Reconciling Data Privacy and the First Amendment

INTRODUCTION

Although private-sector databases containing large amounts of personal information have existed for several decades, a number of recent technological advances and cultural shifts have enabled the easier dissemination of such information and the creation of larger, more detailed, and more useful databases.1 While these advances permit ever-more efficient and valuable uses of consumer information by businesses, they also raise a cluster of undeniable but poorly¬defined legal issues about the rights of consumers to participate in, oversee, or control the ways in which data about them is used. Proposals attempting to grapple with and resolve this so-called “database problem”2 have been bedeviled by a range of practical and theoretical objections. Foremost among these objections is the widely¬held belief that because the First Amendment protects at its core the dissemination of truthful information, any right of “data privacy” is in direct conflict with the First Amendment because any attempt to regulate the flow of personal data would inevitably require the government to impose unconstitutional restrictions on speech. This position, which I call the “First Amendment critique” of data privacy, enjoys widespread currency in the legal academy, the private sector, and recent privacy jurisprudence. For example, Eugene Volokh has argued that “[w]e already have a code of ‘fair information practices,’ and it is the First Amendment, which generally bars the government from controlling the communication of information (either by direct regulation or through the authorization of private lawsuits).”3

This Article takes issue with the conventional wisdom that regulating databases regulates speech, that the First Amendment is thus in conflict with the right of data privacy, and that the Constitution

1 See, e.g., Philip E. Agre and Marc Rotenberg, eds., Technology and Privacy: The New Landscape (1997)

2 Scholars grappling with the “database problem” have argued that the rights of individuals are threatened by detailed private-sector databases containing profiles of their preferences, potentially embarrassing information about their health, political views, or sexual activities or inclinations. See sources cited id.

3 Eugene Volokh, Free Speech and Information Privacy: The Troubling Implications of a Right to Stop People from Speaking About You, 52 Stan. L. Rev. 1049, 1051 (2000).

Richards Reconciling Data Privacy and the First Amendment 3

thereby imposes an insuperable barrier to basic efforts to tackle the database problem. I argue that the relationship between privacy and the First Amendment is complex, but it is not irreconcilable. Much of the problem results from an underappreciation of the definitional murkiness that suffuses existing legal conceptions of “privacy” and “speech.” Such murkiness has allowed what are essentially consumer protection issues in the economic rights context to be transformed into civil rights issues of the highest magnitude, as opponents of data privacy regulation have seized upon the First Amendment as a handy means of derailing proposals to deal with the database problem. The First Amendment critics thus overstate the First Amendment issues at stake in the context of most database regulation proposals, because such proposals are not regulation of anything within the “freedom of speech” protected by the First Amendment. Putting First Amendment rights talk to one side allows us to look at data privacy rules more concretely. Such an approach reveals that a wide variety of these rules are fully justifiable under well-established First Amendment theory, either because they do not regulate “speech,” or because such regulations are consistent with existing doctrine.

My approach has, I believe, significant advantages for both data privacy and free speech. On the privacy side, harmonizing data privacy with free speech removes a significant theoretical and practical obstacle to constructive discussions about, and potential solutions to, the database problem. It also avoids the constitutionalization of domestic information policy, permitting that policy to be developed in a way that reflects the enormous complexity of the issue. And on the speech side, recognition of the murkiness in the way we perceive the existence or not of First Amendment problems allows us to more effectively assess both speech and non-speech issues. More fundamentally, resisting the creep of First Amendment analysis into the economic rights and commercial context preserves the basic and essential division between civil and economic rights at the core of modern constitutionalism.

I develop this claim in four parts. Part I sets forth the data privacy issues raised by the collection, aggregation, and use of large amounts of personal information by private-sector businesses. It then sketches the First Amendment critique, which posits that attempts to regulate the database problem through law run directly into the unyielding strictures of the First Amendment. Under this view, data privacy rules that give individuals the right to control how their personal information is used restricts communications between speakers and thus impermissibly burdens the First Amendment. The

Richards Reconciling Data Privacy and the First Amendment 4

critique suggests not only that legal protection of data privacy is contrary to current First Amendment jurisprudence, but also that creating new free speech exemptions to permit data privacy “speech restrictions” would have many unfortunate consequences, including providing powerful rationales to support other, less benign speech restrictions. I argue that although the critique raises a host of practical and theoretical problems for data privacy law, information policy, and even free speech theory itself, existing scholarly responses to the First Amendment critique of database regulation are either incomplete or unsatisfying because they grant too much ground to the First Amendment critics with respect to the scope of the First Amendment in this context.

Part II responds to the First Amendment critics by suggesting that the simple logic of privacy regulation being equivalent to speech regulation is incorrect. Indeed, I suggest that this is entirely the wrong way to frame the issue, as it rests on an overbroad conception of the types of rules that are perceived to implicate First Amendment analysis. The First Amendment critics’ assumption ignores not only the reality that few data privacy rules actually involve speech, but also significantly overstates the breadth of the protection afforded by the First Amendment. I argue that database regulation will only rarely implicate “speech” protected by the First Amendment, since large categories of regulations of what is commonly understood to be “speech” (such as criminal solicitation, anticompetitive offers, and copyright infringement) do not in reality trigger heightened First Amendment scrutiny. Building upon the work of the few scholars to have examined the First Amendment in this way, I suggest that much of this “speech” is either outside the scope of the freedom of speech protected by the First Amendment, or a hitherto unnoticed category of speech treated to rational basis scrutiny. I then defend this conception of the scope of First Amendment analysis against both First Amendment critics and their pro-privacy opponents.

Having reconceptualized the relationship between free speech and privacy, Part III responds to the First Amendment critique in more detail, demonstrating how existing doctrine fully supports a wide variety of privacy regulations without violating the First Amendment. In order to more easily assess and demonstrate the constitutionality of such rules, I divide privacy rules that implicate information flows into four categories: collection rules, use rules, disclosure rules, and telemarketing rules. Information collection rules, which govern the circumstances under which persons can collect information about others, create virtually no First Amendment problems, and have been

Richards Reconciling Data Privacy and the First Amendment 5

upheld in a wide variety of contexts. Similarly, information use rules also raise few issues of constitutional magnitude, as our law does not consider the use of information to make decisions to be “speech” any more than collecting information is “speaking.” While information disclosures are a harder case than use or collection, I demonstrate that, when properly conceptualized, nondisclosure rules in the database context do not significantly implicate the First Amendment. Regulating how two parties to a commercial transaction act with respect to information received during that transaction no more offends the Constitution than government regulation of other aspects of the commercial relationship. Indeed, our law is replete with instances where confidential information is protected against disclosure under a whole host of public and private law rules, few of which have ever been thought to involve restrictions on speech. Finally, I address direct regulation of telemarketing, and argue that although such regulation certainly implicates the commercial speech rights of telemarketers, the First Amendment nevertheless permits significant regulation of telemarketing activity. Accordingly, I argue, ordinary data privacy rules are fully consistent with the First Amendment.

Finally, Part IV contends with the First Amendment critique at a more abstract level, placing the critique in its historical and jurisprudential context. I argue that when viewed from the twin perspectives of privacy law and First Amendment law, the real theoretical problems of the First Amendment critique are made manifest. From the privacy law perspective, the modern First Amendment critique of data privacy regulation will, if it is unchallenged, prohibit discussion and resolution of the tremendously thorny database problem, thereby constitutionalizing national information policy and placing its resolution outside the democratic process. Indeed, the parallels between the strong form of the First Amendment critique and the discredited “liberty of contract” doctrine of the Lochner period are striking. Drawing upon recent scholarship treating legal history as a species of intellectual history, I argue that both Lochner and the First Amendment critique attempt to respond to the leading economic public policy issue of their day with a liberal theory of rights constitutionalism that is fundamentally flawed. Finally, looking at the critique from the First Amendment law perspective, I argue that the broad, expansive, and slippery conceptualization of the First Amendment at the core of the First Amendment critique is ultimately inconsistent with the basic dualist premise of modern constitutionalism – the bifurcated standards of judicial review given to civil versus economic rights. I assert that that

Richards Reconciling Data Privacy and the First Amendment 6

the critique paves the way for the obliteration of the distinction between economic and civil rights at the core of American Constitutional law since the New Deal. Serious recognition of the First Amendment critique would therefore, I argue, result not only in the constitutionalization of a major and complex policy issue, but would also threaten to unravel the basic premise upon which post-New Deal constitutionalism is based.

I. THE FIRST AMENDMENT CRITIQUE OF DATA PRIVACY REGULATION

First Amendment rights of free speech and press and data privacy rights have been locked in a seemingly irresolvable conflict ever since Charles Warren and Louis Brandeis sketched the basic contours of a common-law notion of privacy in their foundational 1890 article “The Right of Privacy.”4 Warren and Brandeis attempted to establish a common law tort of “privacy” to protect principally against intrusions by an overzealous media.5 Although a conflict between privacy and speech might thus seem inevitable, this conclusion is belied somewhat by the fact that both privacy law and modern First Amendment doctrine can trace their origins back to the turn of the twentieth century when both were guided significantly by the writings of Louis Brandeis. Thus, while Brandeis’ famous Harvard Law Review article is understood as the progenitor of twentieth century privacy jurisprudence, his concurrence in Whitney v. California6 has been equally influential in the development of modern free speech jurisprudence.7

Although privacy and speech have shared an uneasy coexistence in American law, I believe that much of this problem stems from the conceptual murkiness in both doctrines. Despite its recognition for over a century,8 privacy has remained a vague and poorly-articulated theory which modern commentators despair at being able to define coherently. 9 Although the First Amendment has received greater theoretical attention by judges and scholars, I argue

4 Charles Warren and Louis Brandeis, The Right of Privacy, 4 Harv. L. Rev. 193 (1890).

5 See id. at 195.

6 274 U.S. 257 (1927).

7 See G.E. White, The Constitution and the New Deal 143 (2000).

8 See Kent Gormley, One Hundred Years of Privacy, 1992 Wis. L. Rev. 1335 (1992).

9 See Jerry Kang, Information Privacy in Cyberspace Transactions, 50 Stan. L. Rev. 1193, 1202 (1998)

Richards Reconciling Data Privacy and the First Amendment 7

that latent murkiness in First Amendment theory also persists that exacerbates the perceived tensions with privacy.10 Nevertheless, when the First Amendment and privacy have come into conflict in the past, most significantly in a long line of Supreme Court cases invalidating attempts to impose liability on the press for committing the tort of disclosure of private information, the First Amendment has universally triumphed.11 Such a result is undoubtedly consistent with the basic tenet of modern constitutional law that public discussions of issues of matters of public concern “should be uninhibited, robust, and wide¬open.”12 Modern First Amendment critics of data privacy regulation hearken back to this long tradition of privacy being in tension with the First Amendment, with privacy inevitably losing out when weighed against the constitutional primacy of free speech. And although defenders of privacy have struggled to articulate a theory whereby privacy rules can withstand First Amendment scrutiny, few scholars have been able to articulate persuasive justifications why any modern right of data privacy can survive when pitted against the robust modern First Amendment.

With this context in mind, I attempt in this Part to frame the basic problem facing scholars, judges and lawmakers confronting the conceptual intersection of data privacy and the First Amendment. First, I briefly describe the database problem in order to identify the practical stakes in this often theoretical debate. Second, I describe the First Amendment critique of data privacy regulation. I argue that no compelling response to the First Amendment critique has yet been fully articulated in the privacy literature

A. The Database Problem

There is a vast and often redundant literature describing the database problem, and I have no intentions of adding to it here.13 However, a brief overview of the contours of the problem will be helpful in setting up and contextualizing the analysis that follows. Governments have, of course been keeping records about their citizens

10 See infra Part II.

11 See, e.g., Bartnicki v. Vopper, 532 U.S. 514 (2001) (collecting cases).

12 New York Times v. Sullivan, 376 U.S. 254 (1964).

13 For a more detailed discussion of the database problem, see sources cited supra note 1. For more a slightly more recent treatment of this issue, see, e.g., Stan Karas, Privacy, Identity, Databases, 52 Am. U. L. Rev. 393 (2002).

Richards Reconciling Data Privacy and the First Amendment 8

for centuries, most notably tax and criminal records.14 The federal census, conducted since 1790, raised what we would today call privacy concerns at least as early as the nineteenth century, when federal law protected the confidentiality of information collected by the government.15 In the twentieth century, with the expansion of American government during and after the New Deal period, dozens of national government agencies including the FBI, the Internal Revenue Service, the military, and the Social Security Administration began keeping trillions of records on individual citizens.16 The invention and spread of increasingly cheaper and more capable computers only facilitated this process, particularly as the use of social security numbers as uniquely effective personal identifiers has enabled agencies to link records and integrate them with other databases, including state and private databases.17 As the Supreme Court has itself recognized, today, government possesses an “accumulation of vast amounts of personal information in computerized data banks or other massive government files” including that taken from “the collection of taxes, the distribution of welfare and social security benefits, the supervision of public health, the direction of our Armed Forces, and the enforcement of our criminal laws.”18 Although public sector databases create significant privacy problems, including increasing the risk of identity theft, chilling of expressive but eccentric behaviors, revelation of embarrassing information to private parties, and raising the spectre of an Orwellian state,19 such problems can be addressed (at least at a theoretical level) through ordinary public law rules without any significant constitutional impediments.2 0 No one suggests that the government has any right to publish any and all secrets it learns about its citizens absent a need to do so

14 Robert Ellis Smith, Ben Franklin’s Web Site: Privacy and Curiosity from Plymouth Rock to the Internet 12 (2000)

15 See Act of Mar. 1, 1889, ch. 319, §§ 8, 13, 25 Stat. 760. (imposing $500 fine for disclosure of census information)

16 Joseph Campbell, The Growth of American Government 231-32 (1995).

17 Id. at 232.

18 U.S. Dept. of Justice v. Reporters Committee for Freedom of Press, 489 U.S. 749, 770 (1989).

19 Daniel J. Solove, Access and Aggregation: Privacy, Public Records, and the Constitution, 86 Minn. L. Rev. 1137, 1138 (2002).

20 For example, the Privacy Act of 1974, Pub. L. No. 93-579, 5 U.S.C. § 552a, gives individuals certain rights with respect to data about them in federal government databases.

Richards Reconciling Data Privacy and the First Amendment 9

Supreme Court has stated on several occasions that individuals have a constitutional right to prevent the government from making public at least certain kinds of information about themselves.21

The same technological advances that have permitted the creation of public sector databases have also allowed businesses and other private sector entities to keep ever larger and more detailed records about individuals. These records can be created in a variety of ways, including human resource databases, information collected from promotional activity such as contests and mass mailings, and perhaps most important, transactional data from non-cash purchases, frequent shopper programs, and Internet and telephone use.22 Such information often has more value as a saleable commodity than for the purposes for which it was originally collected. Indeed, corporations are eager to acquire many different kinds of information about consumers, including information about their lifestyles, tastes, and even psychological profiles.23 Such information is provided by the “profiling industry,” a group of companies that aggregate information contained in private databases to create consumer profiles that are then offered for sale to interested businesses. The level of detail contained in such profiles is striking, and can include information such as a person’s social security number, shopping preferences, health information including diseases and disorders suffered, financial information, race, weight, clothing size, arrest record, lifestyle preferences, hobbies, religion, reading preferences, homeownership, charitable contributions, mail order purchases and type, and pet ownership.24 Such information can be bought for as little as $65 per million names, categorized by the type of consumer sought by marketers.25 One profiling company was reported to have personal and private information about virtually every consumer in the United States, Britain, and Australia.26 In addition to being intrusive and deeply unsettling to many people, the multi-billion dollar profiling

21 Whalen v. Roe, 429 U.S. 589 (1977)

22 Philip E. Agre, “Introduction,” in Technology and Privacy: The New Landscape 3 (Agre & Rotenberg, eds. 1997)

23 Solove, supra note 1, at 1404.

24 Electronic Privacy Information Center, “Privacy and Consumer Profiling,” supra note 22.

25 Id.

26 See Michael Froomkin, The Death of Privacy, 52 Stan. L. Rev. 1461, 1473-74 (2000). See also Solove, Privacy and Power, supra note 1, at 1406-07 (collecting other examples).

industry provides the lifeblood of data on which the direct marketing industry survives.27

At the practical level, such activities raise at least four kinds of privacy concerns. First, databases can be used to process “sensitive information” – non-newsworthy but nonetheless potentially embarrassing or highly personal information that most people would be horrified were it to float freely from database to database. Second, “uber-databases” can be created, comprised of non-sensitive information in such enormous quantities that the database comprises a highly detailed dossier of a person’s entire existence.28 Third, the information contained in consumer profiles can be quite inaccurate.29 Finally, there are no real legal requirements that personal information in consumer profiles be kept securely. If used improperly, the sheer level of detail contained in consumer profiles can facilitate crimes such as identity theft,30 stalking,31 or harassment.32

In addition to the privacy threat posed by the database and profiling industries, large-scale private databases significantly raise the stakes for government surveillance. Governments have long used private records to spy upon their citizens – often with sinister consequences33 – and the availability of larger and more detailed

27 See Ely R. Levy & Norman I. Siber, Nonprofit Fundraising and Consumer Protection: A Donor’s Right to Privacy, 15 Stan. L. & Pol’y Rev. 519, 543-44 (2004).

28 See, e.g., Karas, supra note 13, at 437-39.

29 See, e.g., John Rothchild, Protecting the Digital Consumer: The Limits of Cyberspace Utopianism, 74 Ind. L.J. 893, 972-73 (1999).

30 See Daniel J. Solove, Identity Theft, Privacy and the Architecture of

Vulnerability, 54 Hastings L.J. 1227 (2003).

31 One of the most alarming incidents involves the case of Amy Boyer who was murdered at her workplace by man who received Boyer’s date of birth, social security number, home address, and work address, successively, from an information broker. The information broker had used pretexting—using already available information and lying about one’s identity and purpose—to get Boyer to reveal her employment information. See Remsburg v. Docusearch, Inc., 149 N.H. 148, 155 (N.H., 2003).

32 For example, in one case, a major profiling company used inmates to process consumer data surveys. One of the prisoners then used information from one woman’s survey, including her name, address, buying habits, and medical information to harass her, sending her a sexually-explicit letter sprinkled with personal, identifying details about her, and proposing a visit to her address upon his release. See Stanley Arkin, Misuse and Misappropriation of Electronically Stored Information, 226 N.Y.L.J. No. 15, at 3 (July 23, 2001).

