The Inadequate, Invaluable Fair Information Practices
For the past thirty years, the general advice for those seeking to collect, use, and share people’s personal data in a responsible way was relatively straightforward: follow the fair information practices, often called the “FIPs.” These general guidelines were designed to ensure that data processors are accountable for their actions and that data subjects are safe, secure, and endowed with control over their personal information. The FIPs have proven remarkably sturdy against the backdrop of near-constant technological change. Yet in the age of social media, big data, and artificial intelligence, the FIPs have been pushed to their breaking point. We are asking too much of the FIPs, yet they are far too entrenched and important to be abandoned.
New privacy risks present an opportune moment to assess the state of the FIPs in the modern world and ask whether they are up to the task. This Essay is an attempt to identify the practical virtues and limitations of the FIPs in order to help privacy law evolve while retaining traditional notions of data accountability. I argue that while we cannot do without the FIPs, it is time for lawmakers to stake out new ground. They should pay more attention to things like anti-competitive behavior and the design of information technologies. The FIPs are necessary, but not sufficient. To make privacy law whole, the FIPs must be treated as one of several frameworks to protect our personal information and people's ability to consent to data practices must be treated as a finite