Publication Date



When the European Union’s (EU) General Data Protection Regulation (GDPR) passed in 2016, it represented the world’s first major comprehensive data privacy law and kicked off a conversation about how we think about the right to privacy in the modern age. The law granted a broad range of rights to EU citizens, including a right to have companies delete data they collect about you, a right not to have your personal information sold, and a range of other rights all geared towards individual autonomy over personal data. All the while, platform companies like Facebook (Meta), Apple, and Amazon have taken advantage of a phenomenon called spontaneous deregulation to outrun legislation designed to regulate data privacy. Spontaneous deregulators take advantage of the inherent gap between the speed at which technology advances and the comparatively languid pace at which legislatures try to keep up. The deregulators do this through co-opting discourses about privacy and pitching a selfregulatory system in which they are entrusted with personal data that they have an inherent profit motive to capitalize on. In today’s economy, data is eminently valuable—trusting a system of deregulation creates unacceptable conflicts of interest at best and a predatory system of data mining at worst. This Note advocates for robust privacy legislation that takes full advantage of the expressive function of the law—the aspect of lawmaking that shapes and protects valuable social norms— to meaningfully protect individual data privacy rights from corporate deregulators. By placing social values and human rights at the forefront, expressive law makes it more difficult for deregulators to obfuscate the purposes and messaging of privacy.