Constructing a remedy for data hoards

Abstract

This article considers how a constructive data trust—a court order that someone holds property for the benefit of another—might offer a reparative solution in privacy and data governance cases. This proposal is situated within an algorithmic reparative framework, which seeks not only to compensate for individual privacy harms but to redress the structural inequities and ill-gotten gains inherent in massive data collection. While scholars have increasingly advocated for data trusts as voluntary governance models to manage information flow, this article distinguishes its contribution by proposing the constructive data trust as an equitable remedy rather than a mere administrative structure. By repurposing this traditional legal instrument, we can transition from a defensive posture of data protection toward a proactive model of data reparation that restores the benefits of data hoards to the communities from which they were extracted.

Keywords

Data trust reparation remedy law

Introduction

In June 2024, embattled facial recognition company, clearview AI, agreed to settle a lawsuit emerging from its scraping of images from social media sites. Clearview had been sued in New York, Virginia, California, and Illinois, among other jurisdictions, for invasion of privacy; these cases were consolidated into a class action lawsuit, spearheaded by the American Civil Liberties Union (ACLU), which claimed that the company had violated the Illinois Biometric Information Privacy Act (BIPA) (Statt, 2020). BIPA allows individuals to sue an organization that violates their right to control their “biologically unique” identifiers and carries statutory penalties of $1000 for each negligent violation and up to $5000 for each intentional or reckless violation. Defending the lawsuit, which began in 2020, had reportedly become a drain on company finances, leading Clearview to offer a unique solution for settlement instead of facing the full brunt of possible damages under BIPA (Hill, 2024; Scarcella, 2024). Clearview's settlement offer had purportedly been worth $50 million. Instead of a traditional cash payment, the company agreed to provide class members with a financial stake in the company worth upwards of 23% (Hill, 2024). This would mean that if the company were to go public, those who had claimed a share of the stake could benefit financially.

In general, current private rights of action or class action lawsuits brought under privacy or data governance legislation in the United States focus on compensatory remedies—providing monetary damages for those individuals impacted by data collection and use (Freed, 2021; Scholz, 2021). Since the passage of BIPA in 2008, individuals have sued several organizations, including Spokeo, Six Flags, and Facebook (Meta) for privacy invasions (Bryant, 2021). Depending on the statute, the damages collected for these invasions can range from nominal to significant. While the recent Clearview settlement and similar lawsuits may provide an undetermined sum for privacy invasions, a question remains about what happens to the data collected and what rights individuals and communities have to the data collected, stored, and used without permission or beyond the scope of their expectations.

This article examines the possibility of using constructive trusts—a court order requiring the maintenance of property for the benefit of another—as a restitutionary measure in privacy and data governance cases. The next section considers data hoarding and the concerns with processing information. This is followed by an examination of trusts in general, data trusts, and the use of constructive trusts as remedies, and the possibilities for intangible “things.” In this section, I also explore the various claims for which constructive trusts have arisen. Following this, I consider instances in which a constructive data trust may provide a solution to the power asymmetry inherent in personal data collection, followed by consideration of the possible drawbacks and hindrances in the widespread use of constructive data trusts.

On data hoarding

We know that the personal data—whether biometric, video, financial, or other—collected is used in many algorithmic decision processes including, mortgage and loan, bail and sentencing, health care, and others (Bui and Noble, 2020; O’Neil, 2016). We also know that the use of this historic data collected in racist, sexists, and other biased contexts, disparately impacts individuals from already marginalized and vulnerable communities (Eubanks, 2018; Washington, 2023). Data collection and its use in machine learning systems is, as it should be, a source of major concern for regulators globally.

In early 2024, for instance, Oregon Senator Ron Wyden sent a letter to Lina Khan, then-Chair of the Federal Trade Commission (FTC), and Gary Gensler, then-Chair of the Securities and Exchange Commission, asking their agencies to investigate the conduct of Near Intelligence, Inc., a now-bankrupt data broker (Wyden, 2024). A year prior, Near, since acquired by Azira, had become publicly traded on NASDAQ, after securing a significant share of the location data market. Wyden's office started investigating the company in May 2023, after a Wall Street Journal article detailed how an anti-abortion organization used location data from Near for targeted messaging (Tau and Haggin, 2023). A later WSJ investigation found that Near had sold location data to the US government, including defense contractors and intelligence agencies, without the consent of those tracked (Tau et al., 2023). By December 2023, and after being “cut off” from access to data from two large online advertising data exchanges for violating terms of service, Near filed for bankruptcy (Keegan, 2024). Senator Wyden's letter asked that the FTC intervene in Near's bankruptcy proceedings to ensure that the data held by Near would be destroyed. The FTC finalized its order requiring Near to delete data collected without consent in April 2024. This authority to order the deletion of both the data held by Near and any associated algorithms comes through a remedy called disgorgement (Li, 2022).

In prior writing I have discussed the several categories of Information Distribution Organizations (IDOs), defined as those organizations that play a significant role in the data ecosystem and for which data collection and use are deemed indispensable parts of the business or organizational model, and which have become the subject of social, ethical, and policy controversies over the past several decades (McNealy, 2021). IDOs can be organized into four categories, depending on context and behavior: Hoarder, handler, bricoleur, spy. Of particular interest for this article are the hoarders—those organizations, like Near, involved in the collection, processing, and storage of vast amounts of information—and the spy—involved in the same kinds of data interactions as the hoarder, but without the permission of the data subject.

Data hoarding in the wild

Hoarders are readily identifiable. In fact, expansive data collection is the logic practiced by most firms in the modern organizational environment. This has been identified by Zuboff (2019) as surveillance capitalism, or the organizational capture of human experiences that are then processed in prediction systems, the products of which are then sold to other customers (Zuboff, 2019). A more critical description of the impact of this kind of hoarding can be found in the Myers West (2019) conceptualization of data capitalism, “a system in which the commoditization of our data enables a redistribution of power in the information age” (West, 2019: 23). It is the power dynamics identified explicitly or implicitly in either conceptualization that is of importance for this discussion.

An example of both surveillance and data capitalism, and how it is both an issue of commerce and power, is the Crisis Text Line (CTL) scandal, a non-profit that uses data-driven technology to provide mental health services to those in crisis. In 2022, an investigation of the AI-driven mental health chat line CTL, uncovered that the organization was sharing user data with its for-profit spinoff (Levine, 2022; Porcaro, 2022). To do this, CTL collected text conversations with its users and allowed its for-profit child organization, Loris.ai, to use portions of that data to create and advertise customer service systems. CTL claimed that the data had been anonymized and did not contain information that could identify users.