33 Perhaps the most sinister such use of business records was in 1940, when the invading German armies used business records among other sources to identify Jews for roundup by the Gestapo. See Richard Sobel, The Degradation of Political Identity under a National Identification System, 8 B.U.J. Sci. Tech. L. 37, 52 (2004)

private records about people naturally makes such forms of surveillance easier for governments to engage in. Indeed, recent activities by the federal government to investigate and forestall terrorism have frequently relied on computerized private sector customer records containing financial, airline passenger, and other data.34

But database privacy is a complex problem, and database regulation would be costly.35 This is particularly true insofar as privacy regulations by their very nature would tend to keep information away from individuals who would like to see it, be they employers, credit card companies, potential spouses, or even journalists. In addition, it seems clear that regulation of profiling practices would provide at a minimum, significant economic costs to that industry. But many scholars have argued that there are other costs to privacy regulation. Kent Walker asserts that “[l]egislating privacy comes at a cost: more notices and forms, higher prices, fewer free services, less convenience, and, often, less security.”36 Some commentators have argued that broad privacy rules would not only be costly, but also could lead to unintended consequences.37 In addition, most law and economics scholars who have considered the issue conclude that because privacy rules decrease the total supply of information, they are inefficient and thus undesirable because they increase transaction costs and encourage fraud.38 Others extend this

see also Wayne Madsen, Handbook of Personal Data Protection 22-23 (Macmillan Publishers Ltd. 1992).

34 Robert O’Harrow, Jr., In Terror War, Privacy vs. Security: Search for Illicit Activities Taps Confidential Financial Data, Wash. Post, June 3, 2002, at A1

35 For varying estimates, see Industry Studies Attack Web-Privacy Laws, WALL STREET JOURNAL, March 31, 2001, at B6 (regulation would cost the 90 largest financial institutions $17 billion per year), see, e.g., Walker, The Costs of Privacy, 25 Harv. J. L. & Pub. Pol’y 87, (2002) (estimating $17.6 billion cost of privacy legislation relating to medical information costs)

36 Kent Walker, The Costs of Privacy, 25 Harv. J. L. & Pub. Pol’y 87, 88 (2002).

37 Robert W. Hahn & Anne Layne-Farrar, The Benefits and Costs of Online Privacy Legislation, 54 Admin. L. Rev. 85, 158-61 (2002).

38 See, e.g., Richard A. Posner, The Right of Privacy, 12 Ga. L. Rev. 393 (1978)

argument and claim that the inefficiency of privacy rules actually means that consumers are better off with less privacy regulation than with more, as the free, unfettered flow of information leads to a socially optimal result of lower prices for consumers.39

B. The First Amendment Critique

My purpose thus far has been not to advocate solutions to the database problem, but merely to suggest that the problem is a complex and important one that demands serious and thoughtful deliberation before a satisfactory resolution can be achieved. However, although the database problem has certainly produced no shortage of proposals attempting its solution,40 virtually all such proposals run squarely into a constitutional claim that because the creation, assembly, and communication of information is at the core of the First Amendment, data privacy rules that restrict this expressive activity improperly burden free speech and are thus largely or entirely unconstitutional. This position, which I call the “First Amendment critique” is a significant theoretical obstacle to data privacy regulation insofar as it asserts that the resolution of the database problem is foreordained by the First Amendment. The simplicity and salience of the critique have resulted in its becoming part of the conventional wisdom in the data privacy debate.41 Indeed, privacy scholars have been unable to refute the critique, which has influenced both constitutional jurisprudence and democratic policymaking.

The most prominent First Amendment critic is Eugene Volokh. Volokh starts from the proposition that although data privacy sounds unthreatening in the abstract, “the difficulty is that the right to information privacy—my right to control your communication of personally identifiable information about me—is a right to have the government stop you from speaking about me.”42 Accordingly, while

39 See Paul H. Rubin & Thomas M. Lenard, Privacy and the Commercial Use of Personal Information 8-10 (2001)

40 See Hahn & Layne-Farrar, supra note 37 (collecting and assessing numerous such proposals).

41 See, e.g., Julie E. Cohen, Examined Lives: Informational Privacy and the Subject as Object, 52 Stan. L. Rev. 1373, 1375-76 (2000).

42 Volokh, supra note 3, at 1050-51.

private agreements to restrict speech are enforceable under express and implied contract principles, any broader, government-imposed code of fair information practices that restricts the ability of speakers to communicate truthful data about other people is inconsistent with the most basic principles of the First Amendment.43 Indeed, Volokh goes so far as to conclude that “despite their intuitive appeal, restrictions on speech that reveals personal information are constitutional under current doctrine only if they are imposed by contract, express or implied.”44 Volokh’s argument thus can be boiled down to two basic elements: First, data privacy regulation that restricts the communication of information and which is not grounded in contract violates the First Amendment

Other scholars make arguments similar to Volokh’s. Relying on the Supreme Court cases invalidating the privacy tort in the context of media publication of truthful facts, Fred Cate has argued more bluntly that electronic information flows should be entitled to full First Amendment protection and that any attempt to restrict the communication of truthful data faces a high (if not insurmountable) First Amendment obstacle.46 Solveig Singleton also suggests that efforts to regulate consumer privacy in the database context run squarely into established First Amendment limits on government power.

43 Id. at 1051.

44 Id. at 1122.

45 Volokh, supra note 3, at 1051. See also id. at 1049 (“the creation of “codes of fair information practices” to protect privacy rights would not only be contrary to the First Amendment, but would also make it “much easier for people to accept ‘codes of fair reporting,’ ‘codes of fair debate,’ ‘codes of fair filmmaking,’ ‘codes of fair political criticism,’ and the like.”)

46 Cate, supra note 1, at 68-71 Cate concludes that “[a]ny government effort to protect privacy, either directly or through the passage or enforcement of laws permitting suits by private parties, faces significant First Amendment obstacles.” Id. at 71.. See also Fred H. Cate, The Privacy Problem: A Broader View of Information Privacy and the Costs and Consequences of Protecting It, 11-20 (Freedom Forum/First Amendment Center 2003)

47 Solveig Singleton, Privacy Versus the First Amendment: A Skeptical Approach, 11 Fordham Intel. Prop. Media & Ent. L.J. 105, 105-06 (2000).

intended to protect privacy by outlawing or restricting the transfer of consumer information would violate rights of free speech.”48 The critique has resonated not just with numerous scholars of a conservative or pro-business bent,49 but also with liberal First Amendment scholars such as Robert O’Neil,50 Rodney Smolla51 and Michael Froomkin.52 Laurence Tribe has also publicly argued that the processing of personal data by telephone companies is speech entitled to full First Amendment protection because such data is created and assembled by telephone companies for purposes of marketing, and “the First Amendment protects [the speakers’] right not only to advocate their cause but also to select what they believe to be the most effective means of so doing.”53 Finally, other scholars who might not adopt the strong Volokh-Singleton formulation of the First

48 Solveig Singleton, Privacy as Censorship: A Skeptical Analysis of Proposals to Regulate Privacy in the Private Sector, Cato Institute Policy Analysis No. 295 (January 22, 1998), available at <http://www.cato.org/pubs/pas/pa-295.html>. See also Solveig Singleton, Privacy as Censorship: A Skeptical View of Proposals to Regulate Privacy in the Private Sector, 7-8 (Cato Institute Policy Study No. 295, 1998) (same)

49 In addition to Volokh, supra note 3, and Solveig Singleton, supra notes 47-48, see, e.g., Robert A. Levy, The Do-Not-Call Solution: Turn the Ringer Off, Tech. Knowledge No. 60 (October 3, 2003), available at <www.cato.org/tech/ tk/031003-tk.html> (arguing that the FCC’s Do-Not-Call Registry violates the First Amendment)

50 Robert M. O’Neil, The First Amendment and Civil Liability 74-90 (2001).

51 Rodney Smolla, Privacy and the First Amendment Right to Gather News, 67 Geo. Wash. L. Rev. 1097, 1138 (1999) (“As matters stand today, strong First Amendment doctrines stand in the way of many of the most meaningful privacy reforms.”).

52 Froomkin, supra note 26, at 1521-23 (2000) (concluding that the First Amendment raises serious questions about the constitutionality of existing Federal privacy statutes).

53 See Brief of Appellant U.S. West, Inc., U.S. West v. F.C.C., at 6 (10th Cir. 1999).

Amendment Critique nevertheless accept its basic premise that data privacy raises real First Amendment issues, and that regulation of consumer privacy needs to be carefully crafted to avoid constitutional objections.54

The significance and salience of the First Amendment critique in academic and legal discourse has influenced both courts and policymaking, leading to the unmistakable conclusion that the First Amendment critique is a major obstacle to coherent data privacy regulation. Two recent cases illustrate the uncertainty in the law in this area that the critique has fomented. In the U.S. West case,55 the Tenth Circuit struck down as an unconstitutional burden on commercial speech a rule imposing a duty of confidentiality upon telephone companies with respect to customer data collected in the course of providing telephone service.56 Similarly, the First Amendment Critique played a significant role in the recent litigation over the FCC’s “Do-Not-Call” Registry, which allows consumers who do not wish to receive commercial telemarketing calls to place their telephone numbers on a list of numbers that telemarketers are forbidden from calling.57 Applying the critique, a federal district court invalidated the registry as another infringement on commercial speech.58 Although the Tenth Circuit correctly (as I have elsewhere argued59) reversed on appeal, 60 the ultimately satisfactory resolution

54 See, e.g., Vera Bergelson, It’s Private, But Is It Mine? Towards Property Rights in Personal Information, 37 U.C. Davis L. Rev. 379, 396-400 (2003) (noting the First Amendment problems identified by Volokh, Singleton, and others should significantly shape the legal response to consumer privacy issues)

55 U.S. West, Inc. v. FCC, 182 F.3d 1224 (10th Cir. 1999).

56 See id.

57 16 C.F.R. 310.4(b)(1)(iii)(B).

58 Mainstream Marketing Servs. Inc. v. Federal Trade Comm’n, 283 F. Supp. 2d 1151, 1167-68 (D. Colo. 2003), rev’d Mainstream Marketing Services Inc. v. Federal Trade Commission, 358 F.3d 1228, 1241 (10th Cir. 2004).

59 See Caroline E. Mayer, National No-Call List Upheld: Judges See No Violation of Telemarketers’ Rights, Wash. Post, Feb 18, 2004, at E01 (“‘The court

of the Do-Not-Call litigation from a privacy perspective was nevertheless complicated by the First Amendment critique. Courts remain deeply divided over the salience of the critique, 61 and the Supreme Court has said little with respect to this issue, and has not granted certiorari to clear up the divergence among the lower courts.62 In addition to its effects on litigation, the First Amendment critique is a potent weapon against privacy rules in the legislative process. Perhaps because the critique is both an easy political argument for opponents of regulation to make, and because it threatens expensive and protracted litigation upon enactment of a measure, lawmakers and regulators are likely to take it into account in drafting privacy rules, thereby skewing the outcome of such deliberative processes. For example, when Washington State attempted to pass a privacy bill in early 2000, the attempt was scuttled by business groups proffering Professor Volokh’s claims that the free flow of commercial information is constitutionally compelled.63 These examples illustrate the practical significance of the First Amendment critique – the confusion and discord that it is causing in both democratic policymaking and the courts.

[correctly] concluded that the right of people to enjoy their homes outweighs the right of companies to intrude upon that privacy to try and sell them things,’ Richards said.”).

60 Mainstream Marketing Services Inc. v. Federal Trade Commission, 358 F.3d 1228, 1241 (10th Cir. 2004).

61 United Reporting Publ ‘g Corp. v. Cal. Highway Patrol, 146 F.3d 1133, 1136-1137 (9th Cir. 1998) (holding California statute prohibiting release of arrestee names and addresses for commercial purposes unconstitutional under the Central Hudson test), rev’d on other grounds sub nom. Los Angeles Police Dep’t v. United Reporting Publ ‘g Corp., 528 U.S. 32 (1999). Other courts have accepted in the context of regulation of credit reports the critique’s premise that the sale of databases is “speech,” but have applied intermediate scrutiny and have found the privacy interests sufficient to outweigh the business speech interests. See, e.g., Trans Union Corp. v. FTC, 245 F.3d 809 (D.C.Cir. 2001), reh ‘g denied, 267 F.3d 1138 (D.C. Cir. 2001), cert. denied sub nom. Trans Union L.L.C. v. FTC, 536 U.S. 915 (2002) (restriction on consumer reporting agency’s sale of targeted marketing lists did not violate the First Amendment)

62 See, e.g., Trans Union L.L.C. v. FTC, 536 U.S. 915 (2002) (Kennedy, J. dissenting from denial of certiorari).

63 See Bruce E.H. Johnson, The Battle Over Internet Privacy and the First Amendment, 18 No. 4 Comp. & Internet Law. 21, 23-24 (2001).

Perhaps because of the inherent appeal of First Amendment arguments generally to legal academics (especially those who tend to support privacy rights),64 surprisingly few scholars have challenged the First Amendment critique in any detail. Indeed, although a handful of scholars have disagreed with the arguments of Volokh and others, they have done so either in short essays or in sections of longer pieces.65 This is unfortunate, because the First Amendment critique asserts a simple, constitutionalized solution to a complex and thorny social problem of the first importance. To be clear, I believe that the simplistic mantra of “freedom of information” is indeed no more of a satisfying solution to the complex database problem facing the digital age than the “freedom of contract” was to the industrial age a century ago. In the rest of this Article, I attempt to lay out a series of doctrinal, conceptual, and jurisprudential responses to the First Amendment critique – a way of reconceptualizing the First Amendment issues at stake in the database context that reveals, I believe, that the policy choices facing the regulation of private information in the computer age is not foreordained by the First Amendment.

II. ARE PRIVACY RULES SPEECH RULES?

One of the basic assumptions of the First Amendment critics is that regulating privacy is the same as regulating speech. This view is best summarized by Eugene Volokh, who argues:

64 See, e.g., Thomas Emerson, Toward a General Theory of the First Amendment 76 (1963) (“Any society sincerely interested in protecting the right of privacy is hardly likely to be at the same time hostile to the right of free expression. Both interests tend to have the same friends and the same enemies.”).

65 The only piece which challenges the critique in depth is Daniel J. Solove, The Virtues of Knowing Less, 53 Duke L.J. 967 (forthcoming 2004) (hereinafter “Solove, Knowing Less”). Solove’s concern, however, is to justify privacy nondisclosure rules more generally (i.e., outside the database context) not only against a First Amendment critique, but also against other normative challenges to keeping information private. See id. at ms. 2. As I explain infra Part II, my approach to the First Amendment diverges significantly from Solove’s, as I believe he grants too much ground to the First Amendment critics. Other scholars to have addressed the First Amendment critique of data privacy in a more abbreviated fashion include Paul Schwartz, Free Speech vs. Information privacy: Eugene Volokh’s First Amendment Jurisprudence, 52 Stan. L. Rev. 1559 (2000) (symposium comment to Volokh’s article) (hereinafter “Schwartz, Freedom of Speech and Information Privacy”)

[T]he right to information privacy—my right to control your communication of personally identifiable information about me—is a right to have the government stop you from speaking about me. We already have a code of “fair information practices,” and it is the First Amendment, which generally bars the government from controlling the communication of information (either by direct regulation or through the authorization of private lawsuits), whether the communication is “fair” or not. While privacy protection secured by contract is constitutionally sound, broader information privacy rules are not easily defensible under existing free speech law.66

My purpose in this Part is to tackle and rebut this assumption at the conceptual level. Although there exists much ambiguity in not only privacy but also the scope of the First Amendment, there are significant areas in which the two do not conflict. I hope to show that substantial regulation of privacy rights is possible without implicating the First Amendment at all, and to thereby set the stage for a doctrinal and jurisprudential reconciliation between the First Amendment and the right of data privacy in subsequent Parts.

In Section A, I address the fundamental but implicit assumption of the First Amendment critics that privacy regulation means speech regulation. I argue that while much data privacy regulation in the form of a “code of fair information practices” does involve the regulation of information, much does not and has nothing to do with free speech under anyone’s definition. In Section B, focusing on the regulation of information flows, I suggest that the First Amendment accords heightened scrutiny to far fewer regulations of “speech” than previous scholars have assumed. I argue that both First Amendment critics and the few privacy scholars who have tried to disagree with the critique improperly conflate information flows such as the sale of a database with the “freedom of speech” protected by the First Amendment. In my view, there are valid First Amendment reasons for drawing distinctions between speech and information flows, and the recognition of such distinctions provides a superior way of conceptualizing the issue.

A. Privacy Regulation through Codes of Fair Information Practices

Regulation of the collection, use, and disclosure of personal data is often proposed in the form of a code of fair information

66 Volokh, supra note 3, at 1051.

practices.67 Such proposals regulate the relationship between the individuals who provide data and the entities that would collect, use, and disclose it through some combination of tort and public law.68 The first code of fair information practices was envisioned by the federal Department of Housing, Education, and Welfare in 1973, which that organizations collecting data should adhere to a series of norms including a prohibition on secret data collection, a right of access by individuals to view data about themselves and correct false data, and a right to prevent information collected for one purpose being used for other purposes.69 This report was the basis for the federal Privacy Act of 1974,70 which established general rules for the collection, retention, use, and disclosure of personal information held by the federal government.71 Indeed, Section (e) of the Privacy Act mandates that federal agencies follow fair information practices.72

The norms established by the Housing Department’s report and the Privacy Act have been tremendously influential in both the United States and other countries, and many scholars agree that there is a global consensus regarding the basic standards of fair information practices.73 Joel Reidenberg has summarized this consensus as guaranteeing four protections against data misuse – (1) standards for data quality, which ensure that data is acquired legitimately and is used in a manner consistent with the purpose for which it was acquired, (2) standards for transparency or openness of processing, such as giving individuals meaningful notice regarding how their information is being used, (3) special protections for sensitive data, such as requiring opt-in consent before such data (such as race, sexual preference, political views, or telephone numbers dialed) may be used or disclosed, and (4)

67 See Schwartz, Free Speech vs. Information Privacy, supra note 65, at 1561.

68 See Marc Rotenberg, Fair Information Practices and the Architecture of Privacy (What Larry Doesn’t Get), 2001 Stan. Tech. L. Rev. 1, 40-41 (2001).

69 U.S. Dept. of Health, Educ., & Welfare, Records, Computers, and the Rights of Citizens: Report of the Secretary’s Advisory Comm. on Automated Personal Data Systems (1973).

70 5 U.S.C. § 552a et. seq.

