Privacy Torts in the Era of Persistent Data

The American common law of privacy is, in its modern form, a creation of the late nineteenth and twentieth centuries — built upon the foundation laid by Warren and Brandeis¹ and consolidated in the four-tort taxonomy of the Restatement (Second) of Torts.² The doctrine was developed under epistemic conditions radically unlike our own. Information, once disclosed, was nevertheless apt to be forgotten; the practical inability to retrieve a decades-old newspaper item supplied a kind of de facto privacy that no statute had to declare. The torts of intrusion upon seclusion and public disclosure of private facts both took their shape against this background of natural forgetting.

Persistent data changes the empirical premise. A photograph posted in 2008 is, absent affirmative removal, available in 2026; an arrest record indexed by a search engine in 2012 surfaces atop the queries that an employer runs in 2026. The torts that the common law developed for a world that forgot must now operate in a world that, for all practical purposes, does not. The question for contemporary doctrine is whether the common-law privacy torts can be adapted to this new architecture, or whether the adaptation must come from legislation.

Intrusion upon seclusion in the persistent-data setting

The intrusion tort, as the Restatement frames it, requires an intentional intrusion upon the solitude or seclusion of another that would be highly offensive to a reasonable person. The classical applications involve physical invasion or surreptitious surveillance; the contemporary applications more often involve the aggregation of individually-public data points into a composite picture that the subject would not have anticipated. The doctrinal question is whether the aggregation itself constitutes an actionable intrusion, even where each constituent datum was lawfully gathered.

State courts have, with notable inconsistency, begun to recognize aggregation-based intrusion theories — particularly in the context of data-broker activity and persistent location tracking. The cases tend to turn on whether the defendant's collection method involved a recognizably intrusive technique (covert installation of tracking software, for example) rather than merely the synthesis of publicly available information. The doctrinal gap that this leaves — for aggregations assembled entirely from non-intrusive sources — will likely have to be filled by statute. Several state legislatures have done so, with varying degrees of coherence; the absence of a federal baseline continues to produce a patchwork.

Public disclosure of private facts: the temporal problem

The disclosure tort raises a different set of problems, most of them temporal. The classic precedents — Sidis v. F-R Publishing Corp.³ and Briscoe v. Reader's Digest Association⁴ — wrestled with the republication of facts that had once been public but had faded from public knowledge with the passage of time. The Briscoe court permitted recovery on the theory that the plaintiff, an ex-convict who had rehabilitated himself, had reacquired a privacy interest in his own past; Sidis, by contrast, denied recovery to a former child prodigy whose later obscure life was the subject of a profile, on the view that public-figure status, once acquired, persists.

The common-law privacy torts were developed against the background of natural forgetting. Persistent data eliminates the background.

The First Amendment imposes a substantial constraint on the disclosure tort, particularly after Florida Star v. B.J.F.,⁵ which held that the truthful publication of lawfully obtained information about a matter of public significance may not be punished absent a state interest of the highest order. The breadth of Florida Star's holding has been debated, but its practical effect has been to narrow the disclosure tort's reach in cases involving information that the defendant lawfully obtained from public records. Persistent indexing of those records — by search engines, data brokers, and aggregators — has accordingly produced a result that the common law did not anticipate: facts that the law treats as public become, for First Amendment purposes, immune from privacy-based suppression, even decades after the original public-records event.

European contrast and the limits of import

The European "right to be forgotten," developed under the GDPR and the Court of Justice's decisions in Google Spain and its progeny, takes a structurally different approach: it conceives privacy as a positive right that can override the public's interest in continued access to information, subject to a public-interest balancing test. The American constitutional tradition is unlikely to embrace this framework directly. The First Amendment's treatment of truthful speech about matters of public concern as presumptively protected leaves limited room for a delisting regime of European scope. What may be possible — and what several state legislatures have begun to attempt — is a narrower right of correction or contextualization, particularly for criminal records that have been sealed or expunged under state law.

Toward a coherent doctrine

The path forward, in our view, lies not in the abandonment of the common-law torts but in their disciplined extension to the data-persistence setting. The intrusion tort can be adapted to recognize aggregation-based harms where the defendant's collection methods are themselves problematic; the disclosure tort can preserve its core function — protecting the rehabilitated, the involuntarily exposed, and the marginally newsworthy — without running afoul of Florida Star. Legislation will be required to fill the gaps that the common law cannot reach, particularly in the data-broker setting. For related discussion, see our commentary on geofence warrants and the Fourth Amendment and on government transparency in the era of mass records requests.