CTL's data interactions stemming from its collection of chats, its processing of that data, and making it available for use by Loris demonstrate the susceptibility of personal data to use and processing in systems designed to both materially benefit organizational actors and to place individuals and communities at a power deficit. Through its service, CTL had collected what was thought to be one of the largest mental health datasets in the world, able to be analyzed to create models on mental health and effective crisis communications (Hendel, 2022). Yet, even with the supposed anonymization, research has shown that it is not difficult for those in possession of data to traceback the disclosures in the data and re-identify users. Although CTL provided users with a 50-paragraph disclosure about usage and data collection, questions arose as to whether people in crisis are aware of how their data might have been collected and then used. Following the exposure of the data sharing program with Loris.ai, CTL changed its privacy policy to provide clear details about how data might be collected and shared (Hagerty, 2022). It eventually discontinued its data-sharing program and asked Loris.ai to delete any data it had received. Like other organizations that find themselves the target of negative attention because of data collection and processing activities, CTL may have agreed to change its behavior, but retains the ability to profit, in some way, from retention of the chat line data.

Data processing

It is not simply that an organization like CTL has data; it is the processing of the data that brings value and associated negative impacts. These harms from data processing are identified as part of the rationale for passage of legislation like the European Union's General Data Protection Regulation (GDPR) as well as the US state laws it has influenced like the California Consumer Privacy Protection Act (CCPA), Virginia's Consumer Data Protection Act (CDPA), and Iowa's Consumer Data Protection Act (ICDPA). These laws place limitations on both data collection and processing. Contention exists about whether the laws mitigate data processing harms. The CCPA, for example, is an opt-out statute, providing individuals with the ability to remove themselves from data processing by organizations (Stauss and Weber, 2022). This is significantly different from opt-in legislation, which prohibits organizations from collecting and processing data without providing individuals with notice and obtaining their consent.

The harms of data processing can be connected to the kinds of data being processed. The United Kingdom's Information Commissioner's Office identified 10 kinds of data processing considered high risk for harm: the use of innovative technology (including artificial intelligence), denial of service, large-scale profiling, biometric data, genetic data, data matching, invisible processing, tracking, targeting vulnerable groups for marketing, and risk of physical harm (UK Information Commissioner's Office, 2024). Some of these harms, like genetic data and biometric data, are based on the sensitivity of the category of data; genetic and biometric data can reveal sensitive information about an individual and their family's health, ancestry, and possible health outcomes. The significance of this information and how it can be used to harm has provoked US legislators to pass laws like BIPA and other state biometric privacy laws, as well as genetic privacy laws like the Genetic Information Nondiscrimination Act (GINA), an US federal law prohibiting employers and insurers from requesting or requiring genetic data and discriminating against job-seekers and health plan enrollees based on genetics (USC, 2008).

Other categories of identified harms can be traced to how the data are used and the purpose of the uses. Targeting vulnerable groups for marketing, for example, has long been a target of regulation by the FTC, which includes children, the elderly, low-income, and chronically ill individuals in its operationalization of those groups most susceptible to unfair and deceptive practices (Federal Trade Commission, n.d.). The agency strongly enforces the Children's Online Protection Act (COPPA) (1998), for instance, which prohibits the collection of data from children under 13 year old by apps and services that target children or should know children are in the audience. An enforcement action against NGL Labs, in collaboration with the Attorney General of California, for its “Not Gonna Lie” anonymous messaging app demonstrates the FTC's concerns for children's data. The claims against NGL included that it targeted teenagers on Instagram, and that it collected and stored users’ personal data, including their social media usernames and profile pictures, location data, and browsing history (Kang, 2024; Tonsager et al., 2024). The company also failed to obtain consent from the parents. The FTC and State of California proposed a settlement of $4.5 million for users and a $500,000 civil penalty. The settlement would also ban NGL from offering anonymous messaging apps to kids under 18.

Important in the NGL settlement, too, is the order requiring that the company and any other company working with it to delete all that personal data associated with the app, with a few exceptions. NGL was required to provide written verification of the processes through which it identified all the personal data that had to be deleted. In addition, NGL had to maintain information about which data it retained because it was obtained with consent, along with a record of data so that the FTC could compensate users and that the app stores from which users downloaded the app were able to provide refunds. Therefore, although ultimately requiring the erasure of the ill-gotten information, the federal agency required NGL to retain it to fulfill certain specific purposes. This is, in essence, the creation of a trust.

The urgency for equitable remedies like a trust is heightened by the US Supreme Court's 2021 decision in AMG Capital Management, LLC v. Federal Trade Commission (2021), in which it held that Section 13(b) of the FTC Act does not authorize the Commission to seek equitable monetary relief, such as restitution or disgorgement, directly in federal court. This decision effectively stripped the FTC of its primary tool for recovering billions of dollars for consumers, forcing the agency to rely on more cumbersome administrative processes or specific statutory violations.

And while the United States is lacking an omnibus federal privacy and data protection law, some states, like California, have given some classes of individuals the right to order organizations to delete their personal data. Yet, even deletion, at the individual level, may not provide the kind of protection and remedial action needed, at a community level, for the collection and use of personal data. Certainly, damages may help to rectify an invasion of a privacy plaintiff's injuries; the addition of punitive damages may deter other organizations from engaging in the same or similar behaviors. The current voluminous collection of data creates the need for damages beyond or along with the monetary. Restitutionary damages, a declaratory judgment in which a court orders the “thing” by which an individual or organization was unjustly enriched to be removed from a defendant, may offer additional relief. Based in equity, a court order for a constructive trust, may provide an adequate, supplementary remedy from ongoing privacy invasions and disparate impacts of personal data collection, storage, and use.

Trusts, as a general matter

Traditional trust law, in English-based systems, finds its foundations in both property and contract law. Trusts, in general, are created when one party (trustor) transfers legal ownership of something (the res) to another (trustee) for the benefit of a third party (beneficiary) (Penner, 2016). The trustee, then, is endowed with fiduciary duties to the third-party including the duty of loyalty, the duty to administer the trust, and the duty of prudence, among others (Leslie, 2005). Most states within the United States have enacted the Uniform Trust Code, which provides for the creation, administration, and structures of trusts under state law. Traditional trust law is, although interesting, beyond the scope of this article.

Data trusts

Although traditional trust law is outside the scope of this paper, data trusts are not. Data trusts have gained in popularity in scholarship and practical use in the past several years. Put simply, data trusts are mechanisms for using quasi-trust law provisions for data. Arguing for the use of data trusts for the data collected in online transactions, Professor Lillian Edwards wrote in 2004 that trusts could provide a new way of considering how personal data is collected online (Edwards, 2004). The concept had two keys: profit-sharing and fiduciary duty. The principle of profit-sharing is inherent in the idea that the trust would be for the benefit of the parties whose data was a part of the trust. In the case of personal data, the explosion of the data processing and prediction industries, for example, demonstrate the value of this information. At the time Edwards published her provocation, most states in the United States did not have privacy or data security related laws that provided individuals with a private right of action that would allow for the recovery of damages, especially not as a proxy for profit-sharing with the individual being considered a partial owner or beneficiary. The second principle is a combination of two key ideas proposed by Edwards: the duty to act in the best interest of the beneficiary and the duty of care. The fiduciary duties are mandatory; failure to fulfill them were grounds for a beneficiary to ask for an accounting of activities and to seek civil recourse.