71 For an assessment of the Privacy Act, see Robert Gellman, Does Privacy Law Work?, in Technology and Privacy: The New Landscape (Philip E. Agre & Marc Rotenberg, eds. 1997)

72 Schwartz, Free Speech vs. Information Privacy, supra note 65, at 1561 n.12

73 See Gellman, supra note 71, at 196.

Richards Reconciling Data Privacy and the First Amendment 20

some standards of enforcement whereby compliance with the standards is ensured.74

Although the initial codes of fair information practices were developed in the context of public-sector databases, the similarity between the privacy issues in the public and private-sector contexts has produced numerous state and federal statutes establishing codes of fair information practices in a variety of private-sector contexts, protecting consumers from inappropriate uses of personal data by businesses, including the Fair Credit Reporting Act.,75 the Electronic Communications Privacy Act (“ECPA”),76 the Video Privacy Protection Act.,77 and the Family Educational Rights and Privacy Act.78 79 Violations of such federal codes of fair information practices for the private sector enforced through both criminal law prosecutions and private tort law actions authorizing significant minimum statutory damages and punitive damages.80

Statutes that embody the fair information principles do far more than merely regulating information flows or preventing disclosures. Paul Schwartz has argued that under Reidenberg’s four

74 Joel Reidenberg, Setting Standards for Fair Information Practice in the U.S. Private Sector, 80 Iowa L. Rev. 497, 515 (1995). For an alternate but equivalent formulation of these principles, see Gellman, supra note 71, at 195-202.

75 15 U.S.C. § 1681-1681t (regulating disclosure and use of consumer credit information, and giving consumers right to receive copies of credit records and to correct erroneous information contained in such records).

76 See 18 U.S.C. § 2511 (prohibiting, inter alia, intentional interception of contents of telephone conversations or e-mail, and disclosure of contents of such communications to others).

77 18 U.S.C. § 2710 (prohibiting video stores from disclosing to third parties videos that its customers have rented). The great irony of the VPPA is that it was passed in reaction to the disclosure of Supreme Court nominee Robert Bork’s video records during his confirmation. Bork’s nomination was defeated in part because of his opposition to a constitutional right of privacy. See Richard C. Turkington and Anita L. Allen, Privacy Law, 338 (1999).

78 20 U.S.C. § 1232g (regulating the disclosure of educational records maintained by primary, secondary, and post-secondary institutions that receive federal funds).

79 For a comprehensive overview of the many federal statutes governing private sector records, see generally Daniel J. Solove & Marc Rotenberg, Information Privacy Law, 491-566.

80 See, e.g., ECPA, 18 U.S.C. §§ 2511(4)(a) (criminally punishing violations with fines up to $10,000 and up to five years’ imprisonment)

Richards Reconciling Data Privacy and the First Amendment 21

part taxonomy of fair information practices, principle #1 (ensuring data quality), principle #2 (ensuring transparency of processing), and principle #4 (ensuring enforcement) simply have nothing to do with speech.81 Only principle #3 (providing protection against the use or disclosure of sensitive data) “corresponds to Volokh’s idea of information privacy as the right to stop people from speaking about you.”82 Although I would agree with this general approach, if the First Amendment critics are correct that principle #3 nondisclosure rules at least are speech restrictions that violate the First Amendment, it would necessarily follow that government enforcement of such rules under principle #4 by either direct regulation or the enforcement of tort judgments would similarly violate the First Amendment. Of course, as I demonstrate below, I believe that nondisclosure rules, just like other elements of fair information practices applied to commercial databases, are fully consistent with the First Amendment. The important point to take from this, however, is that even if one accepts that nondisclosure rules create First Amendment problems, large and significant chunks of the information privacy protections envisioned by codes of fair information practices and protected by current laws have nothing whatsoever to do with the First Amendment under anyone’s reading of it.

B. The Constitutional Metaphysics of “Speech “

The insight that information privacy rules are usually modeled upon a code of fair information practices is useful as it allows us to separate out many of the things that such regulations would do that would have nothing to do with speech. But Schwartz and Reidenberg’s typology merely tells us that while some parts of a code of fair information practices regulate information flows, much of a typical code has nothing to do with information flows. Their model does not ultimately help us with the constitutional status of the information flow regulation that most concerns the First Amendment critics.83 The First Amendment critics argue that regulation of information flows is regulation of speech, and that free information flows are therefore as constitutionally mandated as free speech. What then do we make of the claim that information flow regulation is speech – a “right to stop other people from speaking about you”84? Although there are few if any cases directly on point, I believe that

81 Schwartz, Free Speech vs. Information Privacy, supra note 65, at 1562.

82 Id.

83 See, e.g., Volokh, supra note 3, at 1054-55.

84 Id. at 1049.

Richards Reconciling Data Privacy and the First Amendment 22

much privacy regulation that interrupts information flows in the context of an express or implied commercial relationship is neither “speech” within the current meaning of the First Amendment,85 nor should it be viewed as such.86 By contrast, the handful of previous scholars to have dealt with this question have tended to assume that all such information flows are speech, and then disagreed about whether the First Amendment allows or prohibits the sorts of regulations at issue, and have rejected treating these transfers as outside the First Amendment.87 I believe that this is entirely the wrong way to approach the issue, and that looking at it in terms of the boundaries of the First Amendment sheds significant light upon the problem.

Is it conceptually possible to treat commercial information flows as falling outside the “freedom of speech” that the First Amendment protects? That is, even if the critics are correct that the creation or sale of a database is a “communication” of information, is that communication necessarily speech that warrants heightened scrutiny under the First Amendment? In order to make this determination, we must first assess the boundaries of the First Amendment protection. Unfortunately, in spite of the importance of the First Amendment to American legal and political culture,88 very little has been written on the line between the “freedom of speech” protected by the First Amendment, and that which is not protected. This phenomenon is perhaps doubly surprising when one considers the large number of First Amendment cases decided by the Supreme Court alone over the past four decades,89 as well as the even more voluminous bulk of First Amendment scholarship by legal and other academics.90

Nevertheless, the handful of scholars who have studied this issue have argued that any First Amendment issue91 involving a

85 See infra Part III.

86 See infra Part IV.

87 See Volokh, supra note 3, at 1080-87 (considering and rejecting this approach)

88 And indeed to American society more generally, see, e.g., Frederick Schauer, First Amendment Opportunism, in Lee C. Bollinger & Geoffrey Stone, eds., Eternally Vigilant: Free Speech in the Modern Era (2002).

89 Daniel Farber estimates that the Supreme Court has decided “well over two hundred First Amendment cases, most of them since 1970. See Daniel A. Farber, The First Amendment 2 (2d. ed. 2003).

90 One leading casebook cites 395 principal articles in its Table of Authorities. See Geoffrey R. Stone et al., The First Amendment 633-41 (2d ed. 2003).

91 Or indeed any issue of the applicability of a constitutional right more generally, see Frederick Schauer, The Boundaries of the First Amendment: A

Richards Reconciling Data Privacy and the First Amendment 23

regulation challenged as abridging the freedom of speech requires a court to answer two questions. The first question is whether we even have a First Amendment issue in the first place – whether the regulation infringes upon the “freedom of speech” that the First Amendment protects. The scholarship to have identified this issue has termed it a question of the “coverage,”92 the “ambit,”93 or the “scope”94 of the Amendment. This question – what I call for clarity the First Amendment’s scope – asks whether the activity in question is speech that the First Amendment protects at all, and thus whether we even have a First Amendment issue.

Once the court has answered the scope question in the affirmative – but only after it has done so – it must then answer a second question. This question focuses on the question of the “level”95 or “strength”96 of First Amendment “protection.”97 Thus, given that the First Amendment applies to the legal problem at hand, a court must then determine what portion of “the full arsenal of First Amendment rules, principles, standards, distinctions, presumptions, tools, factors, and three-part tests becomes available to determine whether the particular speech will actually wind up being protected.”98 I call this question the “level of protection” question.

Courts and scholars invariably focus upon the level of protection question in First Amendment analysis, with the unfortunate result that the scope question has been significantly under-studied. However, its importance is difficult to understate. The initial work done in this area by Kent Greenawalt on language, speech, and crime concluded that even though much of what the criminal law punishes is “speech” within the common dictionary or lay understanding of the term, imposition of criminal punishment for speech is rarely if ever considered to raise First Amendment concerns. 99 Thus, we do not

Preliminary Exploration of Constitutional Salience, 117 Harv. L. Rev. 1765, 1769-72 (2004) (hereinafter “Schauer, Boundaries of the First Amendment”).

92 Schauer, Boundaries of the First Amendment, supra note 91, at 1769.

93 Harry Kalven, Jr., The Reasonable Man and the First Amendment: Hill, Butz, and Walker, 1967 Sup. Ct. Rev. 267, 278.

94 Laurent Frantz, The First Amendment in the Balance, 71 Yale L.J. 1424, 1444 (1962).

95 Kalven, supra note 91, at 278.

96 Frantz, supra note 94, at 1444.

97 Schauer, Boundaries of the First Amendment, supra note 91, at 1769. See generally id. at 1769 & nn.10-11 (collecting sources).

98 Schauer, Boundaries of the First Amendment, supra note 91, at 1769.

99 See Kent Greenawalt, Speech, Crime, and the Uses of Language (1989)

Richards Reconciling Data Privacy and the First Amendment 24

perceive the speech used to engage in fraud, to make criminal threats, to form and advance conspiracies, or to solicit criminal acts as First Amendment speech.100 Punishment imposed on such speech is, both doctrinally and theoretically, not an “abridge[ment]” of the “Freedom of Speech.”101 Frederick Schauer has expanded Greenawalt’s list beyond the criminal context, noting that although speech is regulated extensively by the government in the contexts of securities, antitrust, labor organizing, copyrights, trademarks, sexual harassment, the regulation of doctors, lawyers, and other professionals, and vast amounts of evidence and tort law, the First Amendment is rarely considered to apply.102 Schauer argues that the fact that the First Amendment’s boundaries are much narrower than merely “speech” suggests the need for further study of the concept of “constitutional salience” – “the often mysterious political, social, cultural, historical, psychological, rhetorical, and economic forces that influence which policy decisions surface as constitutional issues and which do not.”103

Unfortunately, calling things “speech” or “not speech” and thus labeling large areas of speech as outside the scope of the First Amendment tends to make people nervous.104 There is however an alternative method of approaching the inquiry. Rather than looking at which communications are “speech” and which are “not,” we could view the category of “unprotected” speech as something like the rational basis category which exists in other areas of rights jurisprudence but which has never been articulated in the context of the First Amendment. Under this approach, all things which are “speech” would be covered by the First Amendment, but the scope question could be viewed merely as a threshold for invoking heightened scrutiny in much the same way that suspect classification analysis performs this role in equal protection and due process jurisprudence. “Speech” in the ordinary sense of the term which fails the scope question would receive rational basis review. Thus, to take the example of Equal Protection Clause jurisprudence, the basic analytic approach a court takes in assessing the constitutionality of a classification is to compare the type of classification with the list of so¬called “suspect classes.” While racial classifications receive strict

Greenawalt, Criminal Coercion and Freedom of Speech, 78 Nw. U. L. Rev. 1081 (1983).

100 See Kent Greenawalt, Speech, Crime and the Uses of Language (1989) chapters 4-8 (collecting cases).

101 See U.S. Const. Amd. I.

102 Schauer, Boundaries of the First Amendment, supra note 91, at 1777-84.

103 Schauer, Boundaries of the First Amendment, supra note 91, at 1768.

104 See, e.g., Solove, supra note 65, at ms.12.

Richards Reconciling Data Privacy and the First Amendment 25

scrutiny and classifications made on the basis of sex receive intermediate scrutiny, classifications involving economic rights receive minimal judicial scrutiny.105 Similarly, in the Due Process context, economic rights are assessed under rational basis review, while the existence of a “fundamental right” such as reproductive autonomy or the right to vote increases the level of scrutiny.106 Viewed in this way, the scope and level of protection questions in First Amendment analysis operate in a similar manner: The scope question determines whether heightened scrutiny is warranted, and if it is, the level of protection question allocates the appropriate doctrinal formulation with which to assess the constitutionality of the speech restriction. For example, regulation of the content of political speech broadcast from a loudspeaker van would be assessed under a strict scrutiny standard, while a content-neutral regulation of the noise level emanating from such a van would be assessed under intermediate scrutiny.107 Critically, just as a classification falling outside one of the suspect categories in equal protection analysis would receive rational review, so too would regulations of speech falling outside the scope of the First Amendment. Speech in this category, whether we call it “unprotected speech” or “speech outside the scope of the First Amendment” is merely speech within the dictionary definition of the term that does not warrant heightened protection against government regulation. This might be the case because the speech is threatening,108 obscene 109 or libelous110 (and thus part of the “established” categories of “unprotected speech”), but it might also be the case because the speech is an insider trading tip,111 a false statement in a proxy statement,112 an offer to create a monopoly in

105 See Erwin Chemerinsky, Constitutional Law 450 (2000).

106 See generally id. at 695.

107 See Kovacs v. Cooper, 336 U.S. 77, 97 (1949) (Frankfurter, J., concurring).

108 See Virginia v. Black, 538 U.S. 343 (2003) (holding that state bans on ‘true threats’ are compatible with the First Amendment)

109 See Roth v. United States, 354 U.S. 476, 485 (1957) (holding that obscene materials are outside the scope of First Amendment protection)

110 See New York Times v. Sullivan, 376 U.S. 254, 268 (1964) (stating that libelous speech is not protected by the Constitution but must not be used as a guise for punishing criticism).

111 See U.S. v. Stewart, 2004 WL 113506, 2 (S.D.N.Y. 2004).

112 Ohralik v. Ohio State Bar Ass’n, 436 U.S. 447, 456 (1978) (citing SEC v. Texas Gulf Sulphur Co., 401 F.2d 833 (C.A.N.Y 1968)).

Richards Reconciling Data Privacy and the First Amendment 26

restraint of trade,113 or a breach of the attorney-client privilege.114 In either case, the speech would be outside the boundaries of the First Amendment and could be regulated as long as a rational basis existed for so doing. Such an approach to First Amendment analysis is not just descriptively accurate, but is entirely defensible under current doctrine, as the freedom of speech is one of the “fundamental rights” protected by the Fourteenth Amendment against the states.115

If the question of the First Amendment’s scope is thus underappreciated, looking at information flows first in terms of the scope question can provide a way of resolving their First Amendment status without forcing them into existing doctrinal categories of “speech” into which they might not well fit. Looking carefully at whether regulation of information flows and databases is really a regulation of speech within the scope of the First Amendment could thus produce a potentially doctrinally satisfying response to the First Amendment critique, allowing us to separate the easy, non-speech cases away from the minority of cases in which free speech and information privacy are in conflict. Such an approach has two advantages. First, by separating the non-speech regulations from the speech regulations, it is possible to have a more honest debate about the public policy implications of additional privacy protections in the database context. Such a discussion is, as I have suggested, currently being short-circuited by constitutional objections at the drafting stage and by needless First Amendment litigation after the enactment of such rules. 116 Second, by separating out the easy cases, we can more easily focus on providing doctrinal and theoretical solutions to the really difficult (and important) ones – cases in which the First Amendment and privacy are actually in conflict.

The First Amendment critics, however, would have two responses to this approach. First, they would argue that the exceptions to the scope of the First Amendment, few and narrowly construed, and cover only such established doctrinal categories as obscenity, “incitement, false statements of fact, or the like.”117 Second, they would argue that even though new exceptions could certainly be created, this would create a pernicious and dangerous precedent for

113 Id. (citing Mills v. Electric Auto-Lite, 396 U.S. 375 (1970)).

114 Id. (citing American Column & Lumber Co. v. United States, 257 U.S. 377 (1921)).

115 See Chemerinsky, supra note 106, at 695.

116 See supra notes 55-63 and accompanying text.

117 Cf. Eugene Volokh, The First Amendment: Problems, Cases and Policy Arguments 2 (2001).

Richards Reconciling Data Privacy and the First Amendment 27

other, more nefarious exceptions to protected free speech in the future. 118

With respect to the first argument, I am not convinced that the critics accurately describe the universe of free speech cases. The First Amendment critics are correct that the Supreme Court has held that much of what we think of as communicative speech falls within the scope of the First Amendment, and the Court has also held a few categories to be outside the scope and thus to constitute “unprotected speech.” But the Court has never held in a blanket fashion that all communications fall within the scope of the First Amendment and are thus subject to heightened protection. Indeed, as the examples identified by Greenawalt and Schauer reveal, there are many areas of law regulating the content of speech that are not thought to be within the scope of the First Amendment as either a doctrinal or theoretical matter.119 And as Schauer has argued in responding to an analogous claim, to take the position of the First Amendment critics

is to be afflicted with the common ailment of spending too much time with the casebooks – defining the domain of constitutional permissibility by reference to those matters that have been considered viable enough to be litigated in, and close enough to be seriously addressed by, the courts, especially the Supreme Court. But if we are interested in the speech that the First Amendment does not touch, we need to leave our casebooks and the Supreme Court’s docket behind

If the First Amendment critics are thus wrong as a descriptive or interpretive matter about the universe of speech, what about their second claim that creating “new” exceptions to existing doctrinal categories would be a bad idea? Eugene Volokh argues that the changes in jurisprudence necessary to reconcile data privacy with the First Amendment – whether by creating new data privacy exceptions to existing free speech doctrine, or expanding existing exceptions such as commercial speech doctrine – would open the door for a variety of other, more sinister speech restrictions. For example, Volokh argues that widening the exception for speech on matters of private concern would give a strong argument to those who wish to restrict other types of “private” speech that does not address matters of public concern, such as sexually-themed speech ranging from “pornography to art to

118 Volokh, supra note 3, at 1084.

119 See supra notes 99-103 and accompanying text.

120 Schauer, Boundaries of the First Amendment, supra note 91, at 1777-78.

Richards Reconciling Data Privacy and the First Amendment 28

sexual humor.”121 Similarly, he suggests, broadening commercial speech doctrine to accommodate data privacy speech restrictions would stretch the doctrinal category to such a degree that many types of socially-beneficial speech and commentary about economic matters would also fall into the category of regulatable commercial speech, “[g]iving the government an ill-defined but potentially very broad power to restrict such speech.”122

I am not convinced by Volokh’s slippery slope argument for three reasons. First, it would be inaccurate to describe the treatment of the sale of a consumer database as outside the First Amendment as a “new exception” to existing doctrine. The fact that there is very little authority assessing rules of this sort suggests that these regulations more than likely fall as a descriptive matter into what Schauer terms the “speech that [the First Amendment] ignores more quietly.”123

Second, Volokh’s argument takes issue with the very process by which the Supreme Court has structured First Amendment review since at least New York Times v. Sullivan, in which it first articulated the modern formulation for how state tort rules that implicate First Amendment concerns should be evaluated. Rather than engaging in the often treacherous task of balancing the values and harms of speech in particular cases, the Supreme Court in Sullivan first articulated the theory of what scholars have called “definitional”124 or “categorical”125 balancing, under which the Court balances the interests involved in a class of speech and sets the level of scrutiny for all cases that fall within the class. In the context of privacy rights, just as in the context of the intersection between tort law and free speech generally, the Supreme Court has settled on a categorical balancing approach to resolve the conflict between privacy claims and free speech.126

121 Volokh, supra note 3, at 1098.

122 Volokh, supra note 3, at 1087.

123 Schauer, Boundaries of the First Amendment, supra note 91, at 1768.

124 Melville Nimmer, The Right to Speak from Times to Time: First Amendment Theory Applied to Libel Law and Misapplied to Privacy, 56 Cal. L. Rev. 935, 942-43 (1968).

