We often regulate actors as a proxy for protecting categories of information. Rather than directly protect reading records, for example, we target actors like libraries who are likely to possess them. This approach has proven increasingly untenable in the digital age, where the relevant actors are difficult to identify and constantly shifting. Unanticipated third parties now insert themselves as intermediaries or eavesdroppers in all manner of transactions, even in protected spaces like libraries. Where this happens, actor-defined regimes fail to vindicate their privacy commitments even within the institutions for which they were designed.
Libraries provide a clear example of this problem. Private reading historically has been protected through a regime that restricts libraries’ ability to exploit reading records. Yet this regime now fails to protect reading records even in libraries because it does not bind third parties who provide library services digitally. Illustrating the point, Amazon facilitates e-book lending for a number of public and academic libraries. Although Amazon collects detailed reading records from patrons utilizing these services, the library confidentiality regime does not restrict what it can do with the records. These patrons accordingly confront the risks to intellectual privacy the library regime was meant to counter.
This Article proposes a content-defined approach whereby confidentiality obligations would attach to particular types of information regardless of which actors possessed it. Such an approach would not only save extant confidentiality regimes from obsolescence, but also provide a vehicle for extending privacy commitments to future data practices that implicated the same types of sensitive records.