Examples of data trusts in the wild are not overwhelmingly numerous although the idea garnered significant attention. The Open Data Institute, an organization founded by Sir Tim Berners-Lee, calls data trusts a legal structure that provides independent stewardship of data. In essence, a data trust is a contractual or quasi-contractual arrangement for people or organizations pooling data for mutual benefit, who engage in a scheme of cooperative governance. Data trusts have been piloted across the world and have taken various proposed forms. In Toronto in 2017, Sidewalk Labs, then a subsidiary of Google, proposed the creation of a smart city or a smart segment of a city, equipped with data-collecting sensor technologies of all kinds, near the Waterfront in Toronto (Rinik, 2020; Wylie, 2020). The proposal, though initially earning the winning bid on a request for proposals by the Toronto city government, was met with significant pushback from residents and advocates concerned about data protection and privacy. In recognition of resident concerns, Sidewalk Labs proposed the creation of a data trust for the data collected in the smart city that would benefit the people in that neighborhood. This proposal was met with incredulity at the company's proposal to work in the interests of those whose data was collected.

An example of a controversial action by a data trust, which occurred at around the same time was DeepMind Health receiving access to a portion of the medical records held by the UK's National Health Service (NHS). The health records were to be used as training data (BBC, 2021). One of the suggestions made in connection with the collaboration was that the records were going to be a data trust useful for all different kinds of medical or healthcare organizations to get access to this trust. As with the Sidewalk Labs Toronto controversy, a major concern was that a significant number of those whose records were in the trust did not want to participate. Further, some questioned whether the National Trust was fulfilling its duty of care when it allowed DeepMind to access the data. This was especially so because of a lack of trust in the non-public organization wanting to collaborate with the trust, Google.

Both examples of attempted data trusts above demonstrate negative responses from those who would be considered the beneficiaries because they do not believe that they would benefit. They further did not trust that the trustees would behave in a manner that would fulfill their fiduciary duties. There are, however, data trusts that have been successfully created because of the collaborative governance mechanisms connected to them. Some US indigenous tribes created data trusts for biomaterials, including genetic data (Modhvadia and Reid, 2024; Native BioData Consortium, n.d.). If researchers, then, want to collect and use the data, they are required to seek permission, and follow the policies set by the organization, many of which seek to be respectful and cognizant of traditions. In this way, the indigenous groups have created a governance structure aimed at protecting its members and the protect value in this kind of data.

A reparative necessity

The work of the indigenous organizations to create protections related to their data also seeks to address historic exploitation and abuse. Although the idea of data trust using Edward's (2004) two key ideas is still provocative, a more critical framing of these ideas is necessary. Instead of considering personal data from an individual ownership frame, it is more fruitful to consider the networked impacts of the collection and processing of this data (Viljoen, 2021; Doerr and Yu, 2023). The use of machine learning and other algorithmic tools has created a layer of amplification in the stack of possible privacy and related harms including discrimination (Davis et al., 2021). Data, and the technologies that record them, are inherently social and reflective of society. Therefore, when data is collected in societal systems, if left without correction and contextualization, it will reflect the inequities in that society when processed. According to Davis and colleagues, the use of algorithmic tools, then, reifies “existing patterns of power and privilege, marginalization and disadvantage” (Davis et al., 2021: 2).

A better possible framework for considering the value that individuals and communities might share-in could be algorithmic reparation, which strives for social equity or the provisions of resources based on the historic systems of privilege and discrimination. This would include an examination of history as well as structural redress. “Algorithmic reparation thus incorporates redress into the assemblage of technologies that interweave macro institutions and microinteractions, embedding an equitable agenda into the material systems that govern daily life” (Davis et al., 2021: 4). This kind of value-sharing system, instead of profit-sharing or damages calculating systems, would better reflect the short and long-term impacts of data collection and usage, and make for a data trust system that might address societal power hierarchies leading to systemic disadvantage and harm.

The concept of algorithmic reparation shifts the focus from individual privacy “violations” to the structural “extraction” of value from marginalized groups. Unlike traditional data protection, which emphasizes individual control or notice and consent, an algorithmic reparative framework acknowledges that the harm of a data hoard is cumulative and distributive. Drawing on the work of legal and data scholars (Davis et al., 2021; Viljoen, 2021), reparation in this context requires more than just deleting data or paying a nominal settlement fee. It demands a structural reordering where the benefits of the data—its predictive power, its research utility, and its economic value—are redirected toward the communities that provided the raw material. By applying a constructive trust, we move from a logic of compensation (paying for a past wrong) to a logic of reparation (building a future-facing system of collective benefit).

Without an omnibus, federal privacy or data protection statute privacy and data protection in the US rests in a cobble of regulations from states, administrative, and sector-specific laws, Illinois’ BIPA being heralded as an example for other jurisdictions. Fear of liability under BIPA has led to several settlements by tech organizations sued since the enactment of the law. In context, these settlements do not make as large of an impact on the organizations as someone harmed by the data collection might desire. Class members in these suits may receive sums as low $30 or no higher than a few hundred dollars. Although these monetary damages are supposed to reflect a bringing of the injured parties to wholeness, questions remain about the value of the data and the people it reflects, as well as what is to be done with the data. In these settlements and rulings, organizations must pay a fine while continuing to earn value from the data collected through deception, manipulation, or other extra-legal means. Compensatory settlements often fail to account for the “gain-based” value of data that remains within an organization after a fine is paid. Restitutionary remedies are uniquely suited for data governance because they alleviate the burden on plaintiffs to establish direct losses—a notoriously difficult task in privacy law (Li & Lee, 2026). What's necessary is a remedy that fulfills this restitutionary potential by stripping the hoarder of the unearned advantages of the dataset, thereby “legitimizing” the continued existence of the technology through the equitable distribution of its benefits (Li & Lee, 2026). When communities of data subjects are caught in a dragnet used to power the latest AI models, what are the possibilities when current civil law fails to provide a more complex remedy? An answer might be found in the law of equity.

While privacy litigation traditionally founders on the requirement to prove concrete “injury-in-fact,” recent scholarship suggests shifting the legal focus from the plaintiff's loss to the defendant's gain. As Li and Lee (2026) argue, the doctrine of unjust enrichment offers a pragmatic alternative to intellectual property and privacy regimes by reframing unauthorized data use not as a tortious wrong, but as a benefit unjustly derived at the data owner's expense. Within this framework, the constructive trust serves as the necessary remedial vehicle to capture and redirect these ill-gotten gains, ensuring that the commercial value extracted from data hoards is held for the collective benefit of the data originators (Li & Lee, 2026).