125 Laurence Tribe, Constitutional Law 792-93 (2d ed. 1988)

126 See, e.g., Bartnicki v. Vopper, 532 U.S. 514, 534 (2001) (“In these cases, privacy concerns give way when balanced against the interest in publishing matters of public importance.”). The Court also considers privacy (or at least the line between that which is public and that which is private) as a critical element in allocating the standard of review in defamation cases – public figures must plead and prove additional elements than private figures to recover for damage due to their reputations. Compare Sullivan, 376 U.S. at 279-80 (requiring a public figures to prove actual malice to recover for defamation), with Gertz v. Robert Welch, 418 U.S.

Richards Reconciling Data Privacy and the First Amendment 29

Volokh may disagree with this approach, but to the extent he argues that creating privacy exemptions under the First Amendment violate the First Amendment, his slippery slope argument appears to criticize a significant portion of the same free speech jurisprudence he seeks to protect.

Third, Volokh’s argument rests on the dubious premise that creating new “exceptions” from the protection of the First Amendment creates “doctrinal, political, and psychological” arguments for creating other exceptions to the First Amendment by analogy.127 Although he claims that he is not making a slippery slope argument of a “today this speech restriction

323 (1974) (requiring private figures to prove only something more than strict liability to recover).

127 Volokh, supra note 3, at 1052.

128 Volokh, supra note 3, at 1052.

129 See, e.g., U.S. v. O’Brien, 391 U.S. 367 (1968) (applying intermediate scrutiny to conviction for burning a draft card)

130 See, e.g., Time, Inc. v. Hill, 385 U.S. 374, 387 (1967) (libelous statements made with “actual malice”)

131 See, e.g., Neil M. Richards, The Good War, the Jehovah’s Witnesses, and the First Amendment, 87 Va. L. Rev. 781 (2001)

132 315 U.S. 568 (1942).

Richards Reconciling Data Privacy and the First Amendment 30

Chaplinski, it has never subsequently upheld a conviction under its theory.133 Thus, in Gooding v. Wilson, when the Court addressed a conviction under a statute substantively identical to the one it upheld in Chaplinski, it declared the statute unconstitutional under the overbreadth doctrine, even though the petitioner in that case had undeniably engaged in activity outside the First Amendment under the “fighting words” doctrine.134 Similarly, although the Supreme Court held in Valentine v. Chrestensen that commercial speech was unprotected speech,135 subsequent decisions have brought commercial speech within the protections of the First Amendment,136 with the relaxed intermediate scrutiny of Central Hudson137 giving way over time to greater and greater protection for commercial speech. As a result, the central issue of commercial speech doctrine has gradually but fundamentally shifted over the last twenty years from whether commercial speech should be protected at all to whether it warrants protection on a par with “core” political speech, as several members of the Court have argued.138 The robust protection that the courts have given to free speech in the past suggests that refinement of the categories of unprotected or partially-protected speech is quite unlikely to create serious free speech consequences down the road through any significant slippery slope problem. Indeed, the practical problem at

133 See Street v. New York, 394 U.S. 576 (1969)

134 See 405 U.S. 518 (1972).

135 316 U.S. 52 (1942)

136 Virginia State Bd. Of Pharm. v. Virginia Citizens Consumer Council, 425 U.S. 748 (1976).

137 Central Hudson Gas v. Public Serv. Comm’n, 447 U.S. 557 (1980).

138 See, e.g., Thompson v. Western States Medical Center, 535 U.S. 357, 367-68 (2002) (noting that “several Members of the Court have expressed doubts about the Central Hudson analysis and whether it should apply in particular cases, see, e.g., Greater New Orleans Broadcasting Assn., Inc. v. United States, 527 U.S. 173, 197, 119 S.Ct. 1923, 144 L.Ed.2d 161 (1999) (Thomas, J., concurring in judgment)

Richards Reconciling Data Privacy and the First Amendment 31

the intersection of speech and privacy is not a problem of protecting speech from privacy, but of safeguarding some privacy protection under a juridical regime in which free speech always wins.

Although most privacy scholars believe that privacy rights are not extinguished by the First Amendment, the handful of such scholars who have explicitly disagreed with the First Amendment critique would also reject an approach to the problem that focuses on the boundaries of the First Amendment. Paul Schwartz and Daniel Solove concede that information disclosure rules raise First Amendment problems, but believe that an adjusted right of data privacy can stand up to the First Amendment. Schwartz argues that nondisclosure rules can survive balancing against the First Amendment because they “help maintain the boundary between public discourse and the other realms of communication” and because “standards of fair information practices serve to safeguard deliberative democracy by shaping the terms of individual participation in social and political life.” 13 9 Solove argues that in the context of information disclosure rules, privacy interests should be balanced against First Amendment rights, focusing on the relationships in which information is transferred and the uses to which information is put. Although he considers it “tempting” to categorically exclude disclosures of private information from the definition of “speech” under the First Amendment, Solove ultimately rejects this approach as “conceptually sloppy or even dishonest unless there is a meaningful way to distinguish [unprotected speech] from other forms of expression.”140 According to Solove, “[d]ealing with privacy issues by categorizing personal information as non-speech is not a permissible approach because it cloaks the real normative reasons for why we want to permit greater regulation of certain communicative activity.”141 Solove argues that it is both preferable and more intellectually honest to engage in pragmatic, contextual balancing between speech and privacy.142

Solove and Schwartz’s arguments are thoughtful, but I believe they grant too much ground to the First Amendment critique, and may ultimately prove to be underprotective of privacy interests, particularly in the database context. First, to the extent these scholars share the same view of the boundaries of the First Amendment as the critics do, I have already addressed these objections supra. Second, to the extent we disagree whether the sale of databases constitute “speech” within

139 Schwartz, supra note x, at 1564.

140 Solove, Knowing Less, supra note 65, at ms. 12.

141 Id.

142 Id. at ms. 8.

Richards Reconciling Data Privacy and the First Amendment 32

the scope of the First Amendment, I argue below that under current doctrine, the sale or transfer of most commercial databases would not be regarded as falling within the protections of the First Amendment.

Third, I doubt that Solove’s balancing approach would provide meaningfully increased protection for privacy protection in the courts. Solove urges courts to depart from the current paradigms under which they balance privacy against the First Amendment – whether the individual is a public or private figure and whether the information is public or private – and to replace them with an approach focusing on “the relationships in which information is transferred and the uses to which information is put.”143 However, such an approach merely substitutes one vague set of criteria for another and risks an over¬contextualized jurisprudence. As Solove concedes, “[if] social norms about the propriety of disclosures are too diffuse and contestable, then a law protecting against ‘improper’ disclosures may become too unpredictable and even unworkable.”144 Solove’s solution to this problem of “hyper-contextualism” is essentially the one put forth by Warren and Brandeis over 100 years ago – that courts can articulate the contours of murky rules like negligence on a case-by-case basis.145 I am skeptical that such an approach would work significantly better under Solove’s contextually pragmatic approach than the categorically pragmatic approaches applied by existing jurisprudence. And even though some form of balancing in the hard cases pitting privacy against the First Amendment is perhaps inevitable, I believe it is not only important to separate out the easy cases from the hard cases, but also that an approach which treats private information differently is more consistent with the “categorical balancing” approach courts have taken in the First Amendment context since New York Times v. Sullivan. In the next Part, I show how this approach works in practice.

III. CATEGORIZING PRIVACY RULES UNDER THE FIRST AMENDMENT

The previous Part attempted to complicate the argument of the First Amendment critics that privacy rules necessarily regulate speech protected by the First Amendment. First, I argued that many sorts of privacy rules have nothing to do with information flows, and thus nothing to do with speech. Second, I tried to demonstrate conceptually that privacy rules regulating information flows are not necessarily

143 Solove, Knowing Less, supra note 65, at ms. 29.

144 Id. at ms. 39.

145 Id. at ms. 40.

Richards Reconciling Data Privacy and the First Amendment 33

within the scope of the First Amendment either. Having sought to reconceptualize the issue in this manner, in this Part I attempt to demonstrate more specifically why privacy rules will rarely if ever create a problem under the First Amendment.

Given the slipperiness of the term “privacy,”146 it is necessary to impose some sort of order on the analysis which follows. Every information flow in the database context can be broken down into a series of stages, which are helpful categories to assess the different kinds of privacy rules that can apply to the various stages of a transaction in personal information. Information is first collected by companies, then used to assemble databases, disclosed to companies wishing to use the information (either for marketing or the creation of larger databases), and then often used as the basis for direct marketing, such as telemarketing or junk mail. Accordingly, possible regulations of information flows can be divided into into four categories, corresponding to the four stages of information processing performed by the database industry – (1) rules governing the collection of information, (2) rules governing the use of such information, (3) rules governing the disclosure of information, and (4) regulation of direct marketing.

This approach has at least two significant advantages. First, looking at the problem in this way reveals that information collection and information use rules are not speech rules at all. Information disclosure rules are closer to speech, but in the commercial context are usually outside the scope of the First Amendment. Finally, while direct regulation of telemarketing is undeniably regulation of commercial speech within the scope of the First Amendment, under current doctrine the First Amendment nevertheless permits quite extensive regulation of such speech. Second, regardless of whether individual or categorical sorts of privacy rules ultimately pass muster under the First Amendment or not, separating out the various types of information privacy restrictions on the free flow of information allows us to take a careful look at the constitutional issues raised by four very different types of information privacy rules. In this regard, I hope that this taxonomy is a useful (and hopefully value-neutral) contribution to the discourse on information flows.

146 Privacy scholars have struggled for decades to come up with a workable definition of privacy, and have failed to reach a consensus. See, e.g., Daniel J. Solove, Conceptualizing Privacy, 90 Cal. L. Rev. 1087 (2002) (collecting sources).

Richards Reconciling Data Privacy and the First Amendment 34

A. Information Collection Rules.

Information collection rules govern the process of gathering data and assembling databases. They represent the legal regime covering the ways in which entities acquire information, and specify when collection is permissible and when it is not. For example, a rule requiring a customer’s permission to make certain disclosures before a company may make a record of their data would be an information collection rule

Information collection rules do not pose any significant First Amendment issues, particularly in the database context. A wide variety of rules that operate, directly or indirectly, to restrict access to information are not considered to raise First Amendment issues. Most fundamentally, generally applicable property and tort law prohibits information collection by separating the public sphere from the private. It is no defense to a claim of trespass for the trespasser to assert that he infringed the property rights of another to gain information. In addition to trespass, most states recognize the intrusion into seclusion tort,147 one of the four “privacy torts” created by Warren and Brandeis’ influential 1890 article.148 The intrusion tort goes much further than trespass and imposes liability upon anyone “who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, … if the intrusion would be highly offensive to a reasonable person.”149 Courts have held this tort to apply to mail tampering,150 eavesdropping,151

147 See Doe v. High-Tech Institute, Inc., 972 P.2d 1060, 1067 (Colo. App. 1998) (noting that the “vast majority of jurisdictions” have recognized not only other types of privacy claims, but also specifically “intrusion upon seclusion” claims). Indeed, with Minnesota most recently adopting the privacy tort via the common law in 1998, see Lake v. Wal-Mart Stores, 582 N.W.2d 231, 235 (Minn. 1998), only North Dakota and Minnesota have never recognized a cause of action for invasion of privacy. O’Neil, supra note 50, at 77 (2001).

148 See Warren & Brandeis, supra note 4.

149 Restatement (Second) of Torts § 652B (1977).

150 Brinbaum v. United States, 436 F. Supp. 967 (S.D.N.Y. 1977) (recognizing an invasion of privacy when the Central Intelligence Agency opened and copied plaintiff’s mail).

151 McDonald ‘s Corp. v. Levine, 439 N.E.2d 475 (Ill. App. 2d Dist. 1982) (violations of the Illinois Eavesdropping Act of 1977 can constitute an actionable intrusion upon seclusion)

Richards Reconciling Data Privacy and the First Amendment 35

non-consensual entry into homes,152 sexual harassment,153 repeated intimidating phone calls,154 overzealous surveillance or “shadowing”,155 and sexual voyeurism.156 Other sorts of information collection rules regulate unfair business practices such as industrial espionage. For example, the tort of misappropriation of trade secrets “protects a person’s right to keep certain information ‘secret,’ by providing a cause of action against anyone who misappropriates a reasonably-protected secret.”157

In addition to state tort law, certain forms of eavesdropping (including industrial espionage)158 are also prohibited by federal law. The Fair Credit Reporting Act regulates the assembly of credit reports.159 The Electronic Communication Privacy Act prohibits the use of any “device” to intercept the contents of an aural conversation.160 ECPA has been held to outlaw, inter alia, secret tape recording of meetings,161 hidden microphones,162 the surreptitious

152 Ford Motor Co. v. Williams, 132 S.E.2d 206 (Ga. App. 1963) (establishing liability for non consensual entrance into plaintiff’s home, even though no one was there).

153 Pearson v. Kancilia, 70 P.3d 594 (Colo. App. 2003)

Philips v. Smalley Maintenance Services Inc., 435 S.2d 705 (Ala. 1983) (defendant’s conduct was “an examination into [plaintiff’s] private concerns and improper inquiries into her personal sexual proclivities and personality”).

154 Carey v. Statewide Finance Co., 223 A.2d 405 (Conn. Cir. Ct. 1966) (creditor made harassing phone calls to plaintiff’s home and the hospital)

155 Nader v. General Motors Corp., 255 N.E.2d 765 (N.Y. 1970) (surveillance may be “so overzealous as to render it actionable”)

156 Harkey v. Abate, 346 N.W.2d 74 (Mich. App. 1983) (installation of see¬through panels in women’s restroom)

157 Pioneer Hi-Bred Int’l v. Holden Found. Seeds, Inc., 35 F.3d 1226, 1239 n.42 (8th Cir. 1994).

158 The Supreme Court has noted that the need to protect information from industrial espionage is one of the core interests that the federal Wiretap Act was enacted to address. See Bartnicki v. Vopper, 532 U.S. 514, 531 n.16 (2001).

159 15 U.S.C. § 1681b(3).

160 18 U.S.C. § 2511.

161 See, e.g., Earley v. Exec. Bd. of United Trans. Union, 957 F. Supp. 997 (N.D. Ohion 1996) (surreptitious tape recording of arbitration panel)

162 See, e.g., Cross v. Alabama, 49 F.3d 1490 (11th Cir. 1995).

Richards Reconciling Data Privacy and the First Amendment 36

eavesdropping on or recording of telephone conversations,163 and the participation of telephone companies in illegal government wiretapping.164 Furthermore, many states also have statutes providing analogous civil actions165 that in some instances offer more protection than ECPA. 166

In the consumer context, information collection rules can also be used to police transactions in which information changes hands, requiring disclosures by businesses, informed consent by consumers, or even outlawing commercial transactions that are deemed to be unfair or unconscionable. For example, fraud law governs the receipt of any thing of value (including personal data) under false pretenses.167 The use of fraud or other deceptive practices in obtaining consumer data could also constitute a violation of both state fraud law and the

163 See, e.g., Glazner v. Glazner, 347 F.3d 1212 (2003) (recording wife’s telephone conversations without her consent)

164 See, e.g., Jacobson v. Rose, 592 F.2d 515 (9th Cir. 1978).

165 See, e.g., CAL. PENAL CODE § 631 (2004)

166 The Massachusetts wiretapping statute, Mass. Gen. Laws. ch. 272, §99 (2004), has been held more restrictive than ECPA, and thus not subject to preemption by the federal law. See United States v. Smith, 726 F.2d 852, 862 (1st Cir. 1984). Accord, Minn. Stat. §§ 626A.13, 626A.32 (unlike ECPA, provides civil remedy for violations involving intrastate communications).

167 See, e.g., William Farnsworth, Contracts § 4.28 (2d. ed. 1990)

Richards Reconciling Data Privacy and the First Amendment 37

Uniform Deceptive Trade Practices Act,168 and fall under the Federal Trade Commission’s power to deter and punish unfair trade practices under section five of the Federal Trade Commission Act.169

A variety of federal laws regulate information collection in the electronic context. Anti-hacking laws such as the Computer Fraud and Abuse Act (“CFAA”) impose criminal penalties on hackers by essentially exporting trespass law to the electronic world. For example, the CFAA imposes criminal punishment on anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from a protected computer.”170 Another federal criminal statute restricts the use of pen registers,171 devices used to capture “dialing, routing, addressing, or signaling information” in electronic or wire communications.172 Federal wiretapping law, of which ECPA is a significant part also proscribes the intentional interception of the contents of an electronic communication such as an e-mail or telephone conversation,173 without the consent of one of the parties to the communication,174 and punishes a violation through both criminal175 and tort law remedies.176 The Children’s Online Privacy Protection Act regulates the collection of information from children by websites, imposing notice and express parental consent requirements.177 And to the extent that websites make representations about their information collection practices in their privacy policies, the Federal Trade Commission reviews these policies under its unfair trade practice jurisdiction.178 One could

168 See, e.g., Hatch v. Fleet Mortgage Group, 158 F.Supp.3d 962 (bank’s failure to disclose to customers that it planned to share customer information with telemarketers stated claim under UDTPA and state fraud law)

169 See Federal Trade Comm’n Act § 5, codified at 15 U.S.C. § 45. The FTC has indicated that it understands the Act to grant it such authority, and has brought actions pursuant to this authority. See, e.g., In re: Gateway Learning Corp, FTC File No. 042-3047 (2004).

170 18 U.S.C. § 1030.

171 18 U.S.C. §§ 3121-27.

172 18 U.S.C. § 3127.

173 18 U.S.C. §§ 2511(1)(a)

174 Id. § 2511(2)(d).

175 Id. § 2511(1) (parenthetical discussing criminal sentence – five years?).

176 Id. § 2520(c)(2). Successful plaintiffs can obtain damages equal to the greater of (1) the sum of the actual damages and the defendant’s profit as a result of the violation or (2) statutory damages equal to the greater of $100 per day of violation or $10,000. Id.

177 15 U.S.C. §§ 6501-06.

