The Limits of a Voluntary Framework in an Unethical Data Ecosystem

Document Type


Publication Date





Taylor & Francis




The need for greater privacy protections in the United States has never been greater. In their work, “Ethical Responsibilities for Companies That Process Personal Data”, McCoy et al. (Citation2023) correctly conclude that existing privacy laws and data protections are insufficient. Their proposed framework is an important scholarly contribution. We agree with their ideas about the practical imperatives, principles, recommended actions, and the promise of this work to inform policy. However, we worry that an emphasis on industry self-regulation could detract from full-throated advocacy for strong privacy legislation. Companies have collected and monetized personal data for years, not simply because they do not understand the ethical questions these practices raise or because they require better definitions. We believe the bioethics community must make legislative and regulatory change the primary focus for privacy protections. To support this position, we discuss the perverse economic incentives that may cause companies to advertise privacy protections they do not actually offer, the information asymmetries and knowledge gaps that prevent people from taking personal privacy precautions, and how the practical realities of the data economy minimize the likelihood and impact of a small number of companies opting for meaningful change. We bolster these three arguments with examples involving reproductive data.

This document is currently not available here.

Link to Publisher Site