Constructive (data) trusts

When traditional trusts fail, as well as in cases in which plaintiffs seek declaratory remedies for tortious and criminal acts, courts may create constructive trusts. Under the Restatement (3d) of Restitution and Unjust Enrichment, a constructive trust is created when “a defendant is unjustly enriched … at the expense of the claimant or in violation of the claimant's rights” (Restatement (3d) Restitution and Unjust Enrichment, 1998). The remedy is based on the equitable principle that an individual should not be able to benefit from property they obtained through someone’s unlawful or immoral act. To demonstrate that a constructive trust is required, a plaintiff must show (1) the defendant committed some act to obtain the plaintiff's property through fraud or breach of trust, (2) that allowing the defendant to keep the property would result in the defendant benefiting at the plaintiff's expense, (3) that the property was currently and traceably in the defendant's possession.

Constructive trusts, then, are restitutionary assignments of power over some form of property or asset. Often used in cases in the broad realms of property, wills and estates, and unfair competition, constructive trusts are not necessarily trusts at all under the traditional definition—a fiduciary relationship where one holds property for the benefit of another. Instead, constructive trusts are created through court order, requiring an individual or organization breaching a duty, having been unjustly enriched, or interfering with economic relations, among other acts, to surrender the thing (res) in question (Restatement (3d) Restitution and Unjust Enrichment, 1998). Constructive trusts have been created in lawsuits over profits, intellectual property, stock options, as well as, information held on laptops.

The use of constructive trust for personal data collected and processed without consent or in systems leading to harm, then, would not be unprecedented. Recent cases in which a court has ordered the creation of a constructive trust for data or related matters are instructive. In Kraus v. Magarik (2020), a case that arose after the part-owner of a lighting business secretly formed his own company with competitors, the court refused to dismiss his former partners’ motion for the creation of a constructive trust. Instead, the court found that when the former owner had created a competing company, he had breached his fiduciary duty. He had further breached his duties of loyalty and good faith by providing his new partners with access to “technical product specifications, information on upcoming designs, sales data, e-commerce data, and other commercially sensitive information including customer lists, vendor relationships, the identity of contractual counterparties, internal cost structure and operating expenses, and e-commerce knowledge.” Although this data existed in electronic form, the court found that it was still tangible, a requirement for a claim of trade secret conversion—the stealing, using, destroying, or selling of someone else's trade secret data—based a prior case in which a court found that customer lists and other related data in the form of electronic records were subject to conversion.

In a similar case, an organization sued its former Vice President of Sales for sending emails to her personal address that contained private company information including “confidential client contact information; client account information; business needs of clients; special needs of clients; production services and confidential client financial information, including costs, profit margins, discounts, rebates, marketing strategies, and tactics; and other confidential information concerning Regency's business operations, business model, and marketing techniques” (The Regency NYC Inc. v. Atkinson, 2024). The former VP then used the business data to solicit and contact the company's clients and vendors for her own purposes. The company, Regency, requested a constructive trust based on its former employee's breach of the duty of loyalty and breach, and unjust enrichment.

Important in both cases are the courts’ examination of whether there was a sufficient relationship between the parties to find that a fiduciary duty existed. In both cases, because there was a close business or employment relationship, the courts found sufficient evidence of a fiduciary duty. An important question for the imposition of a constructive trust for unjust enrichment with personal data, as proposed in this provocation, is whether a duty could exist between those whose data has been collected and the organizations doing the collection. Although the neologism seems to have originated with Professor Kenneth Laudon in his examination of privacy and data markets, in relation with modern social media and other platforms, the idea of data or information fiduciaries is popularly connected to a 2014 blog post by Professor Jack Balkan (Khan and Pozen, 2019), who argued that online service providers might be considered information fiduciaries, a categorization would impose the duty to not use its users personal information against their best interest (Balkin, 2014, 2015). This would limit the collection, use, and sale of personal data, and change the users’ reasonable expectation of privacy—a standard used in many US court cases in which it asks whether an individual claiming invasion of privacy had an expectation about society was prepared to accept as reasonable.

Zittrain (2013), too, has argued that the voluntary categorization of online platforms as information fiduciaries would mean more requirements related to platform behavior in relation to user data. An example of this would be the ability of users to determine the amount of personalization they would encounter, meaning that user personalization might be free of influence built to fulfill the platform's profit logic. Such logics may seek to manipulate or discriminate against users by using personal data. Yet, critics of the information fiduciary approach claim that there are several reasons to doubt the framework would resolve the issues with online privacy and personal data on platforms (Khan and Pozen, 2019). A rationale for this pushback against the concept has to do with its inability to deal with the immense market share and the business model built on surveillance (Dobkin, 2018). Instead, some critics call for a regulatory framework that focuses on abusive data practices and includes antitrust considerations.

Proposals and critiques of information fiduciaries identify the issue of information asymmetry between user and platform as one that must be addressed (Dobkin, 2018). Other asymmetries that must be addressed include “knowledge, power, and control,” and it is not possible to remedy these inequities with a simple legal mechanism like a constructive trust. Instead, it must be coupled with participatory governance from those whose data is the subject of the trust. In more simple terms, the people in the trust must be able to control the trust. The specifics of the governance system can be debated, but the failures of data trust proposals like Sidewalk Labs and DeepMind above demonstrate that people and communities are very concerned about how the data captured about them will be used and by whom. They are also concerned with not being able to participate in the decision-making regarding the development and functioning of such a venture. It should be noted that the Sidewalk Labs discord was not simply dissent from people on social media or interviewed in traditional news. In fact, the dissent to the smart city and data trust proposal involved a coordinated campaign of protests, contacting policymakers, social media campaigning, and collective action. This demonstrates the interests that individuals and communities have in the governance of personal data.

Constructing a remedy: A speculation

To clarify the role of the proposed constructive data trust, it is necessary to distinguish between Threshold Conditions (prerequisites for the remedy to apply) and Implementation Criteria (how the trust is managed). Several requirements exist for a constructive data trust to be a feasible remedy:

Condition 1: The Breach of Duty (Threshold). The existence of a fiduciary or quasi-fiduciary relationship—the information fiduciary—where a party has a duty to protect or act in the interest of the data subjects.

Condition 2: Unjust Enrichment (Threshold). This is a prerequisite for the remedy, not an implementation goal. A constructive trust is appropriate when an organization's actions have enriched it at the expense of individuals or communities through wrongful data acquisition. The goal of the trust is to capture this enrichment and re-route its benefits, rather than allowing the hoarder to profit from the breach.

Criterion 3: Participatory Governance (Implementation). Once the trust is imposed, the mechanism for managing the the data must shift to a model of participatory governance.

A constructive trust may offer a way for individuals and communities to obtain value from the data already collected but enriching an organization. The particulars of each constructive data trust may differ based on context.

A primary hurdle in establishing a constructive trust for data is the legal identification of the beneficiary. Unlike traditional trusts, where assets are held for specific named individuals, the harms of data hoarding are often distributed across a diffuse population. To address this, the court can rely on the doctrine of “fluid recovery” (also known as cy pres distribution). Under this framework, the beneficiary is defined not by a list of names, but by the shared injury or the common source of the data extraction. By designating the community from which the data was harvested as the collective beneficiary, the court allows the trust to fund public-interest projects—such as community-led auditing—that benefit the group as a whole. This bypasses the administrative impossibility of identifying every individual data subject in a multi-billion-point dataset (Hensler et al., 2000; State of California v. Levi Strauss & Co., 1986).