178 For example, in 1998 the FTC filed a complaint against a company called GeoCities in 1998 after it “misrepresented the purposes for which it was collecting personal identifying information from children and adults.” GeoCities and the FTC

Richards Reconciling Data Privacy and the First Amendment 38

imagine an expansion of FTC jurisdiction not only to require privacy policies, but also to dictate the substantive content of the trade practices that these policies address.179 Similarly, as part of regulating the commercial relationship between customers and businesses, the law could undoubtedly require that businesses disclose their privacy policies with respect to the subsequent uses and disclosures of data they collect. No one would seriously suggest that regulation of the commercial relationship in this manner implicates the First Amendment, even though one could imagine the disclosures as a kind of forced or compelled speech. Yet no one seriously considers either these privacy examples or examples from outside the privacy context such as SEC or TILA disclosures or FDA labelling requirements to raise First Amendment issues.

My purpose in this discussion of information collection rules has not been to attempt to catalog them systematically, but rather to suggest their ubiquity. Information collection rules are a common feature of both common and statutory law. Perhaps unsurprisingly, then, rules of this sort are not considered to fall within the scope of the First Amendment under either current First Amendment doctrine or theory. Such rules are rules of “general applicability” that neither discriminate against nor significantly impact the freedoms guaranteed by the First Amendment. 180

In at least two cases, however, certain types of information collection rules might be thought to cross over into territory patrolled by the First Amendment. First, reporters engaged in newsgathering, which is one form of information collection, have argued that they have a First Amendment right under the Free Press Clause of the First

settled in 1999. See Federal Trade Commission, Internet Site Agrees to Settle FTC Charges of Deceptively Collecting Personal Information in Agency’s First Internet Privacy Case: Commission Establishes Strong Mechanisms for Protecting Consumers’ Privacy Online, (Aug. 13, 1998), available at <http://www.ftc.gov/opa/1998 /08/geocitie.htm>. Although the settlement has been criticized by scholars for being little more than a slap on the wrist, see, e.g., Paul M. Schwartz, Privacy and Democracy in Cyberspace, 52 Vand. L. Rev. 1609, 1637-38 (1999), the larger point is that information collection regulation of this sort is already within the purview of the FTC, and is not considered to be constitutionally infirm. More recently, the FTC has brought charges against a company called Gateway Learning Services for allegedly renting out customer information collected from its web site to direct marketers, despite promises to the contrary in its privacy policy. See In the Matter of Gateway Learning Corp. No. 042-3047, available at <http://www.ftc.gov/os/caselist/0423047/0423047.htm>.

179 See, e.g., Stephen Hetcher, The FTC as Internet Privacy Norm Entrepreneur, 53 Vand. L. Rev. 2041, 2046-47 (2000).

180 Cohen v. Cowles Media, 501 U.S. 663 (1991).

Richards Reconciling Data Privacy and the First Amendment 39

Amendment to do so. This issue has been particularly salient of late where undercover investigative journalists have been alleged to have committed torts in their pursuit of a story. 181 However, although mindful of the importance of a free and vigorous press corps, courts have declined to grant the press an immunity from lawbreaking in pursuit of a story, even a newsworthy one.182 For example, in the high-profile case of Food Lion, Inc. v. Capital Cities/ABC, Inc.,183 the Fourth Circuit held that investigative journalists who obtained jobs at a grocery store under false pretenses in order to videotape and publish suspected sanitary abuses trespassed and violated the duty of loyalty under state law.184 Although the law is unclear with respect to whether a fraudulently-induced consent to enter onto land is valid,185 and the press may get the benefit of the doubt at the margins,186 no case recognizes a First Amendment investigative privilege granting immunity from generally applicable property and tort rules like trespass.187

The Supreme Court’s First Amendment jurisprudence is clear that although laws singling the press out for special unfavorable treatment are constitutionally suspect,188 even media defendants enjoy no privilege as members of the press against the application of ordinary private law rules in the collection of even newsworthy

181 See O’Neil, supra note 50, at 76-90

182 See, e.g., Dietmann v. Time, Inc., 449 F.2d 245 (9th Cir. 1971) (the First Amendment provides the news media no license to trespass or intrude into the dwelling of another)

183 194 F.3d 505 (4th Cir. 1999).

184 Id. at 510.

185 See Food Lion, 194 F.3d at 517 (collecting cases).

186 Food Lion, 194 F.3d at 517-18.

187 Thus, in Food Lion, although the panel divided on whether the elements of the various state-law torts had been met, compare Food Lion, 194 F.3d at 519-520 with id. at 524 (Niemeyer, J., dissenting), the panel was unanimous in rejecting the media defendants’ argument that the First Amendment created a press privilege to commit torts in the process of newsgathering, see id. at 520-22 (panel op.)

188 Where a law singles out the press for special, unfavorable treatment, it is likely to be invalidated. See Minneapolis Star & Tribune Co. v. Minnesota Comm’r Of Rev., 460 U.S. 575 (1983) (special use tax on ink and paper levied only against periodic publications violates the First Amendment).

Richards Reconciling Data Privacy and the First Amendment 40

information. The Court recognized this principle in Branzburg v. Hayes, when it noted that “[i]t would be frivolous to assert…that the First Amendment, in the interest of securing news or otherwise, confers a license on either the reporter or his news sources to violate valid criminal laws. Although stealing documents or private wiretapping could provide newsworthy information, neither reporter nor source is immune from conviction for such conduct, whatever the impact on the flow of news.”189 Similarly, in Cohen v. Cowles Media, the Court held that “the press may not with impunity break and enter an office or dwelling to gather news.”190 The Court reaffirmed this principle most recently in Bartnicki v. Vopper, expressly quoting its validation of generally applicable information collection rules.191 The Court’s public law cases also imply a similar reasoning. In the Pentagon Papers case, some members of the Court suggested that even though the prior restraint doctrine prevented the government from halting the publication of the secret report, the case might have been quite different had the reporters come before the Court on criminal charges for illegally using classified government documents.192 Similarly, in Wilson v. Layne, the Supreme Court held that police who brought newspaper reporters into a private home during a search pursuant to a valid warrant nevertheless violated the Fourth Amendment.193 The newsmen were in effect trespassers, and their media status was deemed irrelevant to the illegal nature of their presence. These cases establish the principle that ordinary information collection rules create no constitutional problems, even as applied to the press. They are thus an important check on the risk that overbroad First Amendment arguments might constitutionalize the interactions between the press, and the whole of the private law – not to mention the risk that the malleable definition of the “press” could constitutionalize all information collection.

189 408 U.S. 665, 691 (1972)

190 501 U.S. 663, 669 (1991).

191 Bartnicki, 532 U.S. at 532 n.19.

192 New York Times v. United States, 403 U.S. 713, 730 (1971) (several criminal laws protecting government property and preserving government secrets, although not before the court, “are of very colorable relevance to the apparent circumstances of these cases”).

193 Wilson v. Layne, 526 U.S. 603, 614 (1999).

Richards Reconciling Data Privacy and the First Amendment 41

Second, even neutral rules regulating conduct such as information collection fall within the scope of the First Amendment when they have a substantial effect upon “conduct with a significant expressive element.”194 In such cases the Court applies intermediate scrutiny consistent with its content neutral speech restrictions jurisprudence.195 One can imagine science fiction-style hypotheticals that would bring information collection rules within this doctrine – for example a law forbidding the keeping of records or outlawing cameras. But such laws would probably violate the First Amendment as well under the overbreadth and vagueness doctrines or might even fail rational basis review without calling into question the undeniable constitutionality of ordinary information collection rules.196

The larger point to be drawn from these counter-examples is not that ordinary information collection rules raise First Amendment issues. To the contrary, even reporters have had a difficult time asserting a First Amendment privilege against neutral information collection rules. Information collection by non-media entities raises even fewer First Amendment concerns than does newsgathering by the 197 And if there are essentially no First Amendment problems press. with subjecting the press to the basic principles of generally-applicable laws, privacy rules regulating data collection by non-media entities would fall outside the scope of the First Amendment as well. Thus, since reporters cannot claim such a privilege as within the scope of the First Amendment, it is difficult to envision businesses mounting a colorable free press challenge to consumer-protective privacy rules regulating information transactions. This is particularly the case where many such rules regulate the commercial relationship between consumer and businesses. In sum, because there are no First Amendment problems with using generally-applicable property and tort law to separate the private sphere from the public sphere, the First

194 Arcara v. Cloud Books, Inc., 478 U.S. 697, 706-707 (1986).

195 In addition to id., see also City of Ladue v. Gilleo, 512 U.S. 43 (1994) (ordinance prohibiting residents from installing yard signs warrants heightened First Amendment review because it closes off an entire important medium for expression)

196 See Rodney A. Smolla, Privacy and the First Amendment Right to Gather News, 67 Geo. Wash. L. Rev. 1097, 1128 (1999).

197 Cf. Food Lion, 194 F.3d at 520 (noting that application of ordinary private law rules to newsgathering does not violate the First Amendment, even though newsgathering by the media is a protected activity under the Press Clause of the First Amendment).

Richards Reconciling Data Privacy and the First Amendment 42

Amendment critique is simply inapplicable to information collection rules.

B. Information Use Rules

The second category of information flow restrictions are restrictions on information use placed on recipients of data. Information use is an analytically distinct activity from information collection, but it is similarly unproblematic from a First Amendment perspective. Information use rules regulate the ways in which data about individuals can be processed, applied, or otherwise used by a person or organization. This category of rules does not include the transfer, sale, or disclosure of the data to third parties.198 Information use rules that might be relevant to the data privacy debate would include the so-called “secondary use prohibition”:199 the requirement that data collected for one purpose may be used for that purpose only, absent consent. For example, the secondary use prohibition might operate to bar an Internet Service Provider from using the fact that a person visits political fringe or sex-oriented websites from using that information to send them personalized advertisements. Alternatively, a use rule might prevent either my bank or a company that collects my personal information as part of purchase of a novel from using that information to create a customer marketing database.200 Still other sorts of information use rules could include a prohibition on the use of Social Security Numbers as a globally unique personal identifier to more easily organize, combine, assemble and process consumer data profiles.201

As with information collection rules, information use rules permeate the common law and statute books of federal and state law.202 For example, it is a violation of the professional ethics regulating the bar for a lawyer to use information obtained from their

198 These are the information disclosure rules that I discuss in the next Section.

199 See Peter P. Swire, The Surprising Virtues of the New Financial Privacy Law, 86 Minn. L. Rev. 1263, 1294-1314 (2002).

200 See generally id.

201 Concern about the improper use of Social Security Numbers dates back to the 1973 Department of Health, Education, and Welfare report discussed supra. See U.S. Dept. of Health, Educ., & Welfare, Records, Computers, and the Rights of Citizens: Report of the Secretary’s Advisory Comm. on Automated Personal Data Systems (1973), available at <http://www.epic.org/privacy/hew1973report/c8.htm>.

202 See Cal. Stat. § 19-11-710 (regulating use of confidential information by employers).

Richards Reconciling Data Privacy and the First Amendment 43

client for any purposes unrelated to the client’s interests.203 It is also a violation of numerous federal and state antidiscrimination laws to use the fact that a person is a member of a protected class in order to deny them equal treatment with others or take any one of a variety of other actions.204 Trade secret law prohibits the use or disclosure of another’s trade secrets.205 Similarly, it is a violation of federal patent law to use the information contained in someone else’s patent to build the invention described in that patent.206 States place use conditions on information obtained from their motor vehicle records,207 and Federal law places similar use restrictions on census data. 208 None of these rules are thought to create constitutional problems, or to implicate activity falling within the scope of the First Amendment.

203 The current (2002) Model Rules of Professional Conduct impose both a duty of confidentiality and a duty not to use information, which varies depending on whether the client is a “prospective client,” current client or former client. MRPC 1.18 governs prospective clients, MRPC 1.6 and 1.8(b) govern current clients and MRPC 1.9(c) governs former clients.

204 See, e.g., See Civil Rights Act of 1964, Title VII, 42 U.S.C.A. §2000e-2 (1964) (“It shall be an unlawful employment practice for an employer– (1) to fail or refuse to hire or discharge any individual, or otherwise to discriminate against any individual with respect to his compensation, terms, conditions, or privileges of employment, because of such individual’s race, color, religion, sex, or national origin…”)

205 Restatement (Third) of Unfair Competition § 39 (“A trade secret is any information that can be used in the operation of a business or other enterprise and that is sufficiently valuable and secret to afford an actual or potential economic advantage over others.”).

206 35 U.S.C.A. § 271(a) (2004). See also Nef Instruments Corp. v. Cohu Electronics, Inc., 269 F.2d 668 (9th Cir. 1959) (the bare manufacture of a single device protected by a patent is infringement, even if device is never used or sold).

207 See, e.g., R.I. Code § 4501.27 (Rhode Island statute regulating use of information obtained in connection with motor vehicle records).

208 See, e.g., 13 U.S.C.A. § 8 (barring “use” of census information “to the detriment of any respondent”).

Richards Reconciling Data Privacy and the First Amendment 44

The Electronic Communications Privacy Act also imposes a use restriction on information that is obtained in violation of its information collection prohibition on intercepting the contents of electronic, wire, or aural communications.209 ECPA’s information use prohibition has been upheld in a variety of contexts involving different uses of information, including the use of intercepted communications from a commercial rival to create a competing product,210 to read a document or listen to a recording obtained as a result of the interception, 211 to invest in securities,212 to take adverse employment actions against employees or subordinates,213 to use in family or criminal court proceedings,214 or criminal or administrative investigations,215 and to use as the basis for blackmail.216

Information use rules, just like information collection rules, are generally held to be outside the scope of the First Amendment under current doctrine. In Bartnicki v. Vopper,217 the Supreme Court assessed the First Amendment implications of the Wiretap Act’s prohibition of the use or disclosure of intercepted communications.218 The Court drew a sharp distinction between the use of a communication under § 2511(1)(c) of the Act from its disclosure under § 2511(1)(d), reasoning that while disclosures of information could certainly constitute speech, “the prohibition against the ‘use’ of the contents of an illegal interception in §2511(1)(d), … [is] a regulation of conduct.”219 As a content-neutral regulation of conduct, ECPA’s information use rule would fall outside the scope of the First Amendment unless, like the information collection rules discussed

209 18 U.S.C. § 2511(1)(c).

210 S. Rep. No. 1097, 90th Cong., 2d Sess. 67 (1968).

211 Thompson v. Dulaney, 838 F. Supp. 1535 (D. Utah 1993) (holding such activities to constitute a violation of ECPA separate from the interception itself).

212 S. Rep. No. 90-1097 (1968), reprinted in 1968 U.S.C.C.A.N. 2112, 2115-16 nn.16-17.

213 Dorris v. Absher, 959 F. Supp. 813, 815-17 (M.D. Tenn. 1997), af’d in part, 179 F.3d 420 (6th Cir. 1999).

214 See, e.g., Bess v. Bess, 929 F.2d 1332 (8th Cir. 1991).

215 See In re Grand Jury, 111 F.3d 1066, 1077-1079 (3d Cir. 1997) (disclosure of illegally recorded conversation to grand jury, even where such disclosure would be in compliance with subpoena)

216 Fultz v. Gilliam, 942 F.2d 396, 400 n.4 (6th Cir. 1991).

217 532 U.S. 514, 526-27.

218 See 18 U.S.C. §§ 2511(1)(c) (use)

219 Bartnicki, 532 U.S. at 526-27 (footnote omitted).

Richards Reconciling Data Privacy and the First Amendment 45

above, it had a substantial effect upon expressive activity. As the Court strongly implied in Bartnicki, virtually all of the activities that prior cases have held to constitute a “use” of intercepted information would therefore be constitutionally unproblematic.220 I will return to the disclosure issue (and to Bartnicki) in Section D, but for present purposes, it is important to note the Court’s clear distinction between regulating the use of information – which regulates nonspeech conduct largely outside the scope of the First Amendment – and regulating the disclosure of information which in some circumstances (like the radio broadcast at issue in Bartnicki) regulates speech.

The issue of whether an information use rule violated the First Amendment was assessed peripherally in the U.S. West litigation, in which the telephone companies wanted to use customer information they had received for one purpose (as an incident to providing phone service) for an unrelated purpose (marketing). Laurence Tribe argued on their behalf that the processing of personal data by telephone companies is speech entitled to full First Amendment protection. 221 The Tenth Circuit accepted this version of the First Amendment critique and partially agreed. Perhaps unwilling to deal with Tribe’s argument that the use and processing of data within a company was speech entitled to greater protection than commercial speech, the court concluded that the regulations as a whole placed a restriction on U. S. West’s “targeted speech to its customers … for the purpose of soliciting those customers to purchase more or different telecommunications services,” and thereby burdened the company’s commercial speech rights.222 The use of the information, it asserted, was “integral and inseparable from” the commercial solicitation.223 Applying the Central Hudson test for commercial speech restrictions, the Court thus invalidated the regulation by determining that the opt-in requirement did not directly and materially advance the state interest in protecting consumer privacy,224 and that it was not narrowly tailored

220 Bartnicki, 532 U.S. at 526-27 &527 n.10 (citing favorably a long list of such examples proffered by the Solicitor General)

221 See Brief of Appellant U.S. West, Inc., U.S. West v. F.C.C., at 6 (10th Cir. 1999).

222 U.S. West, 182 F.3d 1224, 1232-33 (10th Cir. 1999).

223 Id. at 1233 n.4.

224 Id. at 1237-38.

Richards Reconciling Data Privacy and the First Amendment 46

because a less-restrictive alternative was readily available.225 The Court also questioned, without deciding, whether a vague interest in protecting consumers from the embarrassment of the disclosure of their data amounted to a substantial government interest.226

Such reasoning appears to be clearly wrong under existing law. The FCC rules allowed the telephone companies to advertise to all of their customers, but only prohibited them from using the information to target the advertisements without approval – an ordinary example of the secondary use prohibition common to codes of fair information practices.227 The only relevant burden placed on the telephone companies in this context by the FCC’s regulations was on their ability to use, absent advance customer approval, the customer information they collected from those customers in the course of their commercial relationship to “target” advertisements to them – that is, to select the customers most likely to be receptive to such advertisements.228 The rules were thus not a regulation of speech at all, but rather a regulation of information use – a business activity in deciding to whom to market their products. The only burden placed upon the telephone companies was that their advertisements had to be sent to all of their customers, thus making those advertisements less cost-effective. Conduct (and economic conduct at that) was thus all that was regulated, and the Supreme Court has made clear that conduct can be regulated without implicating the First Amendment. The U.S. West example is thus but another example of the First Amendment critique persuading courts to ask the wrong questions about the First Amendment – that is, to ask the protection question first without asking the scope question and considering whether the activity being regulated is really speech within the scope of the First Amendment.

In sum, under established precedent, the conduct of using information, like the conduct of gathering information, can be regulated through generally-applicable laws without implicating the First Amendment in most cases, because information use rules generally regulate non-expressive conduct rather than speech.

