Why Giving Users 'Control' Over Data Won't Fix AI-Era Privacy
Legal scholar Daniel Solove argues in the Wall Street Journal that consent-based privacy law has failed — and that AI makes the case for regulating companies directly, the way food and drug law does.
Key Takeaways
- Law professor Daniel Solove argues that the dominant privacy model — give users notice, consent, and control — has failed and cannot scale to AI-era data processing.
- He proposes an accountability model instead: rigorous data minimization, fiduciary duties on companies, and liability for negligent design or harmful algorithms, modeled on food and drug regulation.
- He also calls for multi-stakeholder review of AI technologies before deployment, shifting the burden of proof from individual users to the organizations building the systems.
- For security and compliance teams, the piece is a signal that AI governance frameworks are moving from disclosure-based checklists toward provable, auditable accountability controls.
Cryptographer and security commentator Bruce Schneier used his blog to highlight a Wall Street Journal opinion piece by George Washington University law professor Daniel Solove, built on his academic paper. Solove's argument is simple but structurally important for anyone building AI governance programs: the privacy model most laws are built on — give people notice, ask for consent, let them "control" their data — does not work in an era where AI systems ingest, infer, and re-derive personal information at a scale no individual can meaningfully review.
The control model was already straining before AI
Consent-and-control regimes (the backbone of frameworks like GDPR's lawful-basis provisions and most US state privacy laws) assume a person can understand what data is collected, why, and what happens to it downstream. Solove's point, as summarized by Schneier, is that AI breaks that assumption even further: models trained on personal data can infer new sensitive attributes, repurpose data far from its original collection context, and make consent forms functionally meaningless. Asking users to police this through opt-outs and privacy dashboards puts the burden in the wrong place.
An accountability model borrowed from food and drug law
Instead, Solove argues for regulating the companies building and deploying these systems directly — the same logic used for food and drug safety, where the burden sits on manufacturers, not consumers reading ingredient labels. His proposed mechanisms include:
- Rigorous data minimization — collect and retain only what a system genuinely needs, rather than defaulting to broad collection with consent as the fig leaf.
- Fiduciary duties for companies handling personal data, obligating them to act in users' interest rather than merely disclosing what they do.
- Liability for negligent or reckless technological design, treating unsafe data architecture the way product-safety law treats a defective device.
- Liability for algorithms that cause harm, independent of whether a user ever "consented" to the processing that produced the harm.
- Multi-stakeholder review of technologies before deployment, rather than after-the-fact enforcement once harm has already occurred.
Why this matters beyond the legal debate
Regardless of whether Solove's specific proposals become law, the direction of travel matches what security and governance teams are already seeing in emerging AI regulation: frameworks like ISO/IEC 42001, the EU AI Act, and sectoral rules such as DORA increasingly expect organizations to demonstrate accountability through documented risk assessment, design review, and ongoing monitoring — not just a privacy policy and a consent banner. A regulator or auditor asking "can you show your data minimization decisions?" or "who reviewed this model before deployment?" is functionally asking for the same evidence Solove's accountability model would require.
For teams building or deploying AI systems, the practical takeaway is to treat data minimization, design review, and pre-deployment risk assessment as engineering requirements now, ahead of any specific new liability regime — because the compliance direction across multiple jurisdictions is converging on exactly that.
Frequently Asked Questions
What is Daniel Solove's main argument about AI and privacy?
Solove argues that privacy laws relying on user consent and control are ineffective in the AI era, because AI systems process and infer personal data at a scale individuals cannot meaningfully review or opt out of. He proposes regulating companies' conduct directly instead, similar to food and drug safety law.
What specific measures does Solove propose instead of consent-based privacy law?
He proposes rigorous data minimization, fiduciary duties on companies handling personal data, liability for negligent or reckless technological design, liability for algorithms that cause harm, and multi-stakeholder review of technologies before deployment.
How does this relate to existing AI governance frameworks like ISO 42001?
Frameworks such as ISO/IEC 42001 and the EU AI Act already push organizations toward documented risk assessment, design review, and monitoring rather than disclosure alone — the same accountability evidence Solove's proposed model would require, making his argument a preview of where compliance expectations are heading.
Sources
- 1Protecting Privacy in an AI Era — Schneier on Security
- 2AI Privacy Laws Need to Focus on Companies, Not Just Data — The Wall Street Journal
- 3Solove's underlying academic paper — SSRN