As a thought exercise, it may be instructive to consider how a constructive data trust might work for personal data in context. The following subsections offer speculative examinations of three such examples focusing on biomedical data, infrastructural data, and creative data.

The biometric/genetic hoard (23andMe)

Toward the end of 2024, the direct-to-consumer DNA and genealogy mega-corporation 23andMe was reported to be in financial trouble. The organization had suffered multiple data breaches, which had led to at least one class action lawsuit (Allyn, 2024; Brown, 2024; Columbus, 2024; Morrow, 2024; Mullin, 2024). Further, the home DNA testing business was not as profitable as it had once been and the organization reportedly had not turned a profit in the entirety of the 18 years it had been in existence. Disputes over the desire to take the company private caused all seven independent members of 23andMe's board of directors to resign. The board conflict, security breaches, and financial instability elicited responses of concern from security experts, including calls for 23andMe users to delete their data.

Although reportedly 80 percent of 23 and Me users opt-in to having their genetic materials used for research, this does not translate to users affirmatively consenting to their data being included in the sale of the company (Allyn, 2024). Yet, without the vast store of genetic data, the company would be worthless. There had been rumors that the company was looking for a third-party buyer to take over. Instead of selling the company, 23andMe CEO Anne Wojcicki had a vision to take the company private, acquiring all shares of the organization that were not already owned (Thier, 2024). By early 2025, rumors of a cash sale of the company were again circulating. The company claimed, however, that were it to sell, the current privacy policy, which states that if the company is acquired, customers’ data may be accessed or sold as part of such a transaction, would remain in effect. In early 2025, 23andMe filed for bankruptcy protection and attempted to sell itself while under court supervision (Jamali, 2025). The CEO has now resigned; she and her TTAM Research Institute, a non-profit, later bought the company for $305 million.

Eleven states in the United States, however, require that organizations obtain customer consent before genetic materials are transferred. Therefore, the sale of 23andMe would trigger for customers in at least those eleven states the right to opt-in to participating in the sale. Along with its CCPA, which allows California residents to delete personal information, including genetic information, California's Genetic Information Privacy Act (GIPA), for instance, requires direct-to-consumer genetic testing companies to obtain express consent for collection, use, and disclosure of the consumer's genetic data and biological samples to third parties (Cal. Civ. Code, 2021). In fact, the California Attorney General issued a letter explaining California citizen rights under the law, and admonishing them to delete their data from the site (Bonta, 2025).

The travails of 23andMe are not the specific interest in this scenario. Of interest is how a constructive trust might offer a remedy for customers like those of 23andMe, who may believe that the sale of the company, along with the data, to a third party goes beyond the scope of the contract to which they had originally agreed. Under a constructive trust framework, a court could, as a remedy for (classes of) individuals seeking to have their rights protected either through intervention in a bankruptcy proceeding or disrupting a sale of data, order the creation of a constructive data trust, wherein the original organization would be prohibited from the sale to the third party, and required to provide an accounting of the data held in the trust.

The infrastructure/mobility hoard

A compelling parallel to the infrastructure debates of Sidewalk Labs can be found in the legal friction between the Los Angeles Department of Transportation (LADOT) and micro-mobility providers. Through its Mobility Data Specification (MDS), the city of Los Angeles mandated that companies like Uber and Lyft provide real-time GPS data for every trip taken on public streets. Uber challenged this in a lawsuit via its Jump escooter subsidiary Uber Technologies, Inc. v. Los Angeles Department of Transportation (2021) arguing that such a mandate constituted an illegal “hoarding” of proprietary business data and a violation of the Fourth Amendment (Arcila, 2020).

Applying the constructive trust framework to this conflict addresses the unjust enrichment threshold (Criterion 2) from a different angle. Here, the enrichment is the private capture of movement patterns generated entirely through the use of public-funded infrastructure (roads, signals, and traffic management). When private mobility firms refuse to share this “digital exhaust” with the city, they effectively extract a public resource for private competitive advantage, hindering the city's ability to manage transit equity and congestion (Scassa, 2020).

A court could resolve an impasse like this by imposing a constructive trust over the MDS data stream. Rather than providing the government with raw, surveillance-capable access—which was the core of the privacy objection in Sanchez v. LADOT (2022)—the data would be held by an independent data steward. Under participatory governance, this steward would use the trust's assets to provide the city with insights necessary to improve accessibility in transit deserts (Sheller, 2018). This structural intervention satisfies the reparative goal by rerouting the private profit of data collection to the public resource of equitable urban mobility.

The labor/creative hoard

The rise of generative artificial intelligence presents a new frontier for constructive trusts, particularly regarding the scraping of creative labor. In Andersen v. Stability AI Ltd (2024), a class of artists sued AI companies for using their copyrighted works to train models like Stable Diffusion without consent or compensation. The core of the artists’ grievance is that their labor was hoarded to build a commercial tool that now competes with their own livelihoods—a classic case of unjust enrichment (Henderson et al., 2023).

Under an algorithmic reparative framework, the training set becomes the res of a constructive trust. Because platforms like Midjourney or Stability AI acted as de facto information fiduciaries—managing and mediating access to the digital portfolios of millions—they arguably breached a duty of loyalty when they used that data to devalue the creators themselves (Sag, 2023).

The application of constructive trusts to generative AI models addresses the specific residual legal gaps identified in current AI litigation. Li and Lee (2026) contend that unjust enrichment can bypass the evidentiary hurdles of substantial similarity in copyright law by focusing on the quantifiable benefit the developer received from the data. By imposing a constructive trust on the resulting model or its revenue streams, the court creates a mechanism for gain-based restitution, moving beyond the traditional IP law approach to a model of sustained, reparative profit-sharing (Li and Lee, 2026; Sag, 2023).

A court-ordered constructive trust over the model's revenue stream or its latent space (the mathematical representations of style) would create a mechanism for reparative royalties. In theory, the trust could automate micro-payments to a “Creator's Collective” every time the model generates an image in a specific artist's style or uses their unique data signature (Koulu, 2016). This does not just provide a one-time settlement check; it establishes a structural remedy that ensures the beneficiaries (the artists) retain a stake in the ongoing commercial success of the model built on their labor.

In the context of generative AI, the Creator Collective serves as a representative entity for a beneficiary class defined by technical provenance rather than formal professional affiliation. While professional guilds or unions (e.g., SAG-AFTRA or the Authors Guild) possess the institutional capacity to act as class fiduciaries—negotiating micro-royalty structures and auditing model weights—the trust's legal boundary remains the training set itself.

As Li and Lee (2026) suggest, the focus must be on the unjust gain derived from the entire corpus of unauthorized data. Therefore, the constructive trust could be structured to provide a dual-path recovery: direct reparative royalties for identifiable creators (regardless of union status) and a common fund for the broader creative community. This common fund mirrors the doctrine of fluid recovery, and could fund open-source defensive tools or legal aid for independent artists, thereby ensuring that even unorganized creators benefit from the redistribution of the hoarded value. This structure prevents the remedy from becoming a closed-loop system for legacy institutions, instead treating the entire harvested community as the equitable owners of the model's latent value (Viljoen, 2021).