C. Information Disclosure Rules.

The third category of information restrictions implicated by fair information practices are restrictions on the disclosure of personal information. Information disclosure rules regulate the ability of

225 Id. at 1238-39.

226 Id. at 1234-36.

227 See Swire, supra note 199, at 1294-1314.

228 16 C.F.R. § 310.4(b)(1)(iii)(B).

Richards Reconciling Data Privacy and the First Amendment 47

persons in possession of information to communicate, sell, or otherwise transfer that information to others. Information disclosure rules can take a variety of forms, including evidentiary privileges, Warren & Brandeis’ tort of nondisclosure of private facts, The Video Privacy Protection Act, and duties of confidentiality and nondisclosure placed upon lawyer and financial advisers.

Information disclosure rules run throughout American law, which is replete with legal obligations placed on one person not to disclose information about another. While parties are of course generally free to create consensual contracts that regulate their ability to disclose information,229 public and private law regimes impose many other mandatory duties of confidentiality that go beyond contract to prevent the disclosure of information through speech or other means. For example, doctors,230 lawyers,231 and other professionals owe their clients duties of confidentiality, and can be punished through administrative and tort law remedies if they breach these duties by telling these confidences to others. These duties of nondisclosure are buttressed by analogous evidentiary privileges, which give clients the ability to prevent their lawyers232 and doctors,233 from speaking against their interests, presumably even when the content of the testimony would be quite newsworthy. Evidence law of course goes further and grants testimonial privileges to present and former spouses, family members, psychotherapists,234 and others.235

229 See, e.g., Volokh, supra note 3, at 1057.

230 See AMA Code of Medical Ethics, §5.05 (1994) (“The physician should not reveal confidential communications or information without the express consent of the patient, unless required to do so by law.”).

231 See supra note 203 and accompanying text.

232 See, e.g., Upjohn Co. v. United States, 449 U.S. 383, 389 (1981) (“The attorney-client privilege is the oldest of the privileges for confidential communication known to the common law.”)). See also CAL. EVID. CODE §954 (Deering 1997 & Supp. 1998) (codifying attorney-client privilege)

233 See, e.g., CAL. EVID. CODE §994 (Deering 1997 & Supp. 1998) (codifying doctor-patient privilege)

234 Jafee v. Redmond, 518 U.S. 1, 17 (1996) (recognizing psychotherapist¬patient privilege with licensed psychologists, psychiatrists, and licensed social workers in the course of psychotherapy). See also, MASS. GEN. LAWS ch. 233, §20B (West 2000) (codifying psychotherapist-patient privilege)

235 Some states recognize a priest-penitent privilege. See, e.g., IND. CODE § 34-46-3-1 (1999)

Richards Reconciling Data Privacy and the First Amendment 48

In the commercial context as well, many legal rules impose duties of nondisclosure or confidentiality. For example, agency law imposes a general duty of confidentiality upon agents not to disclose their principal’s information.236 State trade secret law enforces a mandatory regime of nondisclosure that prohibits, inter alia, the disclosure of trade secrets to competitors.237 The federal Economic Espionage Act also prohibits the disclosure, sale, or receipt of trade secrets, and punishes individual violations with up to 10 years’ imprisonment and institutional violations with fines of up to $5 million.238 Federal securities laws, antitust laws, and labor law impose numerous duties of nondisclosure of truthful information upon corporations.239

Federal statutory law imposes numerous duties of confidentiality under the federal commerce power. Recent federal statutes place nondisclosure obligations upon banks with respect to customer information240 and hospitals with respect to patient medical information.241 Federal law also imposes duties of confidentiality upon cable companies and video stores, charging them with keeping confidential the videos watched by their customers.242 ECPA provides that the disclosure of an intercepted communication is a separate violation from the interception and use of that communication.243 Another provision of federal wiretapping law places a duty of confidentiality upon Internet Service Providers with respect to the content of e-mails sent and received by their customers.244

privilege. See, e.g., 225 ILL. COMP. STAT. 450/27 (2004)

236 See Restatement (Second) of Agency § 395 (1958) (“Unless otherwise agreed, an agent is subject to a duty to the principal not to use or to communicate information confidentially given him by the principal or acquired by him during the course of or on account of his agency or in violation of his duties as agent….”).

237 See supra note 205.

238 18 U.S.C. §§ 1831-32.

239 See Schauer, supra note 91, at 1778-81 (collecting examples).

240 See Financial Servs. Modernization Act of 1999, Pub. L. No. 106-102 (codified at U.S.C. §§ 6801-09) (more commonly known as the “Gramm-Leach-Bliley Act”).

241 See Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified in scattered sections of 18, 26, 29, and 42 U.S.C.A.)

242 See Video Privacy Protection Act of 1988, Pub. L. No. 100-618, codified at 18 U.S.C. § 2710-11

243 18 U.S.C. § 2511.

244 See 18 U.S.C. § 2701.

Richards Reconciling Data Privacy and the First Amendment 49

Most commercial nondisclosure or confidentiality rules have never been thought to cause any First Amendment problems, and thus fall outside the scope of the First Amendment’s protection

245 Schauer, supra note 91, at 1777-84

246 See, e.g., Bartnicki v. Vopper, 532 U.S. 528, 526-28 (2001).

247 See Bartnicki v. Vopper, 532 U.S. 528, 526-28 (2001) (radio station cannot be prohibited from publishing newsworthy information of public concern, even where such information had been illegally obtained by a third party)

248 491 U.S. 524 (1989).

249 Volokh, supra note 3, at 1051

Richards Reconciling Data Privacy and the First Amendment 50

solutions – are cognizable options given the dictates of the First Amendment.

The contemporary First Amendment critique is part of a larger tradition of scholarship and jurisprudence regarding the tension between the First Amendment and the classic formulation of the privacy tort. Indeed, to properly understand the critique, as well as some of its core assumptions and limitations, a brief exploration of its origins is helpful. Although American law has long protected various aspects of privacy (including data privacy),250 modern thinking about the right of privacy is often traced to Warren and Brandeis’ privacy article, in which their concern was not primarily data privacy, but rather media use of private information. 25 1 In particular, Warren and Brandeis sought to use common law tort rules as a possible remedy for the collection and publication of personal details about famous persons by newspapers and magazines.252 Although such a clear attempt to regulate the publication of truthful information by the press would appear in direct tension with modern First Amendment doctrine, the Supreme Court at that time had yet to begin its project of giving the First Amendment pre-emptive force over tort law.253 Thus, although cases implicating the privacy tort during the first half of the twentieth century largely involved to address the problem of “appropriation privacy,” the appropriation of another’s likeness for commercial 254 the tort was given its real birth as a result of the work of purposes, William Prosser in the period immediately after the Second World War.255 Prosser revised and restated the privacy tort into four separate strands – “appropriation privacy”

250 See, e.g., Note, The Right to Privacy in Nineteenth Century America, 94 Harv. L. Rev. 1892 (1981) (arguing that the right of privacy identified by Warren and Brandeis was predated by the broad protection given under nineteenth century law to private property, confidential communications, and personal information).

251 See Warren & Brandeis, supra note 4, at 195.

252 Id.

253 See, e.g., Neil M. Richards, “The Good War,” The Jehovah’s Witnesses, and the First Amendment, 87 Va. L. Rev. 781 (2001) (noting that the Supreme Court’s solicitude for First Amendment rights did not begin in earnest until the Second World War).

254 See G. Edward White, Tort Law in America, 174 (1985) (citing Roberson v. Rochester Folding Box Co., 171 N.Y. 538 (1902)

255 See White, supra note 254, at 173-76.

256 William Prosser, The Law of Torts 638 (1955).

Richards Reconciling Data Privacy and the First Amendment 51

of the third strand – the tort punishing the publication of truthful but private information – rejuvenated the argument of Warren and Brandeis. Indeed, Prosser expressly credited Warren and Brandeis with the “origins” of the privacy tort,257 even though he had done almost as much to establish it as a recognized and refined body of law.258 Prosser’s taxonomy of the tort of privacy in the various editions of his treatise between 1941 and 1960 gave order to the various strands of doctrine at a time when the Supreme Court was beginning to address the role of the First Amendment in tort law. Prosser and others warned of the tension between the First Amendment and the tort of publication of private information,259 and the Supreme Court seemed to confirm this warning in its line of privacy cases, in which the private plaintiffs lost and the newspapers 260 As a result, there is an enormous literature discussing whether won. the post-New York Times v. Sullivan First Amendment dooms the disclosure tort completely.261

In light of these cases, scholars – and privacy scholars in particular – have been quite gloomy about the prospects of privacy. However, such a prognosis tends again to confuse the outcomes of a handful of reported cases with the full extent of the law in actual practice.262 As noted above, while privacy and speech have been in famous conflict involving the nondisclosure tort as applied to newspapers, privacy and speech have coexisted harmoniously throughout the overwhelming majority of nondisclosure rules, which have never raised constitutional challenges.263 The Supreme Court may have held in favor of press immunity from privacy rules in each of the Florida Star/Bartnicki line of cases, but it certainly does not follow from this fact that nondisclosure rules applied in other circumstances – for example, to non-press entities engaged in ordinary commercial activity – are constitutionally suspect. First, the Court has made quite clear in each of these cases that it was ruling narrowly believing “that the sensitivity and significance of the interest presented in clashes between [the] First Amendment and privacy rights counsel relying on limited principles that sweep no more broadly than the

257 William Prosser, the Law of Torts 1050 (1941).

258 See White, supra note 254, at 173, 175.

259 See William Prosser, Privacy, 48 Calif. L. Rev. 383, 389, 422 (1974)

260 See cases cited supra note 247.

261 See Peter Edelman, Free Press v. Privacy: Haunted by the Ghost of Justice Black, 68 Tex. L. Rev. 1195 (1990).

262 See supra Section II.B.

263 See supra notes 230-245.

Richards Reconciling Data Privacy and the First Amendment 52

appropriate context of the instant case.”264 Second, in light of these concerns, the Court has repeatedly declined to address the issue of “whether truthful publication may ever be punished consistent with the First Amendment.”265 Third, all of these cases involve media defendants publishing allegedly newsworthy facts, which will rarely be the case in the vast majority of nondisclosure rules, even though it will tend to produce a few high-profile cases from time to time.

Where, then, do nondisclosure rules fall under current doctrine? If the privacy tort is dead, why is our law filled with nondisclosure rules we find constitutionally unproblematic, and, indeed, have never envisioned fell within the scope of the First Amendment? As Schauer might put it, why have we not perceived the constitutional salience of other nondisclosure rules like the attorney-client privilege or the Video Privacy Protection Act? Some privacy scholars have proffered the concept of “private speech” as a justification for sustaining nondisclosure rules against the First Amendment. 266 Building upon Warren and Brandeis’ distinction between matters of public and matters of private interest,267 these scholars suggest that courts should develop a category of speech that is “private” or at least not a matter of public concern that could rejuvenate the tort of disclosure of private facts against the press. Although the Supreme Court has declined to hold categorically whether truthful speech on a matter not of public concern may ever be restrained consistent with the First Amendment,268 the “private speech” theory has some support in First Amendment doctrine. For example, in Dun & Bradstreet v. Greenmoss Builders,269 a plurality of the Court noted in a private-figure trade libel case that speech not on matters of public concern receives “less stringent” First Amendment protection.270 Even in Bartnicki v. Vopper, a case received gloomily by most privacy scholars,271 the Court strongly implied that the First Amendment could only defeat privacy where the speech being

264 Bartnicki, 532 U.S. at 529 (quoting Florida Star, 491 U.S. at 532-33).

265 Id.

266 See, e.g., Edelman, supra note 261, at 1229-30

267 Cf. Warren & Brandeis, supra note 4, at 214.

268 See, e.g., Bartnicki, 532 U.S. at 529 (noting “this Court’s repeated refusal to answer categorically whether truthful publication may ever be punished consistent with the First Amendment”).

269 472 U.S. 749 (1985).

270 Id. at 760.

271 See, e.g., Katy J. Lewis, Bartnicki v. Vopper: A New Bully In the Schoolyard of Private Expression, 70 Tenn. L. Rev. 859, 886 (2003) (Court diminished individual privacy rights in Bartnicki).

Richards Reconciling Data Privacy and the First Amendment 53

regulated was a “unquestionably a matter of public concern.”272 However, such a theory is mostly unhelpful to the protection of the vast majority of consumer data privacy laws for a couple of reasons. First, by attempting to justify privacy rules against media disclosures, it lumps the easy case of consumer privacy rules with the hard case of privacy against the press. In so doing, it necessarily concedes that privacy rules are speech rules. Second, requiring courts to determine whether speech was “public” or “private” would be incredibly difficult and likely lead to indeterminate and inconsistent outcomes.

It is not necessary to develop a new jurisprudence of private speech to sustain consumer privacy rules, as existing doctrine is more than adequate to protect such rules without entering into the scope of First Amendment protection. With the historical context of privacy and speech in mind, I believe that two additional factors help explain not only why consumer privacy rules have not been thought to implicate the First Amendment, but also why such rules do not in fact do so. First, many forms of nondisclosure rules are indeed enforceable through express or implied contracts. Second, generally applicable law can operate to create a kind of “information contraband”273 to which nondisclosure obligations can be attached without encroaching upon the scope of the First Amendment.

1. Contract-based Nondisclosure Rules. Contract as a basis for nondisclosure rules is an uncontroversial proposition in the privacy literature, even among the First Amendment critics.274 Two parties can certainly create an information nondisclosure contract that the courts will enforce, even if the party agreeing to keep the information secret is a newspaper and the information is newsworthy. Indeed, the Supreme Court has made clear that there does not even need to be an enforceable contract to hold the media liable for damages under such circumstances. In Cohen v. Cowles Media,275 the Court upheld the application of promissory estoppel principles to allow a plaintiff to recover against a newspaper that had broken its promise of confidentiality to him. The plaintiff had disclosed embarrassing information relating to the state Lieutenant Governor’s prior criminal

272 Bartnicki, 532 U.S. at 535. See also Glickman v. Wileman Brothers, 521 U.S. 455 (1997) (First Amendment analysis inapplicable to mandatory assessment to business used for generic pro-industry advertising)

273 See Rodney Smolla, Information as Contraband: The First Amendment and Liability for Trafficking in Speech, 96 Nw. U.L.Rev. 1099 (2002).

274 See Volokh, supra note 3, at 1057.

275 501 U.S. 663 (1991).

Richards Reconciling Data Privacy and the First Amendment 54

record in exchange for the newspaper’s promise to keep his identity secret. The newspaper then published the allegations along with the plaintiff’s name. Writing for the Court, Justice White held that the state’s “generally-applicable law” of promissory estoppel could be enforced against the newspaper because “generally applicable laws do not offend the First Amendment simply because their enforcement against the press has incidental effects on its ability to gather and report the news.”276

Eugene Volokh reads Cohen as merely establishing the principle that the First Amendment does not generally prohibit the enforcement of express or implied speech-restricting contracts against the press.277 Volokh acknowledges that this principle allows government to impose statutory default nondisclosure rules upon a variety of relationships in which ordinary social conventions include an expectation of confidentiality, including doctors, lawyers and even video stores at the outer limits.278 However, he suggests that this general principle is subject to two significant limitations. First, it only allows people to restrict the speech of persons with whom they have a contract, and does not cover third parties who are outside the scope of contractual or quasi-contractual privity. Second, it does not justify mandatory government-imposed nondisclosure rules that the parties cannot waive.279

Volokh’s category of unobjectionable speech restrictions based on a contract theory is significantly broader than it might appear at first blush. First, his use of contracts as a limiting principle is unpersuasive on its own terms. Volokh concedes that implied contracts are also outside the First Amendment. Viewing “implicit” contracts, broadly defined, as falling outside the scope of the First Amendment thus includes not only contracts that can be implied from the circumstances surrounding a transaction, but also default statutes setting up the terms of a transaction but giving parties the option of bargaining around the rule.280 Volokh also admits that the government can supply default rules to relationships that social convention considers confidential, and suggests that the U.S. West case was incorrectly decided.281 However, this additional concession gives

276 Id. at 669

277 Volokh, supra note 3, at 1057-58.

278 Id. at 1058-60.

279 Id. at 1061-62.

280 See Schwartz, supra note 65, at 1569-71.

281 Volokh, supra note 3, at 1060 n.37.

Richards Reconciling Data Privacy and the First Amendment 55

away most of the game, because virtually all nondisclosure rules outside the media context tend to reinforce implicit social conventions of confidentiality – for example, as Volokh recognizes that the Video Privacy Act recognizes such an arrangement in keeping video rentals secret.282 But once the law can modify such a relationship, it is hard to see where such a principle would stop, other than to render all default rules constitutional. Moreover, to the extent that law can reinforce social norms, a privacy rule applied to an area where there is no existing social convention of confidentiality could, over time, create new such norms. For example, scholars have argued that this is exactly what FTC regulation of privacy policies achieves in the Internet context.283 And terms should be able to be supplied to constructive “relationships” as well. Just as the law can unremarkably impose duties of confidentiality upon a lawyer when the client reasonably believes that an attorney-client relationship exists, it would seem to follow that other duties could be given to regulate the ways profiling and marketing companies use sensitive customer data including massive profile databases. Thus, Volokh’s acceptance of implied contracts seems to permit the government to supply a whole range of default rules to any relationship involving privacy that the government thinks reasonable to regulate.

Volokh’s second limiting principle is that while default rules may be permissible, mandatory rules violate the First Amendment. This argument is also unpersuasive. First, Volokh offers little justification for the claim that mandatory rules are somehow different from default rules from a First Amendment perspective, other than to note that the essence of contract is consent, which the Court in Cohen recognized.284 But other regimes operate to supply mandatory nondisclosure rules without falling within the scope of the First Amendment. For example, trade secret law places a mandatory obligation on those who come across trade secrets not to disclose them to others, even where the person who comes across the secret has no relationship to the trade secret holder.285 Similarly, contract law supplies a whole host of mandatory terms in the consumer context where there is reason to believe that diminished capacity exists with no constitutional issues being raised.286 This includes the legislative

282 Id. at 1059.

283 See, e.g., Stephen Hetcher, The FTC as Internet Privacy Norm Entrepreneur, 53 Vand. L. Rev. 2041 (2000).

284 See Volokh, supra note 3, at 1062 &n.3 (citing Cohen).

285 See generally Roger E. Schechter & John R. Thomas, Trade Secret Law § 24.3 (West 2003).

286 See generally William Farnsworth, Contracts § 1.10 (2d. ed. 1990).

Richards Reconciling Data Privacy and the First Amendment 56

prohibition of certain types of transactions where the bargain itself is thought to be unconscionable.287 In analogous contexts involving consumer privacy, then, mandatory rules should be equally unproblematic – for example the Children’s Online Privacy Protection Act, which does not give children the right to waive their privacy rights and prohibits companies from collecting information about children without parental consent.288 Similarly, scholars have noted that the fact that many consumers do not understand the technology of the Internet, the legal language of privacy policies, or the nature of the trade in personal information leads to a form of “privacy myopia,” in which consumers sell their data too frequently or too cheaply.289 This leads to the phenomenon where consumers who care deeply about privacy nevertheless sell their information bit by bit for frequent flier miles.290 If a legislature were to conclude that consumers were behaving myopically in information transactions, it could certainly conclude that they might not be capable to waive their privacy rights in the context of such a transaction, just as a legislature might police standard-form contracts or consumer credit transactions in the offline context. In all of these examples, economic policing of the risk of unconscionability would be assessed under the rational basis review reserved for economic regulation generally.291

Contract thus provides a quite expansive rationale for regulating consumer privacy transactions outside the scope of the First Amendment. Particularly when we recognize the enormous power that legislatures possess to structure and regulate the terms of economic transactions, the regime of contract law grants policymakers a wide variety of regulatory tools, including the power to supply both default and mandatory terms to transactions. Such instances of contractual commercial regulation are well outside the scope of the First Amendment.

