Submit to Digest

The All-or-Nothing Approach to Data Privacy: Sorrell v. IMS Health, Citizens United, and the Future of Online Data Privacy Legislation

Commentary Notes First Amendment

I. Introduction: Not all data uses are created equal.

Google recently introduced a new social networking tool called the Google+ project, which capitalizes on the fact that consumers want more control over whom they share their personal information with online. Google+ allows users to set up separate groups—such as a group for friends, a group for family, and a group for coworkers—and then share different information with each group. This recognizes a simple fact of life: As Google puts it, “[n]ot all relationships are created equal.” The popularity of the national Do Not Call Registry, which prohibits telemarketers from calling phone numbers listed in the registry, is another example of consumers’ desire to keep particular groups of people, such as telemarketers, from using their personal data.

In Sorrell v. IMS Health, however, the Supreme Court held that the First Amendment did not allow the government to regulate speech on the basis of the types of categorical distinctions between speakers that consumers make all the time. Invalidating a Vermont statute that prohibited data mining companies from using physician prescription data for marketing purposes, the Court held that the government could not engage in “content” or “viewpoint” discrimination against marketers by prohibiting the commercial use of this data while permitting its non-commercial use. Sorrell at 2659, 2663-64.[1] This ruling, which seemingly has its roots in the Court’s Citizens United decision, eviscerates the commercial speech doctrine—the First Amendment doctrine governing speech with a commercial viewpoint and content—by effectively holding that the government cannot regulate commercial speech, such as marketing, differently than other types of speech just because the speaker is a corporation or the content of the speech is commercial.

If Sorrell applies to the world of online data, then the Court leaves legislatures with difficult choices when it comes to regulating data privacy. Under Sorrell, legislatures cannot regulate the commercial use of data any differently than its non-commercial use. This means that proposed legislation such as the Commercial Privacy Bill of Rights Act of 2011 (“Commercial Privacy Bill”), which aims to do precisely the opposite, would likely not pass constitutional muster. Instead, legislatures may have to consider universal opt-in or opt-out schemes, under which consumers could individually opt in or out of the use of their personal data for any purpose, not just commercial use. In its opinion, the Sorrell Court mentioned HIPAA, the Health Insurance Portability and Accountability Act of 1996, which requires all consumers to receive and acknowledge notice of the ways in which health care providers may use their personal data, approvingly in this context. However, both opt-in and opt-out data privacy schemes may negatively affect innovation, research, and even privacy. If legislatures choose to pass consumer data privacy laws in the wake of Sorrell, they will face difficult choices between competing values and may ultimately leave consumer data privacy up to the market. 

II. Prohibiting legislatures from discriminating based on a speaker’s corporate viewpoint, Sorrell finds its roots in Citizens United.

Sorrell represents a break from commercial speech doctrine precedent in two ways: It holds that legislatures cannot regulate commercial speech based on either its corporate viewpoint or its commercial content. See Sorrell at 2677 (Breyer, J., dissenting). While Justice Breyer expressed surprise at the majority’s holding in Sorrell, stating that “neither of these categories—‘content-based’ nor ‘speaker-based’—has ever before justified greater scrutiny when regulatory activity affects commercial speech,” id., the majority’s prohibition of speaker-based regulation finds its roots in Citizens United. In Citizens United, the Court rejected the idea that legislatures could impose different requirements on corporate political speech simply because the speaker was a corporation. Darrell Menthe has suggested that this holding might impact the commercial speech doctrine by “radically affirm[ing] that the First Amendment must be neutral as between different speakers . . . . Although directed at political speech, Citizens United has broad implications for commercial speech doctrine. It means that the basis for treating commercial speech differently must be its content, not its corporate authorship.” Darrell Menthe, 38 Hastings Const. L. Q. 131, 133 (2010). Thus while Sorrell represents a break with previous commercial speech doctrine precedent, Citizens United provided the theoretical underpinnings for this departure.

