Privacy Regulation Is Broken — Here Is a Fix That Actually Works

Giving people control of their personal data is not working. That is the argument from Daniel Solove, a leading privacy scholar, writing in the Wall Street Journal. His solution is simpler: hold companies accountable for what they do with that data.

Solove argues that the current approach to privacy regulation is backwards. We ask individuals to manage their own privacy by reading consent forms, adjusting settings, and opting in or out of data collection. In practice, almost no one does this effectively. The forms are too long, the settings are too complex, and the consequences of a wrong choice are invisible.

Instead, Solove proposes a model closer to how we regulate food and drug safety. You do not need to be an expert in food science to buy groceries. The system ensures the food is safe before it reaches you. Privacy should work the same way.

What accountability looks like

Solove outlines several measures that would shift responsibility from individuals to companies. First, rigorous data minimisation — companies should collect only the data they genuinely need, not everything they might possibly want.

Second, fiduciary duties for companies that handle personal data. This is a legal obligation to act in the best interests of the person whose data you hold, similar to how doctors and financial advisors must put their clients first.

Third, liability for negligent or reckless technological design. If a company builds a system that harms people through poor design choices, it should be held responsible — regardless of whether users “consented” in a terms-of-service agreement.

Fourth, liability for algorithms that cause harm. If an AI system discriminates, defrauds, or injures, the company that deployed it bears responsibility, not the user who clicked “agree”.

Finally, multi-stakeholder review of new technologies before they are deployed at scale. This would catch problems before they affect millions of people rather than after.

Why the old model is failing

The current privacy framework relies on notice and consent. Companies tell you what they will do with your data, and you agree or walk away. In theory this gives you control. In practice it is a fiction.

Studies consistently show that people do not read privacy policies. A typical policy takes 15-30 minutes to read. Most people would need to read dozens of them per year. Even if they did, the language is deliberately vague, making it impossible to know exactly what will happen to the data.

The result is a system where companies collect massive amounts of data with minimal real consent, and individuals bear the consequences of misuse. Solove’s argument is that this is not a failure of individual responsibility. It is a failure of regulatory design.

What this means for businesses

For any business that collects customer data — which is most businesses — Solove’s argument has practical implications. The direction of regulation is moving toward accountability, not just disclosure.

That means you should ask: if a regulator looked at how we handle customer data, would we pass? Do we collect data we do not need? Do we have clear processes for data minimisation? Could an algorithm we use cause harm, and if so, who is responsible?

Companies that treat privacy as a compliance checkbox are already behind. The companies that will thrive are the ones that treat data responsibility as a core operating principle, not a legal obligation to be met minimally.

Bottom line

The privacy debate is shifting from individual consent to corporate accountability. Solove’s argument — treat data companies like food companies — is gaining traction. Businesses that get ahead of this shift will face less regulatory risk and earn more customer trust.

The practical starting point: collect less data, be transparent about what you use, and take responsibility for what your algorithms do. That is the future of privacy regulation, whether the laws change tomorrow or in five years.