Consumer Privacy, Privacy Regulation, Privacy Penalties, General Data Privacy Regulation, GDPR, Information Privacy, Big Tech, Small Businesses, Empirical Legal Studies, Privacy Penalty Overbreadth, Safe Harbors, Regressive Risks of Privacy Penalties, Privacy Harms

Document Type



How to frame privacy penalties to protect our personal information is an important question as demands for legislation and proposals proliferate. The predominant assumption in calls for a comprehensive consumer privacy regime is that regulation and penalties arm the consumer David against Goliath businesses. Missing in the focus on powerful companies is attention to the potential harms of expanding privacy penalties for small-fry individuals and entities, especially from disfavored or marginalized groups. This article is the first to illuminate the regressive risks of privacy penalties, showing how broad privacy penalties can become tools for harassment of small businesses and individuals with limited resources to defend.

Drawing on original research collecting and coding 571 privacy penalty decisions from 20 nations under the world’s toughest privacy rights and penalties regime, the European Union’s General Data Privacy Regulation (GDPR), this article offers cautionary lessons. Illuminating a shadow jurisprudence of small targets, the article shows how overly broad, amorphously worded privacy penalty provisions can be used to target disfavored groups and create weapons for the disgruntled, such as punishing people who record the police or in disputes between neighbors.

The article offers three major principles to protect against targeting harms. First, the article argues against vague broad language in framing penalty-backed obligations to curb discretion to harass and target disfavored groups. Second, the article argues for a regulatory agency model with an explicit advisory role rather than a predominantly quasi-prosecutorial role. Third, the article proposes safe harbors for individuals and small businesses and a complementary understanding that even seemingly minor penalties can carry major collateral consequences for the vulnerable.

Included in

Privacy Law Commons



To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.