Parallel reasoning behind the Sorrell and Citizens United decisions demonstrates how the Court’s holding in Sorrell grew out of its opinion in Citizens United. In Citizens United, the Court rejected a law targeting corporate political speech, stating that there is no basis for “the argument that political speech of corporations or other associations should be treated differently under the First Amendment simply because such associations are not ‘natural persons’” or “the proposition that, in the political speech context, the Government may impose restrictions on certain disfavored speakers.” Citizens United at 883, 900. In Sorrell, the Court similarly rejected a law targeting commercial speech by focusing on how corporate marketers are “disfavored” and face “discrimination” under the law and on how the law uniquely targets corporations: “The explicit structure of the statute allows the information to be studied and used by all but a narrow class of disfavored speakers.” Sorrell at 2668.

Both cases reject attempts to justify differential treatment of corporate speakers based on their ability to influence discourse. In Citizens United, the Court held that the government could not regulate corporate political speech as a way to “prevent corporations from obtaining ‘an unfair advantage’ . . . by using ‘resources amassed in the economic marketplace.’” Citizens United at 904. In Sorrell, the Court applies this same idea to commercial speech, focusing on how the Vermont legislature could not justify its data mining statute as a way of “diminishing” pharmaceutical marketers’ “ability to influence prescription decisions.” Sorrell at 2670. As the Sorrell Court memorably stated, “the fear that speech might persuade provides no lawful basis for quieting it.” Id.

The similarities between the dissenting justices’ arguments in Citizens United and Sorrell further suggest that Citizens United laid the groundwork for Sorrell. In Citizens United, Justice Stevens stated that “[t]he majority’s approach to corporate electioneering marks a dramatic break from our past,” in which the Court has “accepted the legislative judgment that the special characteristics of the corporate structure require particularly careful regulation.” Citizens United at 930 (Stevens, J., concurring and dissenting) (quotations omitted). In Sorrell, Justice Breyer similarly emphasizes the majority’s break with precedent, stating that there is no instance in which “this Court ever previously applied any form of ‘heightened’ scrutiny in any even roughly similar case,” and also suggests that the majority’s decision disrupts “widely accepted regulatory activity.” Sorrell at 2677.

By championing the idea that legislatures could not regulate the speech of corporations differently than that of other speakers and by dispelling the argument that the disparate impact of corporate speech on the marketplace of ideas justifies stronger regulation of corporate speech, Citizens United provided a model for the Sorrell court’s holding that commercial speech regulations must be viewpoint neutral. Although Sorrell represents a break with previous commercial speech precedent, this break is not completely unexpected following the Court’s decision in Citizens United.

III. Banning content-based regulation of commercial speech, Sorrell further undermines the commercial speech doctrine.

Although the Court’s decision in Sorrell had its roots in Citizens United, Sorrell went one step further than even Menthe predicted. As he suggested might happen, Citizens United led the Sorrell Court to ban regulation of speech based solely on a corporate viewpoint. However, even Menthe failed to predict that the Sorrell Court would hold that legislatures could not pass regulations specifically regulating commercial content.

Under the seminal commercial speech case Central Hudson, the Court had previously allowed content-based regulation of commercial speech due to its “hardy” nature. See Central Hudson at 564 n.6. Although the Sorrell Court did not explicitly overrule Central Hudson, it seemingly reached its determination that the Vermont statute violated the First Amendment precisely because the statute placed content-based restrictions on speech. In part II(A)(1) of its decision in Sorrell—pages before its discussion of Central Hudson—the Court noted that the Vermont law “is designed to impose a specific, content-based burden on protected expression. It follows that heightened judicial scrutiny is warranted.” Sorrell at 2664. These two lines appear to state a primary holding of the case, which directly conflicts with Central Hudson’s allowance for content-based regulation of commercial speech.

When the Court finally addressed the Central Hudson commercial speech doctrine in Sorrell, the Court did so as if it were addressing a counterargument rather than the core doctrine of the case: “In the ordinary case it is all but dispositive to conclude that a law is content-based and, in practice, viewpoint-discriminatory . . . . The State argues that a different analysis applies here because, assuming [the Vermont law] burdens speech at all, it at most burdens only commercial speech.” Sorrell at 2667. This language seems to suggest that if the State had not brought up the Central Hudson commercial speech doctrine, the Court may not have addressed it at all.