A major issue for all three of the above scenarios would be the enforcement of the court order for a constructive data trust. In the U.S., government organizations on the state and federal levels can require organizations to produce audit materials related to the data. A second issue of priority would be to whom would the data be transferred to establish participatory governance. This question is answered by the existence of community and civil society organizations created over the last decade aimed at providing support for communities desiring to use and govern data for community sustainability and benefit. Yet, the mere existence of these organizations does not offer an exact blueprint for how these constructive data trusts might be managed. The duty-based requirements for trustees, coupled with the overarching reparative framework identified above, do however, offer a way forward for considering how these vast stores of sensitive personal data might be both protected and offer community benefit.

Automating reparative constructive trusts?

The three scenarios—spanning biological, urban, and creative domains—demonstrate that the constructive data trust is not a monolithic tool, but a versatile equitable remedy capable of addressing diverse modes of unjust enrichment. However, for a constructive trust to move beyond a theoretical provocation, it must overcome the logistical and privacy-related hurdles that traditionally plague large-scale data management. This requires shifting from a descriptive account of what a trust can do to a normative blueprint of how it can be administered. By leveraging stewardship and privacy-enhancing technologies, the constructive trust can operationalize its fiduciary duties while ensuring that the very act of reparation does not inadvertently create new avenues for surveillance.

To transition from a provocative idea to an administrable legal intervention, the constructive data trust requires a clear operational framework. This framework addresses the logistical hurdles of stewardship and the power asymmetries identified earlier. To ensure a constructive data trust is both administrable and protective, it must be supported by two pillars: independent stewardship and technological safeguarding. The following are possible technical implementations along with important considerations that may impact their feasibility in a reparative scheme.

The fiduciary steward and accountability

The transition of control from an adversarial hoarder to a court-appointed steward requires a phased implementation to ensure the remedy is effective without destroying the underlying utility of the system. This could be achieved through the court ordering a logical partition of the contested data res. A Special Master, as trustee, would be appointed to oversee this partition, acting as a technical ombudsman with the power to audit and monitor the hoarder's access (Scheindlin & Redgrave, 2008). During this phase, the trustee may implement privacy protocols to ensure that reparative goals (like bias mitigation or community access) are pursued while the organization's legitimate, non-hoarding functions remain operational (Bamberger & Mulligan, 2015).

Differential privacy as a tool of equity

A significant hurdle for a reparative trust is the risk of secondary harm—the potential for the trust itself to become a vehicle for surveillance or re-identification. To fulfill the fiduciary duty of confidentiality, a trust can utilize differential privacy (DP), a mathematical framework that adds noise to a dataset, ensuring that the presence or absence of any single individual's data does not significantly affect the outcome of a query (Dwork & Roth, 2014) as a primary technical mechanism. Yet, DP is not without its criticism, especially as it has been found to deal with marginalized and vulnerable populations within a dataset, including errors affecting accuracy for important policy-influencing issues like the Census (Jurjevich and Chun, 2021; Santos-Lozada et al., 2020). A reparative framework will require what Kaul and Mukherjee (2024) call equitable DP, the design, communication, and implementation of DP algorithms that ensure equitable outcomes. By implementing equitable DP, a constructive trust can fulfill its reparative mission—such as allowing city planners to analyze patterns for equitable neighborhood transit —without exposing the raw, identifiable information (Wood et al., 2018).

Automation and smart contracts

Finally, the administration of complex distributions—such as the reparative royalties mentioned in the Stability AI case—is made feasible through smart contracts or automated protocols programed to trigger based on specific audit trails. For example, if a company pays for access to a differentially private insight from the trust, the smart contract will automatically route a portion of that payment to a community-managed fund (Koulu, 2016). This might reduce the administrative overhead of the trust and ensure that the reparative flow of value is transparent, immutable, and continuous.

While these mechanisms provide the technical and legal feasibility for a constructive trust, their ultimate value lies in their ability to operationalize algorithmic reparation. By shifting the res from a private asset to a community trust, the court does more than manage data; it restores the structural balance of the information ecosystem. The technical mechanisms described above are more than administrative conveniences; they are the functional components of algorithmic reparation. The current legal landscape often allows for the private capture of benefits derived from public and non-profit resources, such as the semantic web and open-source datasets (Wylie, 2020). By shifting the res from a private asset to a community trust, the court effectively reroutes the surplus value of the data hoard.

This intervention transitions the legal response from individual-centric restitution to a model of restorative data justice. Under this framework, the constructive trust acts as a vehicle to make whole the communities whose collective information was extracted through a breach of duty. In the LADOT mobility case, reparation is achieved by returning transit insights to the public sphere; in the Stability AI case, it is achieved by ensuring that the commercial success of the model sustains the creative community that built it. By returning to the foundational principles of equity, the constructive data trust ensures that the black box of the data hoard is opened, not for the sake of surveillance, but for the distribution of community-wide benefit. Ultimately, this structural remedy prevents unfettered data capitalism from permanently alienating communities from the fruits of their own digital labor, fulfilling the reparative promise of algorithmic justice (Davis et al., 2021).

Conclusion

This article has considered how the creation of a constructive data trust might offer protection for the personal data collected in various ecosystems, as well as a way of considering how these trusts might be managed. The framework for reparation and community benefit serves to anchor both the rationale for the creation of these data trusts, as well as an ethos for how these might be managed for individual and community benefit. Constructive trusts can be created by a court when there is evidence that an organization or individual is being enriched to the detriment of another. The ongoing data collection and processing, both legitimate and deceptive, continues to have adverse consequences for those caught in the data dragnet. Constructive data trusts offer a remedy for allowing control over the data collected.

A limitation of this article is that it does not offer specifics of how the constructive data will be managed. This is not the purview of a provocation like this. Future research might offer best practices data trusts that are created through court order. Perhaps more important will be future research on how the constructive data trusts might ultimately wind down the trust for deletion of data. Although this article has briefly discussed the FTC's power of algorithmic disgorgement and data deletion, further exploration of these powers put into use for organizational data hoards will be necessary for a fuller understanding of the various remedies that might be used to change the power dynamics inherent in the data collection ecosystem.

Footnotes

ORCID iD

Jasmine McNealy

Funding

The author received no financial support for the research, authorship, and/or publication of this article.

Declaration of conflicting interests

The author declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

References

Allyn

(2024) 23andMe is on the brink. What happens to all its DNA data? NPR, 3 October. Available at: https://www.npr.org/2024/10/03/g-s1-25795/23andme-data-genetic-dna-privacy (accessed 4 October 2024).

AMG Capital Management, LLC v. Federal Trade Commission (2021) 141 S. Ct. 1341.

Andersen v. Stability AI Ltd., 744 F. Supp. 3d 956 (ND Cal. 2024).