2. Creation of Nondisclosure Rules via Generally Applicable Law. Promissory estoppel is a broader theory of liability than contracts at law, but it is still essentially a contractual remedy, albeit one that imports concepts of reliance and equity.292 Another theory

287 See id. at § 4.28.

288 See Children’s Privacy Protection Act of 1998, 15 U.S.C. §§ 6501 et seq.

289 See Froomkin, supra note 26, at 1502.

290 Id.

291 See infra Part IV.B.

292 See Restatement (Second) of Contracts § 90 (“Obligations and remedies based on reliance are not peculiar to the law of contracts. This Section is often referred to in terms of ‘promissory estoppel,’ a phrase suggesting an extension of the doctrine of estoppel.”).

Richards Reconciling Data Privacy and the First Amendment 57

under which a wide variety of nondisclosure rules can be justified outside the scope of the First Amendment is the related concept of “generally applicable law.” Cohen did not rest on a theory that merely contract insulates speech restrictions from First Amendment difficulties, but rather a much broader theory that the larger category of generally applicable laws that do not have a significant impact on expressive activity do not violate the First Amendment, at least insofar as they do not impose a significant impact upon protected, expressive conduct.293 “Generally applicable laws” are a broader category, of which contract is but one doctrinal strand of several. Such a conclusion is confirmed by several other cases. For example, in Seattle Times Co. v. Rhinehart,294 the Court held that a protective order placed on a newspaper involved in litigation could be validly applied to the newspaper to prevent it from disclosing the contents of newsworthy information it learned as a result of the discovery process. Indeed, extrapolating from Rhinehart, Lucas Powe – no enemy of the press, to be sure – has argued that “if the press broke into a building and pillaged files – or planted bugs – and later published, then the publication could be taken as insult upon injury” and the press could therefore be subjected to liability for publication of the wrongfully obtained information.295 Such a principle is fully consistent with Bartnicki and the other cases in which the Court has invalidated public laws and tort actions that have interfered with the media’s First Amendment rights, because central to the holding in each of those cases is the fact that the information published by the media in violation of the information disclosure rule was lawfully obtained by the media.296 Read together, these cases suggest that information disclosure rules that are the product of generally applicable laws fall outside the scope of the First Amendment. Where information is

293 Although it did not say so expressly, the Court’s rejection of the claim made by Justice Souter in dissent that its holding would “inhibit truthful news reporting,” id. at 671, suggests that the Court determined that promissory estoppel did not have a significant impact on First Amendment values so as to subject it to intermediate scrutiny under Arcara/O ‘Brien. See supra notes 194-195 and accompanying text.

294 467 U.S. 20 (1989).

295 Lucas A. Powe, Jr., The Fourth Estate and the Constitution 176 (1991).

296 See, e.g., Cox Broad. Corp. v. Cohn, 420 U.S. 469, 496-97 (1975) (“Appellee has not contended that the name was obtained in an improper fashion or that it was not on an official court document open to public inspection. Under these circumstances, the protection of freedom of the press provided by the First and Fourteenth Amendments bars the State of Georgia from making appellants’ broadcast the basis of civil liability.”)

Richards Reconciling Data Privacy and the First Amendment 58

received by an entity in violation of some other legal rule – whether through breach of contract, trespass, theft, or fraud – the First Amendment creates no barrier to the government’s ability to prevent and punish disclosure. This is the case even if the information is newsworthy or otherwise of public concern.297 In this regard, the information is a kind of contraband, and traffic in it (at least by those with unclean hands) can be regulated.

Volokh argues that such a principle could be used to justify troubling laws in the name of “privacy,” such as a law providing that all questions by reporters would carry with them an implicit promise of confidentiality, or “a law providing that people who buy a product implicitly promise to give the seller equal space to respond to any negative article they publish about the product, unless the seller consents in writing after being given full disclosure of the true purpose for which the product is being bought.”298 However, unlike the law upheld in Cohen, neither of these examples are really laws of general applicability. Because both laws would have a significant impact upon expressive activity on matters of public concern, they would likely trigger intermediate scrutiny under current doctrine.299 Additionally, because the media confidentiality law singles the media out for special unfavorable treatment, it would be treated to strict scrutiny.300 Both examples are thus a long distance from the ordinary nondisclosure rules that permeate American law.

Ordinary nondisclosure rules (even mandatory ones) are a far distance from the speech restriction upheld in Cohen in another respect as well. Cohen did not just involve information that was unlawfully obtained, but also information that was disseminated by the press, which the Court has long recognized to fill an important social function of disseminating newsworthy information. From a First Amendment perspective, no such equivalently important social function (at least from a constitutional perspective) is played by database companies engaged in the trade in personal data. Indeed, a general law regulating the commercial trade in personal data by database, profiling, and marketing companies is far removed from the core speech protected by the First Amendment, and is much more like the “speech” outside the boundaries of heightened review.301

297 Cf. Bartnicki, 532 U.S. at 532 & n.19.

298 Volokh, supra note 3, at 1058.

299 See supra notes 194-195 and accompanying text.

300 See supra note 188.

301 Cf. Greenawalt, supra note 99

Richards Reconciling Data Privacy and the First Amendment 59

Thus, even though some information disclosures can be viewed as speech within the scope of the First Amendment, information disclosure rules regulating non-newsworthy information or disclosures of information that was not lawfully obtained (regardless of whether it is newsworthy or not) are outside the scope of the First Amendment and are thus constitutionally sound.

D. Regulation of Direct Marketing

Regulation of direct marketing – whether junk mail, a telemarketing call, unsolicited spam e-mails, or some other means – is undeniably regulation of speech. Indeed, it may seem odd to even categorize a telemarketing call as the regulation of an information flow, except insofar as the information flowing in this case is an invitation to purchase a product. However, because this issue is tied up in both the database problem, the First Amendment critique, and in the larger free speech and database privacy debate, it is worth some examination, if only to show the ways in which it differs from the other stages, and to demonstrate how the First Amendment critique is just as unpersuasive in this context as in the others. A telemarketing call is the final and most intrusive stage of the database problem, occurring sequentially after the collection of personal data by a profiling company, the use of that data to determine which consumers best fit a target profile, and the disclosure of the profile to a company that wishes to purchase it.

Unlike the three previous stages, a telemarketing call is undoubtedly “speech” within the scope of the First Amendment. As discussed supra, current doctrine answers the protection question by treating commercial speech restrictions with intermediate scrutiny by applying the four-part Central Hudson test, although the trend over the past two decades seems to be that the test is being applied with more heightened scrutiny. 302 The First Amendment interest in telemarketing is thus nevertheless greater than the corresponding interest for information collection, use, and disclosure rules.

On the other hand, the privacy interests at stake in the telemarketing context are not only stronger and more intellectually coherent, but are also more likely to resonate with a court. Although scholars have struggled to define “privacy,” there is a consensus that the general term “privacy” encompasses three separate “clusters.”303 “Substantive” or “decisional” privacy is the constitutional right to

302 See supra notes 135-138 and accompanying text.

303 See Jerry Kang, Information Privacy in Cyberspace Transactions, 50 Stan. L. Rev. 1193, 1202 (1998).

Richards Reconciling Data Privacy and the First Amendment 60

make certain fundamental decisions free from government scrutiny or interference, and embodied in cases like Roe v. Wade304 and Griswold v. Connecticut.305 “Residential privacy” refers to the privacy interest individuals have in their homes against unwanted surveillance or interference by government, businesses, or other individuals. “Data privacy” (also known as “information privacy”) refers to the notion that the rights of individuals are threatened by detailed private-sector databases containing profiles of their consumer and other preferences, including not only information about which products they use, but also potentially embarrassing information about their health, political views, or sexual predilections.

While telemarketing implicates data privacy, it also implicates residential privacy, since telemarketing disturbs individuals in the enjoyment of their homes. And unlike data privacy, which is a poorly¬articulated right, residential privacy is a robust right of constitutional magnitude that can hold its own with free speech. Indeed, the Supreme Court has long been solicitous of residential privacy as a substantial regulatory and societal interest, not just in the Fourth Amendment context,306 but also as a bulwark to other constitutional privacy rights.307 And whereas the data privacy right embodied in the disclosure tort has traditionally failed to compete with the First Amendment in cases where the two rights have come into conflict, the privacy interests inherent in the home have long been able to defeat even core First Amendment speech. As early as 1943, the Supreme Court, although it invalidated a municipal ordinance prohibiting door¬to-door distribution of handbills, nonetheless reaffirmed the right of homeowners to exclude unwanted speakers from their property.308

304 410 U.S. 113 (1973).

305 381 U.S. 479 (1965).

306 See, e.g., Kyllo v. United States, 533 U.S. 27 (2001) (well-established residential privacy of the home embodied in Fourth Amendment prevents police from using thermal imagers from public streets to view into homes)

307 See, e.g., Griswold v. Connecticut, 381 U.S. 479, 485-86 (1965) (“Would we allow the police to search the sacred precincts of marital bedrooms for telltale signs of the use of contraceptives? The very idea is repulsive to the notions of privacy surrounding the marriage relationship.”)

308 Martin v. City of Struthers, 319 U.S. 141 (1943).

Richards Reconciling Data Privacy and the First Amendment 61

The Court was more explicit in Frisby v. Schultz,309 in which it declared that

One important aspect of residential privacy is protection of the unwilling listener. Although in many locations, we expect individuals simply to avoid speech they do not want to hear, the home is different. [A] special benefit of the privacy all citizens enjoy within their own walls, which the State may legislate to protect, is an ability to avoid intrusions. Thus, we have repeatedly held that individuals are not required to welcome unwanted speech into their own homes and that the government may protect this freedom.310

As a result, when the Court in Rowan v. Post Ofice assessed a First Amendment challenge to the constitutionality of a federal law allowing homeowners to prevent companies from sending them sexually-explicit junk mail and to have their names removed from the mailing lists, it upheld the law on residential privacy grounds.311

It should therefore be no surprise that even the Tenth Circuit, which has taken a less than glossy view of data privacy in the past,312 recently upheld the FCC’s Do-Not-Call regulations of telemarketers against a First Amendment challenge. Although the district court in that case had been swayed by the First Amendment critique,313 the Court of Appeals, relying on the tradition of residential privacy upheld314 the Do-Not-Call registry against the same Central Hudson challenge that had felled the FCC’s data privacy regulations in the U.S. West case.315 Indeed, other Supreme Court precedent suggests that the intrusiveness of telemarketing makes for a cognizable harm that can be

309 487 U.S. 474 (1988).

310 Id. at 484-85 (citations omitted).

311 Rowan v. United States Post Ofice Dept., 397 U.S. 728 (1970).

312 See, e.g., U.S. West v. F.C.C., 182 F.3d 1224, 1235 (10th Cir. 1999) (“We have some doubts about whether this interest, as presented, rises to the level of ‘substantial.'”)

313 Mainstream Marketing Services Inc. v. Federal Trade Commission, 283 F.Supp. 2d 1151, 1168 (D. Colo., 2003) (holding do-not-call registry unconstitutional under Central Hudson).

314 Mainstream Marketing Servs. Inc. v. Federal Trade Comm’n, 358 F.3d 1228, 1241 (10th Cir. 2004).

315 See U. S. West v. F.C.C., 182 F.3d 1224, 1239 (10th Cir. 1999) (regulations

were not narrowly tailored and thus failed the third prong of the Central Hudson

Richards Reconciling Data Privacy and the First Amendment 62

regulated under the First Amendment, despite the fact that telemarketing is undeniably commercial speech.316

IV. THE PERILS OF VOLOKHNER

Although information flows can be regulated in the consumer privacy context under current doctrine, the First Amendment critique has nevertheless attracted many adherents. Despite its simplicity (or perhaps because of it), scholars and judges tend to find it persuasive – after all, given the central importance of the First Amendment in American political and legal culture, who wants to be against the First Amendment, in any context?317 I have suggested that one of the dangers of the First Amendment critique is that it represents a constitutionalization of a thorny and tremendously important social issue, placing that issue beyond the regulatory authority of elected legislatures. In this respect, the First Amendment critique can be located within the larger strand of First Amendment thought that believes, drawing upon libertarian theory, that the First Amendment guarantees not just freedom of speech for individuals, but also business interests, and that many economic regulations are in conflict with this view of the First Amendment. But free speech doctrine is malleable and often indeterminate, and although the First Amendment critique is shaky under current First Amendment doctrine, it is neither absurd nor lacking in facial appeal. In light of this observation, it is essential to articulate justifications against both the constitutionalization of information policy and the stretching of First Amendment doctrine into areas where it does not fit.

In this Part, I explore some of the ramifications of the First Amendment critique for free speech and rights jurisprudence generally. I have argued that much of the confusion in the law at the intersection of privacy rights and the First Amendment comes from the conceptual murkiness at the core of both privacy law and (counter¬intuitively) the First Amendment itself. First Amendment critics are

316 See, e.g., Madigan v. Telemarketing Associates, Inc., 538 U.S. 600 (2003) (First Amendment does not bar fraud claim against telemarketers who make misleading statements about the way donations would be used)

317 Cf. Schauer, First Amendment Opportunism, supra note 88, at 176 (describing the First Amendment as an argumentative “showstopper.”). One possible exception to this rule is child pornography, where even zealous First Amendment absolutists tend to get off the bus. For an explanation, see generally Amy Adler, Inverting the First Amendment, 149 U. Pa. L. Rev. 921 (2001)

Richards Reconciling Data Privacy and the First Amendment 63

quick to apply seemingly analogous doctrinal tests to privacy rules, but less able to supply jurisprudential values advanced by the critique other than a vague notion of the “freedom of information.” In fact, when looked at from the perspectives of both privacy law and First Amendment law, the First Amendment critique of data privacy rules produces serious and pernicious jurisprudential consequences. In Part A, looking at the issue from the perspective of privacy law, I examine the broader implications of the First Amendment critique and its “freedom of information” principle for information policy. In so doing, I assess the argument that the First Amendment critique is merely Lochnerism in another guise. I conclude that although there are parallels between the First Amendment critique and the traditional understanding of Lochner, recent scholarship by legal historians has complicated this sort of claim, revealing that Lochner in practice was not as doctrinally illegitimate as its critics have charged. Nevertheless, to the extent that the First Amendment critique resembles the traditional view of Lochner, this remains a fairly significant criticism, suggesting that the First Amendment critique is out of step with many basic assumptions about the First Amendment. In Section B, I look at the problem from the other side – from the perspective of First Amendment law. I argue that examining the revisionist intellectual history of Lochner reveals the real jurisprudential threat of the movement of which the First Amendment critics are a part – an obliteration of the distinction between economic and political rights that rests at the core of modern constitutionalism.

A. The First Amendment Critique and “Freedom of Information ” as Lochner

Although much is contested at the intersection of data privacy and the First Amendment, one thing at least is clear: the First Amendment critics assert that because data privacy rules violate the First Amendment, the regulation of data privacy should be placed beyond the scope of normal regulatory policy and politics. They may couch the constitutional mandate apologetically because of the need to protect other, more important values,318 or they may state it unapologetically on the grounds that freedom of information is not just a constitutional command, but also good policy,319 but the claim is unequivocally stated. Privacy scholars have failed to point out the similarities between this freedom of information theory of the First Amendment and the freedom of contract theory of Due Process

318 See, e.g., Volokh, supra note 3, at 1050-51

319 See sources cited supra notes 46-49.

Richards Reconciling Data Privacy and the First Amendment 64

embodied in the Lochner line of cases.320 This is somewhat surprising given the striking parallels between the traditional understanding of Lochnerism and the First Amendment critique.

The traditional view of Lochner goes something like this: technological advances inherent in the industrialization of America around the turn of the last century created a series of serious social and economic dislocations, such as unsafe working conditions, unfairly low wages, child labor, sweatshops, and monopolistic trade practices. Reformers including Populists and Progressives sought to remedy these problems of poor working conditions and unequal bargaining power by enacting social legislation.321 Unfortunately, Supreme Court Justices interpreted the word “liberty” in the Due Process Clauses to mean “freedom of contract,” an inalienable right possessed by both workers and employers to buy and sell their labor in a marketplace unfettered by government controls. In so doing, the judges illegitimately read their own pro-business laissez -faire views of political economy into the Due Process Clauses. As a result, this interpretation of “‘liberty of contract,’ the story goes, erected a constitutional barrier to most early twentieth century state or federal legislation directed at hours, wages, or working conditions.”322 However, less activist judges in the mid-twentieth century consigned Lochner to the doctrinal scrapheap, and today Lochner is one of the worst charges that can be leveled against a doctrine or constitutional interpretation, an unequivocal normative repudiation of “courts that appear to be substituting their own view of desirable social policy for that of elected officials.”323

From this perspective, there are some fairly strong parallels between the traditional conception of Lochner and the First Amendment critique of data privacy legislation. Both theories are jurisprudential responses to calls for legal regulation of the economic and social dislocations caused by rapid technological change. Lochnerism addressed a major socio-technological problem of the industrial age – the power differential between individuals and businesses in industrial working conditions, while the First Amendment critique is addressed to a major socio-technological

320 See Lochner v. New York 198 U.S. 45 (1905) (invalidating a New York statute setting maximum hours for bakers on due process grounds).

321 See Barry Friedman, The History of the Countermajoritarian Difficulty, Part Three: The Lesson of Lochner, 76 N.Y.U. L. Rev. 1383, 1392 (2001).