By seemingly basing the Sorrell decision not on the Central Hudson commercial speech doctrine, but instead on general First Amendment principles that prohibit viewpoint- and content-based regulation of speech, the Court in Sorrell afforded greater protection to commercial speech. The Court applied “heightened” scrutiny to the Vermont statute—the type of scrutiny reserved for non-commercial speech—instead of the lesser standard of scrutiny the Central Hudson court stated was appropriate for commercial speech. See Sorrell at 2675, 2677 (Breyer, J., dissenting) (stating that “the Court should review Vermont’s law ‘under the standard appropriate for the review of economic regulation,’ not ‘under a heightened standard appropriate for the review of First Amendment issues’” and that the majority wrongly adopted “a standard yet stricter than Central Hudson”). The majority’s approach in Sorrell thus reviewed the regulation of commercial speech under essentially the same standard as non-commercial speech, thereby prohibiting lawmakers from regulating speech with a corporate speaker or commercial message differently than non-commercial speech.

IV. Sorrell leaves legislatures with tough data privacy choices: Is online data privacy worth the risk to innovation and research posed by universal opt-in or opt-out schemes?

By prohibiting legislatures from regulating the commercial use of data differently from the non-commercial use of data, Sorrell leaves lawmakers with few practical means of addressing online consumer data privacy. Lawmakers can allow the status quo to continue—keeping in place a patchwork of laws that protects some consumer data, such as medical records, but not others, such as consumer web browsing histories—and hope that market forces will lead to greater data privacy. Many believe that market regulation is preferable to government regulation, since legislation may fail to adapt to new technology and may “impose burdensome costs” on the online sector. 454. However,  given the President’s stated interest in data privacy legislation, Senator John McCain and Senator John Kerry’s proposed Commercial Privacy Bill and California’s proposed Do Not Track legislation, it is clear that there is significant government interest in regulating consumer data privacy.

The Court’s decision in Sorrell undermines the aim of legislation such as the Commercial Privacy Bill that imposes special regulations on the commercial use of consumer data. The approach taken by the Commercial Privacy Bill is very similar to the Vermont law struck down in Sorrell: The bill allows consumers to opt-out of the use of their data for third-party ad marketing, but still allows companies to collect and track consumer data for other purposes. If the Sorrell opinion applies broadly to online consumer data, then Sorrell forecloses consumer data privacy laws that discriminate against some commercial uses of data while allowing other uses. California’s Do Not Track Act may fare better, since the current version of the bill prohibits the general collection of data belonging to consumers who have opted out of online tracking, and thus does not specifically target the commercial use of consumer data. Nevertheless, the Do Not Track Act provides wide exceptions for government, law enforcement, and research use of data, and thus may still impermissibly discriminate against commercial data use.

Sorrell suggests that an alternate approach is required if legislatures wish to regulate data privacy. The Court speaks approvingly of HIPAA as such an approach. Sorrell at 2668. HIPAA requires health care providers and other covered entities to “give individuals an understandable notice of the ways in which [personal health information] will be used and disclosed” and to “make a good faith effort to obtain a written acknowledgement of receipt of the notice.” Once providers have given notice and attempted to obtain consent, they can use personal health information for “treatment, payment, and health care operations” without further permission. Perhaps what the Sorrell Court found attractive about HIPAA was the Act’s requirement that all healthcare providers must inform consumers of providers’ privacy practices and obtain written acknowledgment of these practices. This resembles a type of universal “opt-in” scheme, where all entities who wish to use consumer data must inform the consumer ex ante of all the ways her data may be used and must receive the consumer’s permission before using her data.