Arcila

(2020) Jump v. Los Angeles: removing platforms further from democratic control. UCLA Law Review Discourse 68: 160–175.

Balkin

(2014) Information Fiduciaries in the Digital Age. In: Balkinization. Available at: https://perma.cc/L277-CZLG (accessed 25 February 2025).

Balkin

(2015) Information fiduciaries and the first amendment lecture. U.C. Davis Law Review 49(4): 1183–1234.

Bamberger

Mulligan

(2015) Privacy on the Ground: Driving Corporate Behavior in the United States and Europe. Cambridge, MA: MIT Press.

BBC (2021) DeepMind faces legal action over NHS data use. 1 October. Available at: https://www.bbc.com/news/technology-58761324 (accessed 5 May 2024).

Bonta

(2025) Attorney General Bonta Urgently Issues Consumer Alert for 23andMe Customers. Available at: https://oag.ca.gov/news/press-releases/attorney-general-bonta-urgently-issues-consumer-alert-23andme-customers (accessed 26 March 2025).

10.

Brown

(2024) Remember That DNA You Gave 23andMe? In: The Atlantic. Available at: https://www.theatlantic.com/health/archive/2024/09/23andme-dna-data-privacy-sale/680057/ (accessed 28 September 2024).

11.

Bryant

(2021) Facebook’s $650M BIPA settlement ‘a make-or-break moment’. Available at: https://iapp.org/news/a/facebooks-650m-bipa-settlement-a-make-or-break-moment (accessed 17 March 2025).

12.

Bui

Noble

(2020) We’re missing a moral framework of justice in artificial intelligence: On the limits, failings, and ethics of fairness. In: Dubber

Pasquale

Das

(eds) The Oxford Handbook of Ethics of AI. New York, NY: Oxford University Press. Available at: https://doi.org/10.1093/oxfordhb/9780190067397.013.9 (accessed 28 January 2025).

13.

Cal. Civ. Code (2021) California Genetic Information Privacy Act.

14.

Children's Online Protection Act (COPPA) (1998) 15 USC §§ 6501-6506.

15.

Columbus

(2024) With 23andMe in crisis, strengthening DNA security has never been more urgent. In: VentureBeat. Available at: https://venturebeat.com/security/with-23andmes-directors-quitting-your-data-is-at-risk-time-to-double-down-on-identity-securitywith-23andmes-directors-quitting-your-data-is-at-risk-time-to-double-down-on-identity-security/ (accessed 4 October 2024).

16.

Davis

Williams

Yang

(2021) Algorithmic reparation. Big Data & Society 8(2): 1–12. 10.1177/2053951721104.

17.

Dobkin

(2018) Information fiduciaries in practice: Data privacy and user expectations. Berkeley Technology Law Journal 33(1): 1–50.

18.

Doerr

J-H

(2023) Translational research and communities. Ethics & Human Research 45(5): 34–38.

19.

Dwork

Roth

(2014) The algorithmic foundations of differential privacy. Foundations and trends® in theoretical computer science 9: 211–487.

20.

Edwards

(2004) Reconstructing consumer privacy protection on-line: A modest proposal. International Review of Law, Computers & Technology 18(3): 313–344.

21.

Eubanks

(2018) Automating Inequality: How High-Tech Tools Profile, Police, and Punish the Poor. New York, NY: St. Martin’s Publishing Group.

22.

Federal Trade Commission (n.d.) U.S. Federal Trade Commission Consumer Protection and Privacy Technical Assistance Overview. Federal Trade Commission. Available at: https://www.ftc.gov/system/files/attachments/international-technical-assistance-program/ftctechnicalcoop0716.pdf (accessed 17 March 2025).

23.

Freed

(2021) Florida privacy bill tanks over individuals’ right to sue. StateScoop, 6 May. Available at: https://perma.cc/BW77-5MTY (accessed 10 March 2025).

24.

Hagerty

(2022) One of the biggest suicide prevention hotlines amends its data-sharing practices. Available at: https://www.popsci.com/technology/crisis-text-line-stops-sharing-data-loris-ai/ (accessed 5 May 2024).

25.

Hendel

(2022) Crisis Text Line ends data-sharing relationship with for-profit spinoff. Available at: https://www.politico.com/news/2022/01/31/crisis-text-line-ends-data-sharing-00004001 (accessed 14 March 2023).

26.

Henderson

Jurafsky

, et al. (2023) Foundation models and fair use. Journal of Machine Learning Research 24(400): 1–79.

27.

Hensler

Dombey-Moore

Giddens

, et al. (2000) Class action dilemmas: Pursuing public goals for private gain. Santa Monica, CA: Rand Corporation.

28.

Hill

(2024) Clearview AI Used Your Face. Now You May Get a Stake in the Company. The New York Times, 14 June. Available at: https://www.nytimes.com/2024/06/13/business/clearview-ai-facial-recognition-settlement.html (accessed 10 March 2025).

29.

Jamali

(2025) 23andMe files for bankruptcy protection. Available at: https://www.bbc.com/news/articles/c9q4r9xy9wro (accessed 26 March 2025).

30.

Jurjevich

Chun

(2021) Effects of Differential Privacy Among Communities of Color Across Southern Arizona. Making Action Possible for Southern Arizona (MAP) White Paper #17. April 06, 2021, available at: https://mapazdashboard.arizona.edu/article/effects-differential-privacy-among-communities-color-across-southern-arizona (last accessed Jan 26, 2026).

31.

Kang

(2024) F.T.C. Bars Anonymous Messaging App From Serving Users Under Age 18. The New York Times, 9 July. Available at: https://www.nytimes.com/2024/07/09/technology/ngl-app-ftc-settlement.html (accessed 17 March 2025).

32.

Kaul

Mukherjee

(2024) Equitable differential privacy. Frontiers in Big Data 7: 1420344..

33.

Keegan

(2024) What Happens to Your Sensitive Data When a Data Broker Goes Bankrupt? The Markup, 23 February. Available at: https://themarkup.org/privacy/2024/02/23/what-happens-to-your-sensitive-data-when-a-data-broker-goes-bankrupt (accessed 7 May 2024).

34.

Khan

Pozen

(2019) A skeptical view of information fiduciaries. Harvard Law Review 133(2): 497–541.

35.

Koulu

(2016) Blockchains and online dispute resolution: Smart contracts as an alternative to enforcement. SCRIPTed 13: 40.

36.

Kraus Usa, Inc. v. Magarik (2020) 17-CV-6541 (ER).

37.

Leslie

(2005) Trusting trustees: Fiduciary duties and the limits of default rules. Georgetown Law Journal 94(1): 67–120.

38.

Levine

(2022) Suicide hotline shares data with for-profit spinoff, raising ethical questions. Available at: https://www.politico.com/news/2022/01/28/suicide-hotline-silicon-valley-privacy-debates-00002617 (accessed 14 March 2023).

39.

(2022) Algorithmic destruction. SMU Law Review 75(3): 479–506.

