Information About Data

Mihailis E. Diamantis, Chen Sun, Rishab Nithyanand
28 Yale J.L. & Tech. 238

Deterrence-based approaches to privacy enforcement rely on an overlooked and often false premise—that firms know what their own data practices are. There is good reason for skepticism because operational information tends to become siloed within firm subunits. Information about data management is no different. Firms may neglect to memorialize relevant information in reports for internal distribution. And even if such reports are generated, they may not be presented in a manner that is intelligible across firm constituencies. This paper looks outside of privacy law for a solution. Recent scholarship on securities disclosures has highlighted the variety of goals that disclosures serve. While the traditional purpose of financial disclosures is to inform outside investors, the process of preparing disclosures has beneficial internal effects too. It forces firms to study their own financial health and ensures that relevant corporate units are apprised of the results. Mandatory disclosures about corporate data practices could have similarly beneficial effects. While some states already require firms to publish generic information about data practices to consumers, these disclosures lack basic attributes that make financial disclosures effective—they lack detail, no human signs them, and they are not filed with any state authority. Securities-style disclosures hold more promise. By carefully tailoring the content, format, and required signatories of data practice disclosures, authorities could force firms to generate, translate, and internally propagate important information about data. Firms that actually know what they are doing with data are more susceptible to efforts aimed to deter data misuse.