A universal opt-in scheme that applied to both commercial and non-commercial entities would likely protect both data privacy and Sorrell First Amendment rights, since it would apply regardless of the speaker’s viewpoint or the data’s commercial content. At first glance, a universal opt-in scheme for consumer data sounds attractive. Facebook utilizes this type of approach with its Facebook applications, which are programs generally created by outside companies that run off of Facebook user data. Before a Facebook user can run an application, Facebook presents the user with a dialogue box that details exactly which types of personal information the application will access and asks for the user’s permission. This approach is certainly refreshing when compared to the practices of websites like, which is known to install hundreds of tracking files on users’ computers without warning.

In practice, however, a universal opt-in data privacy law may have negative effects on Internet innovation and even consumer privacy. In a SCRIPTed article, Nicklas Lundblad and Betsy Masiello describe the more insidious potential effects of an opt-in world of data privacy. One effect is the “dual cost structure” of an opt-in regime, in which a user must decide “first . . . if it is worth the time to evaluate the decision to opt-in; and second . . . whether the service is valuable enough to justify the opt-in.” This extra layer of decisions “has the effect of imposing a cost on the initial recognition of a great opportunity or service,” which could stifle innovation by decreasing the use of new services. A second effect of an opt-in scheme may be an increased demand for “single identity systems” that allow users to log into multiple websites through the same account—and that would likely “have excessive scope and deep use conditions”—which would reduce transaction costs but in the end might also reduce consumer privacy. A third effect is consumer desensitization after multiple data use requests; the corollary result is that “the actual scope [of data requests] can start growing without much awareness on the part of the user.”  A final potential effect is “balkanization,” which Lundblad and Masiello describe as a “worst-case” scenario where users “might be reluctant to leave a service they have evaluated and invested in,” leading to a decrease in data mobility and a corresponding decrease in competition and consumer value.

An opt-out regime, such as California’s Do Not Track law, may be a better option for lawmakers, since it would not involve the high transaction costs, desensitization, and balkanization effects of an opt-in regime. Consumers may still dislike the black-and-white nature of a universal opt-out regime, which would not allow the consumers to share their data for some commercial purposes (such as geolocation services) but not others (such as behavioral marketing). For an opt-out regime to be legal under Sorrell, legislatures may need to go one step further than California’s Do Not Track law and allow opt-out for all potential uses—including use by “researchers, journalists, [and] the State itself,” Sorrell at 2668—and not just commercial uses. If enough consumers opted out of all data tracking, we may lose valuable resources such as Google Flu Trends, which fairly accurately predicts flu outbreaks based on an analysis of the frequency of flu-related Google searches in particular areas. This, however, may be the point the Court was trying to make in Sorrell: Congress can protect data privacy only as long as it is willing to privilege privacy in all settings, both commercial and non-commercial.

V. Conclusion: Sorrell may leave data privacy regulation in the hands of private companies.

By prohibiting legislatures from tailoring data privacy laws to address the commercial use of consumer data—despite the fact that legislation like the Do Not Call Registry and services like Google+ demonstrate that consumers want to share data categorically with some groups but not others—Sorrell leaves legislatures with tough data privacy choices. Existing proposed laws such as the Commercial Privacy Bill may not pass Constitutional muster. Sorrell’s core tenet—that lawmakers must regulate the commercial use of data in the same manner as the non-commercial use of data—favors schemes, such as opt-in and opt-out data privacy laws, that apply universally to all data users. Both universal opt-in and opt-out schemes, however, present legislatures and users with choices that they likely do not want to make. Are desirable uses of health data, such as public health reports or Google Flu Trends, worth giving up patient data privacy? Is it worth protecting data privacy, even if this means that privacy laws prevent the free flow of data between websites, decreasing innovation and customer value? Sorrell’s all-or-nothing approach to data privacy does not adequately allow for a more nuanced legislative approach to data privacy that might better weigh these competing concerns. Ultimately, private market data privacy policies—which can make categorical distinctions between different types of data use—may be the only sensible option in the wake of Sorrell, leaving data privacy decisions in the hands of corporations rather than legislatures.

[1] Sorrell page citations are to the Supreme Court Reporter. All other Supreme Court page citations are to the United States Reports.