40.

Lee

(2026) Unjust enrichment as a remedy for AI's unauthorised use of protected data. Common Law World Review: 1–19. 10.1177/14737795251410287.

41.

McNealy

(2021) Hoarder, handler, bricoleur, spy: An explication of information distribution organisations. Journal of International and Comparative Law 8(2): 385–404.

42.

Modhvadia

Reid

(2024) Participatory and inclusive data stewardship: A landscape review. 13 December. Ada Lovelace Institute. Available at: https://www.adalovelaceinstitute.org/report/participatory-inclusive-data-stewardship/ (accessed 17 March 2025).

43.

Morrow

(2024) What happened to 23andMe? | CNN Business. Available at: https://www.cnn.com/2024/09/20/business/23andme-board-resigns-nightcap/index.html (accessed 4 October 2024).

44.

Mullin

(2024) 23andMe Is Sinking Fast. Can the Company Survive? Wired. Available at: https://www.wired.com/story/is-23andme-dead-at-home-genetic-testing-anne-wojcicki/ (accessed 4 October 2024).

45.

Native BioData Consortium (n.d.) The Native BioData Consortium. Available at: https://nativebio.org/ (accessed 17 March 2025).

46.

O’Neil

(2016) Weapons of Math Destruction: How Big Data Increases Inequality and Threatens Democracy. New York, NY: Crown.

47.

Penner

(2016) The Law of Trusts. Oxford, UK: Oxford University Press.

48.

Porcaro

(2022) The Real Harm of Crisis Text Line’s Data Sharing. Wired, 1 February. Available at: https://www.wired.com/story/consumer-protections-data-services-care/ (accessed 14 March 2023).

49.

Restatement (3d) Restitution and Unjust Enrichment (1998) Constructive Trust. St. Paul, MN: American Law Institute.

50.

Rinik

(2020) Data trusts: More data than trust? The perspective of the data subject in the face of a growing problem. International Review of Law, Computers & Technology 34(3): Routledge: 342–363.

51.

Sag

52.

Sanchez v. Los Angeles Department of Transportation, 39 F.4th 548 (9th Cir. 2022).

53.

Santos-Lozada

Howard

Verdery

(2020) How differential privacy will affect our understanding of health disparities in the United States. Proceedings of the National Academy of Sciences 117(24): 13405–13412.

54.

Scarcella

(2024) US states balk at unusual Clearview AI privacy settlement. Reuters, 13 December. Available at: https://www.reuters.com/legal/legalindustry/us-states-balk-unusual-clearview-ai-privacy-settlement-2024-12-13/ (accessed 10 March 2025).

55.

Scassa

Theresa

(2020) Designing Data Governance for Data Sharing: Lessons from Sidewalk Toronto. Technology and Regulation: 44–56. 10.71265/d7yvsg86.

56.

Scheindlin

Redgrave

(2008) Special masters and e-discovery: The intersection of two recent revisions to the federal rules of civil procedure. Cardozo L. Rev. 30: 347.

57.

Scholz

(2021) Private rights of action in privacy law. William & Mary Law Review 63(5): 1639–1694.

58.

Sheller

(2018) Mobility Justice: The Politics of Movement in an Age of Pandemics. New York, NY: Verso Books.

59.

State of California v. Levi Strauss & Co., 41 Cal. 3d 460 (1986).

60.

Statt

(2020) ACLU sues facial recognition firm Clearview AI, calling it a ‘nightmare scenario’ for privacy. The Verge, 28 May. Available at: https://www.theverge.com/2020/5/28/21273388/aclu-clearview-ai-lawsuit-facial-recognition-database-illinois-biometric-laws (accessed 30 August 2022).

61.

Stauss

Weber

(2022) How do the CPRA, CPA & VCDPA treat opt-out signals? Byte Back - Husch Blackwell, 9 March. Available at: https://www.bytebacklaw.com/2022/03/how-do-the-cpra-cpa-vcdpa-treat-opt-out-signals/ (accessed 17 March 2025).

62.

Uber Technologies, Inc. v. Los Angeles Department of Transportation, 551 F. Supp. 3d 991 (C.D. Cal. 2021).

63.

Tau

Haggin

(2023) WSJ News Exclusive | Antiabortion Group Used Cellphone Data to Target Ads to Planned Parenthood Visitors. Wall Street Journal, 18 May. Available at: https://www.wsj.com/articles/antiabortion-group-used-cellphone-data-to-target-ads-to-planned-parenthood-visitors-446c1212 (accessed 7 May 2024).

64.

Tau

Mollica

Haggin

, et al. (2023) How Ads on Your Phone Can Aid Government Surveillance. WSJ, 13 October. Available at: https://www.wsj.com/tech/cybersecurity/how-ads-on-your-phone-can-aid-government-surveillance-943bde04 (accessed 17 March 2025).

65.

The Regency NYC Inc. v. Atkinson (2024) 23-CV-5479 (JGLC).

66.

Thier

(2024) Every single member of the board just resigned from DNA tester 23andMe. Fortune, 18 September. Available at: https://fortune.com/2024/09/18/23andme-board-resigns-anne-wojcicki/ (accessed 4 October 2024).

67.

Tonsager

Kim

Remick

, et al. (2024) FTC Reaches Settlement with NGL Labs Over Children’s Privacy & AI. Available at: https://www.insideprivacy.com/uncategorized/ftc-reaches-settlement-with-ngl-labs-over-childrens-privacy-ai/ (accessed 17 March 2025).

68.

UK Information Commissioner’s Office (2024) Examples of processing ‘likely to result in high risk’. ICO. Available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/examples-of-processing-likely-to-result-in-high-risk/ (accessed 17 March 2025).

69.

USC Genetic Information Nondiscrimination Act. 42 USC § 2000ff.

70.

Viljoen

(2021) A relational theory of data governance. Yale Law Journal 131(2): 573–654.

71.

Washington

(2023) Ethical Data Science: Prediction in the Public Interest. New York, NY: Oxford University Press.

72.

West

(2019) Data capitalism: Redefining the logics of surveillance and privacy. Business & Society 58(1): SAGE Publications Inc: 20–41.

73.

Wood

Altman

Bembenek

O'Brien

, et al. (2018) Differential privacy: A primer for a non-technical audience. Vanderbilt Journal of Entertainment & Technology Law 21.

74.

Wyden

(2024) Letter to Lina Khan and Gary Gensler about Near. Available at: https://www.wyden.senate.gov/imo/media/doc/signed_near_letter_to_ftc_and_sec.pdf (accessed 7 May 2024).

75.

Wylie

(2020) In Toronto, Google’s Attempt to Privatize Government Fails—For Now. Boston Review, 13 May. Available at: https://www.bostonreview.net/articles/bianca-wylie-sidewalk-labs-toronto/ (accessed 17 March 2025).

76.

Zittrain

(2013) Engineering an election. Harvard Law Review Forum 127: 335–341.

77.

Zuboff

(2019) The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power. New York, NY: PublicAffairs.