rights and practical reality. Their data broker opt-out experience — requiring a driver's license photo, repeated submissions, inevitable reaccumulation — is a microcosm of the broader privacy-law landscape: real rights, real limitations, designed friction.
Looking Ahead
Chapter 32 moves from legal frameworks to practical tools: encryption, anonymization, VPNs, and the behavioral and technical strategies available for counter-surveillance. Where this chapter asked "what does the law protect?", the next asks "what can you actually do?"
One-Sentence Summary
Privacy law in the United States is a patchwork of sectoral protections, constitutional doctrines eroded by the third-party doctrine, and state laws that partially compensate — all of which fall significantly short of the comprehensive protection that the scale of contemporary surveillance demands and that the EU's GDPR attempts to provide.