Countless high-profile abuses of user data by leading technology companies have raised a basic question: should firms that traffic in user data be held legally responsible to their users as “information fiduciaries”? Privacy legislation to impose fiduciary-like duties on data collectors enjoys bipartisan support but faces strong opposition from scholars. First, critics argue that the information-fiduciary concept flies in the face of fundamental corporate law principles that require firms to prioritize shareholder interests over those of consumers. Second, it is said that the overwhelming self-interest of large technology companies makes fiduciary loyalty impossible as a practical matter from the outset.
This Essay finds neither objection convincing. The first objection rests on a mischaracterization of corporate law, which in reality would require compliance with user-regarding fiduciary obligations—the opposite of what critics fear. The second objection fails to convince because fiduciary law has proven itself adaptable enough to survive such challenges in other settings, such as in the asset management industry. The second objection nevertheless reveals a need for greater specificity about the scope and intensity of fiduciary duties that would be imposed under the information-fiduciary model. Even so, neither objection plausibly undermines the model.