322 See White, supra note 7, at 241-42.

323 See, e.g., Friedman, supra note 321, at 1385-86 (collecting sources)

Richards Reconciling Data Privacy and the First Amendment 65

problem of our information age – the power differential between individuals and businesses over information in the electronic environment. Both theories place a libertarian gloss upon the Constitution, interpreting it to mandate either “freedom of contract” or “freedom of information.” Both theories seek to place certain forms of economic regulation beyond the power of legislatures to enact. And both theories are eagerly supported by business interests keen to immunize themselves from regulation under the aegis of Constitutional doctrine.324 To the extent that the First Amendment critique is similar to the traditional view of Lochner, then, its elevation of an economic right to first-order constitutional magnitude seems similarly dubious.

Although it might be both tempting and rhetorically effective to accuse the critics of Lochnerism and move on, in the interests of fairness and intellectual honesty it is important to admit that the conventional view of Lochner is probably quite erroneous, at least as a description of the jurisprudence in its actual operation. Legal historians examining the intellectual history of the late nineteenth and early twentieth centuries have significantly revised our understanding of not just Lochner, but also the orthodox legal epistemology that produced it and the ways in which that jurisprudential worldview evolved into the radically different vision of the Constitution and ultimately law itself that animates orthodox modern legal thought.325 Scholarship by these so-called “Lochner revisionists” has significantly revised our understanding of the intellectual contexts in which the cases were decided. Specifically, these scholars have uncovered and made great strides towards reconstructing a coherent vision of law that constituted jurisprudential orthodoxy during the late nineteenth and early twentieth centuries. Termed variously “orthodox legal thought,” “classical legal thought,” or “legal Formalism,” 326 this jurisprudential worldview was an interlocking system of doctrines327 that represented a functioning classical intellectual engine not unlike the estates system

324 See, e.g., Jack Balkin, Digital Speech and Democratic Culture: A Theory of Freedom of Expression for the Information Society, 79 N.Y.U. L. Rev. 1 (2004)

325 See, e.g., Charles W. McCurdy, The Roots of “Liberty of Contract” Reconsidered: Major Premises in the Law of Employment, 1867-1937, 1984 Y.B. of S.Ct. Hist. Soc’y 20 (1984)

326 William W. Wiecek, The Lost World of Classical Legal Thought: Law and Ideology in America, 1886-1937, at 3 (1998).

327 See Cushman, supra note 325, at 6-7.

Richards Reconciling Data Privacy and the First Amendment 66

in land law. Formalist legal theory posited that the Constitution had a fixed, essentialist, immanent meaning

Revisionist scholarship has described the formalist judges as engaging in “guardian review” in constitutional cases, glossing constitutional text with meaning derived from external sources in order to mark out the boundaries between public authority such as the police power and private rights like the liberty protected by the Due Process Clauses. Guardian review was quite different from the modern regime of bifurcated review, in which Courts do not believe that they divine law from external sources, but rather believe that they create it in many instances. Mindful of their countermajoritarian role under an epistemology where they create rather than divine law, modern courts applying bifurcated review generally treat legislative enactments regarding economic policy with deference, and only closely scrutinize enactments which interfere with political rights and thus threaten the operation of ordinary democratic processes.330 In the context of the Due Process Clauses at issue in the Lochner line of cases, the revisionists have demonstrated persuasively that these cases were not merely injections of reactionary pro-business politics into the Constitutional text, but were rather interpretations of the Constitution that were consistent with legitimate authority. Such decisions are, the revisionists argue, best explained as determined by settled existing doctrine rather than judges acting as political actors.331 Thus, as a descriptive explanation of Lochner, the behavioralist theory of “laissez-faire constitutionalism” is unpersuasive.332

Nevertheless, even in light of the tremendously valuable insights provided by the Lochner revisionists, the First Amendment critique retains enough similarities to the traditional view of Lochner

328 See White, supra note 7, at 167-70.

329 Id. at 170-74.

330 See generally White, supra note 7, at 3-4.

331 Friedman, supra note 321, at 1399-1400 (collecting sources).

332 Cushman, supra note 325, at 3,7

Richards Reconciling Data Privacy and the First Amendment 67

to be normatively questioned from a modern perspective as a jurisprudentially sound application of the First Amendment. Even if Lochner was not an illegitimate injection of pro-business libertarian ideology into constitutional decisionmaking by judges, it was widely condemned as such. Such critiques were made both by contemporaries who accused judges of importing their policy preferences and class biases into their decisions,333 as well as by later judges and scholars who replaced guardian review with bifurcated review in part in reaction to the perceived illegitimacy of Lochner. Thus, merely because the Lochner line of cases appears to have been legitimate under existing doctrine as a descriptive matter, it does not follow as a normative matter that judges should nevertheless be free to inject their view of good social and economic policy into constitutional interpretation. The Realists may have been wrong that “liberty of contract” was an empty vessel into which the policy preferences of conservative judges were poured, but this does not mean that judges today can legitimately pour ideological content into the Constitution to void the economic policy of elected representatives. To the extent that the First Amendment critique suggests judges should do something similar in the database context through shaky interpretations of the First Amendment as embodying a “freedom of information” rationale, such an assertion would be similarly illegitimate. In this regard, the traditional modern normative commitment against placing social and economic problems beyond the reach of democratic regulatory politics would still counsel against taking the First Amendment critique at face value.

Alternatively, one could also accept the insights of the Lochner revisionists and still quite rationally decide that Lochnerism (and thus the First Amendment critique) is as illegitimate as the conventional view would suggest for a couple of other reasons. First, as William Wiecek has argued, legal Formalism presented a worldview that was attractive to lawyers because it protected wealth and placed the regulation of property rights beyond the power of legislatures to redistribute.334 Thus, the reconstruction of the doctrinal coherence of Lochner would not displace the suggestion that lawyers could find Formalist jurisprudence attractive because it produced outcomes they favored.

333 See Friedman, supra note 321, at 1420-28.

334 See Wiecek, supra note 326

Richards Reconciling Data Privacy and the First Amendment 68

Second, even if Lochner was legitimate under established doctrine, it could nevertheless be illegitimate for other reasons. Barry Friedman has argued that even though the Lochner line of cases was consistent with Formalist doctrine, the jurisprudence was widely criticized as illegitimate by the larger public.335 Like Wiecek’s lawyers who found Lochner attractive because of its outcomes, Progressive critics also repudiated it because it created outcomes they found unjust. Friedman draws a distinction between “legal legitimacy” – whether legal decisions have “an established jurisprudential basis” – and what he calls “social legitimacy” – an inquiry that “looks beyond jurisprudential antecedents of constitutional decisions and asks whether those decisions are widely understood to be the correct ones given the social and economic milieu in which they are rendered.”336 Friedman points to the widespread contemporary popular disagreement with the outcomes of liberty of contract cases as an example of such illegitimacy.337 And in the modern context, the enormous public outcry and prompt Congressional action surrounding the judicial invalidation of the FCC’s “Do Not Call” list similarly suggests that there is little tolerance today for constitutionalizing information policy.

The parallels between the First Amendment critique and the traditional view of Lochner are not perfect, but they should at least serve to caution us against an uncritical acceptance of the First Amendment critique. The database problem represents a particularly thorny instance of a socioeconomic problem created by rapid advances in technology. Just as no simple regulatory solution is likely, so too is no simple constitutional solution likely to produce an optimal result. Where both coverage of the First Amendment and doctrine are unclear, facile mantras of simplistic constitutionalism like “freedom of information” are particularly ill-suited to resolve a complex problem in a means that is satisfactory to society as a whole. As I have argued above, it would be a great tragedy for the continued ascendance of the First Amendment critique to handicap or prohibit elected policymakers from exploring such a difficult question of social and economic policy.338

335 See Friedman, supra note 321, at 1453-56.

336 See id.at 1386-87.

337 Id.

338 See supra notes 28-39.

Richards Reconciling Data Privacy and the First Amendment 69

B. The First Amendment Critique and the Bifurcated Review Project

If the jurisprudential problems caused by the First Amendment critique seem significant from the perspective of privacy law, they are even more dire from the perspective of First Amendment law. Indeed, the same intellectual history of rights jurisprudence which complicates the traditionalist view of Lochner brings the real jurisprudential threat of the First Amendment critique into sharp focus. At stake in the database debate is not merely whether data privacy rules can be enforced consistent with the First Amendment, but rather what sorts of rights the First Amendment protects at all. At bottom, the First Amendment critique proffers a robust rationale of freedom of information that threatens the very structure of modern rights jurisprudence – the bifurcated system of judicial review that defers to legislatures with respect to economic rights but treats laws infringing upon political rights with greater scrutiny.

Modern legal historians have devoted significant attention to the task of reconstructing the jurisprudential universe of legal Formalism that produced Lochnerian rights jurisprudence, but have spent far less time examining the ways in which the Supreme Court laid the foundations for the rights jurisprudence that replaced it.339 As I have suggested elsewhere, much of this work was done by the Court in a series of cases that roughly corresponded with the Second World War, many of which involved Free Speech and Free Exercise challenges brought by the Jehovah’s Witnesses.340 Only a handful of modern scholars have devoted much serious effort to reconstructing this critical episode in the intellectual history of American law, but the work they have done sheds significant light on the origins of modern rights jurisprudence.

This revisionist rights scholarship has shown how the Supreme Court used the First Amendment as a bridge between the old regime of guardian review and the modern regime of bifurcated review.341 The Court outlined this new approach in “famous footnote four” of the 1938 case of United States v. Carolene Products,342 which posited a

339 See Richards, supra note 131, at 781-82. For exceptions, see Tony A. Freyer, The First Amendment and World War II, 1996 J. Sup. Ct. Hist. 83

340 See id.

341 See White, supra note 7, at 128-63

342 304 U.S. 144, 152 n.4

Richards Reconciling Data Privacy and the First Amendment 70

relaxed standard of review for economic regulation but a more stringent standard of review for laws that infringed upon rights guaranteed by the text of the Bill of Rights or otherwise interfered with the democratic process.343 As G.E. White explains, this system of “bifurcated review” embodied two of the central assumptions of the new jurisprudence:

By fostering judicial deference in the area of economic regulation, the project embraced the perceived truth that unregulated economic activity actually infringed upon the freedom of a significant number of actors in the economic marketplace and reinforced rational regulatory policies that were based upon that truth. By fostering judicial scrutiny of legislative restrictions on speech and other noneconomic liberties, the project underscored the centrality of freedom as a modernist goal, at least when freedom could be associated with the goals of democratic theory.344

Central to the dualism at the core of the new system of judicial review was a strict separation between economic and political rights. Thus, as noted above, 345 the Supreme Court initially excluded commercial speech from heightened First Amendment protection in Valentine v. Chrestensen346 and Breard v. Alexandria,347 in order to maintain this separation. In another case involving the distribution of literature, Justice Douglas drew a sharp distinction between religious texts covered by “the privileges protected by the First Amendment” versus advertising, which he dismissed as “the wares and merchandise of hucksters and peddlers.”348

The sharp line between economic and political rights critical to the intellectual coherence of bifurcated review has persisted, though it perhaps has not endured with the precise clarity that its drafters intended. Indeed, it is in the advertising cases that the greatest blurring of the line between political and economic rights has occurred. After a series of cases indicating that certain forms of advertising associated with the rights protected in Griswold and Roe warranted heightened scrutiny, the Court in Virginia Pharmacy brought “commercial speech” within the scope of the First Amendment.34 9 In drafting the opinion of the Court, Justice Blackmun was confronted with the

343 See Richards, supra note 131, at 784.

344 White, supra note 341, at 309.

345 See supra note 135 and accompanying text.

346 316 U. S. 52 (1942).

347 341 U.S. 622 (1951).

348 Murdock v. Pennsylvania, 319 U.S. 105 (1943).

349 Virginia State Bd. Of Pharm. v. Virginia Citizens Consumer Council, 425 U.S. 748, 762-63 (1976).

Richards Reconciling Data Privacy and the First Amendment 71

conceptual problem that as an economic right, the right to advertise was not supported by any of the existing justifications for free speech. He solved this problem by making one up, asserting that “[a]s to the particular consumer’s interest in the free flow of commercial information, that interest may be as keen, if not keener by far, than his interest in the day’s most urgent political debate. … Generalizing, society also may have a strong interest in the free flow of commercial information. Even an individual advertisement, though entirely ‘commercial,’ may be of general public interest.” Blackmun went on to add:

Advertising, however tasteless and excessive it sometimes may seem, is nonetheless dissemination of information as to who is producing and selling what product, for what reason, and at what price. So long as we preserve a predominantly free enterprise economy, the allocation of our resources in large measure will be made through numerous private economic decisions. It is a matter of public interest that those decisions, in the aggregate, be intelligent and well informed. To this end, the free flow of commercial information is indispensable.350

Taken at face value, Blackmun’s rationale for heightened constitutional protection for commercial advertising threatened to dissolve the line between economic and political speech, and with it any distinction between economic and political rights. In so doing, he opened the door to the resuscitation of Lochner-style economic rights (or at least the traditional understanding of those rights). This fact was not lost on a few contemporary observers, be they dissenting members of the Court351 or scholarly commentators.352 Indeed, in the aftermath of the decision, observers predicted the expansion of First Amendment analysis to other areas of business speech regulation like securities law. 353

350 Id. at 763-65.

351 See id. at 783-84 (Rehnquist, J., dissenting) (“The Court speaks of the importance in a ‘predominantly free enterprise economy’ of intelligent and well¬informed decisions as to allocation of resources. While there is again much to be said for the Court’s observation as a matter of desirable public policy, there is certainly nothing in the United States Constitution which requires the Virginia Legislature to hew to the teachings of Adam Smith in its legislative decisions regulating the pharmacy profession.”)

352 See, e.g., Thomas H. Jackson and John C. Jeffries, Commercial Speech: Economic Due Process and the First Amendment, 65 Va. L. Rev. 1, 40 (1979) (characterizing the case as “the revivification of economic due process in the guise of commercial speech”).

353 See Schauer, supra note 91, at 1780 (collecting sources).

Richards Reconciling Data Privacy and the First Amendment 72

However, the fears raised by these commentators failed to materialize. The line between economic and political rights has persisted, and remains central to the continued coherence of the modern system of bifurcated review. An expansive reading of Virginia Pharmacy as opening the floodgates to heightened review for other economic speech rights besides advertising was rejected, and the dividing line between economic and political rights was shored up in its new location, with commercial advertising placed upon the political rights side of the line. Thus, the feared treatment of securities speech as commercial speech did not come to pass, and the large categories of speech that fall outside the scope of the First Amendment have not been subjected to heightened constitutional review.354 Although the balance is a delicate one, non-advertising speech in the commercial context continues to be assessed with the rational basis review afforded to the other economic rights under the bifurcated review project.355

Looking at the issue from such a perspective allows us to fully appreciate the threat to the modern scheme of rights jurisprudence represented by the First Amendment critique – an attempt to clothe economic rights with the garb of political rights that would destroy the basic dualism on which the edifice of modern rights jurisprudence is built. This may not be the intent of the critics, but would be the likely effect of their success. In the database context, this might mean only that nondisclosure rules are treated with heightened scrutiny, but the advancement of a principle of freedom of information as a full¬blooded rationale for heightened First Amendment scrutiny would not be limited merely to that context. Every regulation that could be classified as restricting “speech” or information flows would be brought within the scope of First Amendment heightened review. Indeed, much of Volokh’s own First Amendment scholarship in addition to his influential privacy article has tracked such a prediction, subjecting previously non-salient areas of speech regulation to more searching doctrinal analysis.356

354 See id.

355 See id. at 1783-84.

356 See, e.g., Eugene Volokh, Speech as Conduct: Generally Applicable Laws, Illegal Courses of Conduct, “Situation-Altering Utterances,” and the Uncharted Zones (forthcoming)

Richards Reconciling Data Privacy and the First Amendment 73

A reasonable person could certainly argue that the First Amendment should apply to everything that the dictionary might deem to be “speech.” It might also be reasonable to argue that information flows generally should be treated to heightened constitutional protection, although this would complicate regulation of not only the database problem but also the entire information economy, with spillover effects into areas such as intellectual property.357 However, such a system would not be our system, and it would likely mean the end of bifurcated review’s distinction between political and economic rights. If we are to make such a change legitimately and coherently, it should come overtly, rather than by allowing the Virginia Pharmacy rationale of freedom of information to gradually undermine the distinction between political and economic rights.

CONCLUSION

Over four decades ago, before the advent of the Internet or the introduction of freedom of information as a theoretical justification for the First Amendment, Thomas Emerson examined the intersection of privacy and the First Amendment. Emerson noted that

[a]ny society sincerely interested in protecting the right of privacy is hardly likely to be at the same time hostile to the right of free expression. Both interests tend to have the same friends and the same enemies. The chief danger is that the right of privacy will be used as a screen, by those not really interested in either interest, to infringe upon legitimate expression. This danger can be met if the courts actively insist upon a careful definition of a genuine right of privacy and upon a fair accommodation of the two interests.358

Emerson had in mind the same paradigmatic privacy case as his contemporary Prosser – the case against a newspaper for publishing private facts.359 However, the data privacy cases envisioned by the First Amendment critics are in some respects the mirror image of what Emerson describes. In these cases, the First Amendment is being used as the screen, to infringe upon legitimate modes of government privacy regulation.

Freedom of Speech and Independent Judgment Review in Copyright Cases, 107 Yale L.J. 2431 (1998) (with Brett McDonell)

357 file-trading constitutionally privileged? Sct has rejected this principle in Eldred 1A section.

358 Thomas I. Emerson, Toward a General Theory of the First Amendment 76 (1963).

359 See supra note 259.

Richards Reconciling Data Privacy and the First Amendment 74

This Article has attempted to follow Emerson’s advice in the modern context, and argue that when we subject both data privacy regulations and the First Amendment to careful scrutiny, they can be reconciled without sacrificing either. Furthermore, the real danger presented by the tension between privacy and the First Amendment is not that we must choose one over the other, but that we must instead avoid constitutionalizing important public law issues. Lurking behind the façade of seemingly neutral arguments by First Amendment critics is a theory of free speech and rights jurisprudence more generally that has the potential to topple the edifice of modern constitutionalism. If we do not reject such a theory, we may lose both our “genuine right of privacy” and our system of bifurcated review, under which civil and political rights are protected from legislatures, but economic rights are generally left to resolution by the political process.

At the level of policy, however, resolving the conceptual problem does little to reduce the complexity of the database problem. Indeed, looking at the constitutional issues in the way I propose only allows policymakers to face the true challenges of the database problem and the regulation of information flows. Such a challenge will likely be as thorny in the information age as the problem of regulating industrial capitalism has been for over a century. And there are likely to be no easy answers to this new problem. In fact, in many instances freedom of information may well be the best policy