The Privacy “Duty of Loyalty”

The draft American Data Privacy and Protection Act has a section called “duty of loyalty.” What the heck is that?

In the draft, it’s a collection of specific requirements to minimize data collection and prohibit the use and transfer of Social Security numbers, precise geolocation, etc. See Sections 101, 102, 103 in the Discussion Draft.

But the “duty of loyalty” as a data privacy concept is broader. It means that data collectors must use data in a way that benefits users and places users’ interests above the collector’s interest in making a profit, much like the duty of loyalty (or fiduciary duty) that a lawyer owes to a client.

Neil M. Richards and Woodrow Hartzog explain the concept in a 2021 paper:

Put simply, under our approach, loyalty would manifest itself primarily as a prohibition on designing digital tools and processing data in a way that conflicts with a trusting party’s best interests. Data collectors bound by such a duty of loyalty would be obligated to act in the best interests of the people exposing their data and engaging in online experiences, but only to the extent of their exposure. 

A Duty of Loyalty for Privacy Law at 966.

Richards and Hartzog suggest that a broad duty of loyalty combined with specific prohibitions against especially troubling practices would work like other areas of regulation (e.g., “unfair and deceptive trade practices”).

But although the American Data Privacy and Protection Act refers to this concept, the broad duty of loyalty is not (yet) part of the draft.