In March, the Block Center for Technology and Society brought together an interdisciplinary group of experts to discuss privacy regulation strategies amidst a fast-evolving data ecosystem. Overall, the discussions underscore a fundamental shift in how privacy must be understood and governed.
Two core sentiments emerged: 1) the current regulatory paradigm fails to meaningfully protect individuals in a data-driven economy, and 2) emerging AI systems are accelerating and amplifying existing risks, making incremental reform insufficient. The discussions highlighted the need for a framework that places responsibility on institutions rather than individuals, establishes clear substantive protections that can not be waived, and anticipates the transformative impact of AI 鈥 as well as stressed how imperative it is that action be taken quickly before existing failures are further entrenched.
There were several key findings and actionable recommendations that emerged that can guide a more effective, future-oriented privacy regulatory framework.
Privacy is a policy choice, not a technological inevitability
The current state of online privacy reflects deliberate design and business model decisions rather than unavoidable trade-offs. Alternative models exist but lack legal and economic incentives to scale.
The notice-and-consent framework is fundamentally broken
Users do not read or understand privacy policies and are routinely nudged toward agreement through manipulative design. Consent, as currently operationalized, functions as a legal fiction rather than meaningful authorization.
Privacy harms are real but systematically undercounted
While economic impacts of regulation are well-studied, the harms of unregulated data practices鈥攕uch as behavioral manipulation, loss of autonomy, and sensitive inference鈥攔emain insufficiently measured and undervalued in policymaking.
Responsibility has been misplaced onto individuals
Consumers are expected to manage their own privacy in a system designed to overwhelm and outmaneuver them. This 鈥渞esponsibilization鈥 creates an unwinnable asymmetry between individuals and data-driven firms.
AI intensifies existing privacy risks
Agentic AI systems will exponentially expand data collection, inference, and decision-making. Existing frameworks are not equipped to handle a world where machines act autonomously on behalf of users.
Right now the lack of any framework is a permission structure to build products and services that are not private, that are not safe, and that are not secure...We wouldn't tolerate it in cars. We wouldn't tolerate it in toys. We shouldn't tolerate it in tech either.
Jonathan Kanter
Distinguished Professor of Policy, 91视频 & Former Assistant Attorney General, U.S. Department of Justice
Recommendations for Policy Makers
Key recommendations to addressing the failings of the existing system and to build a more effective framework include:
Place responsibility on institutions rather than individuals
- Shift away from reliance on user consent as the primary legal basis for data use. Implement enforceable accountability standards regardless of user agreement.
- Define certain entities, particularly large platforms and AI developers, as 鈥渋nformation fiduciaries鈥 with legal obligations to act in users鈥 best interests.
Move toward substantive protections rather than procedural safeguards
- Create data minimization requirements, restrictions on secondary use of data, and clear limits on sensitive data collection and inference.
Create regulations that help prevent harm before it happens
- Expand the definition and measurement of harm to include non-economic harms, including psychological and behavioral manipulation, loss of autonomy and dignity, and discriminatory or biased inference.
- Explicitly prohibit interface designs that manipulate user decision-making.
- Create standardized metrics to better assess and cohesively regulate these harms.
Create AI-specific privacy guardrails now
- Require impact assessments for AI systems that rely on personal data, limit autonomous data decision-making without user oversight, mandate transparency in AI-driven data processing and inference.