Until recently, “privacy” jurisprudence was limited to a manageable number of discrete topics. In the civil context, “privacy law” referred to the four common law privacy torts: intrusion on seclusion, public disclosure of private facts, false light publicity, and misappropriation of publicity rights. In the criminal context, privacy law referred to the “reasonable expectation of privacy” standard that constrains the government’s search powers under the Fourth Amendment or to the infamous First Amendment “penumbra” of privacy first recognized in Griswold v. Connecticut. In each of these contexts (except misappropriation of publicity rights), the legal analysis turns on the expectations or reactions of a hypothetical “reasonable person” — in the tort context, whether a reasonable person would be offended; in the Constitutional context, whether a reasonable person would have an expectation of privacy in the circumstances at hand. Indeed, the reasonable person standard is so pervasive in pre-Internet privacy jurisprudence that its extirpation would leave the entire area of law largely devoid of a conceptual framework.

In recent years, as “privacy law” has come to refer primarily to the set of laws and regulations governing the collection and use of consumer data, the reasonable person has been marginalized and explicit consent has become the expected norm. The Obama Administration’s 2012 framework for privacy policy, Consumer Data Privacy in a Networked World (the Framework), reflects this evolution; its seven-point “Consumer Privacy Bill of Rights” emphasizes transparency and consumer control, rather than reasonable expectations. As a practical matter, this approach removes the limits that the “reasonable person standard” would otherwise apply — the question is no longer whether a practice is consistent with our societal values and expectations, but whether it was disclosed in the fine print. Similarly, by focusing on data collected from consumers rather than information about consumers, the Framework avoids a broader discussion of the implications of the exponentially increasing flood of consumer data being gathered and stored. More recently, the National Institute of Standards and Technology (NIST) publication “Security and Privacy Controls for Federal Information Systems and Organizations,” also known as NIST Special Publication 800-53, includes a detailed appendix dedicated to privacy controls — none of which mentions consumer expectations (other than those created by the recommended disclosures).

For companies that collect, analyze, use and store consumer data, the move away from the reasonable person standard is, on balance, a good thing. As it currently stands, the standards promulgated by the White House and NIST lack any enforcement mechanism, and, due to both the complexity of the issues and the gridlock in Congress, this doesn’t seem likely to change any time soon. When (and if) the political landscape changes enough to allow the passage of comprehensive consumer data privacy legislation, the framework being advanced by the Obama Administration assumes the existence of informed consumers who can (and will) read and understand privacy disclosures. Unhappy consumers will (presumably) not be able to successfully claim, for example, that no reasonable person would expect an online retailer to sell its users’ personal or financial data to an international crime syndicate. Rather, they will need to establish that such a transaction was not disclosed by the vendor, or agreed to by them. This, in turn, will require deciphering the language of the offending vendor’s privacy policy, which may describe in neutral general terms conduct that would be obviously undesirable if described specifically.

Consumers are likely to throw up their hands in confusion, much as they do now. As the Internet of Things becomes a reality — with all of those smart appliances and devices gathering consumer data and transmitting it over the Internet — it seems wildly unlikely that consumers will have either the time or the inclination to parse the scores of privacy disclosures they are likely to encounter on a given day. The burden of reading and understanding the disclosures from all smart devices one encounters in a day would be so overwhelming as to leave no time for anything else.

Because I view the framework advanced by the administration as ultimately unworkable (more on this in future columns), I anticipate that at some point in the future the pendulum will swing back, and the reasonable person will again set the standard for acceptable data practices.