Block Center Tech Policy Forum: Privacy Regulation Strategies for 2026

kirsten martin tech policy forum
laura tech policy forum
alessandro tech policy forum
jonathan tech policy forum
karl tech policy forum
paul alessandro tech policy forum
panel tech policy forum
lorrie tech policy forum
panel tech policy forum
julie tech policy forum
discussion tech policy forum

Key Findings, Policy Recommendations, and Additional Resources

The Block Center for Technology and Society brought together an interdisciplinary group of experts to discuss privacy regulation strategies amidst a fast-evolving data ecosystem. Overall, the discussions underscore a fundamental shift in how privacy must be understood and governed.

Two core sentiments emerged: 1) the current regulatory paradigm fails to meaningfully protect individuals in a data-driven economy, and 2) emerging AI systems are accelerating and amplifying existing risks, making incremental reform insufficient. The discussions highlighted the need for a framework that places responsibility on institutions rather than individuals, establishes clear substantive protections that can not be waived, and anticipates the transformative impact of AI 鈥 as well as stressed how imperative it is that action be taken quickly before existing failures are further entrenched.

There were several key findings and actionable recommendations that emerged that can guide a more effective, future-oriented privacy regulatory framework.听

1. Privacy is a policy choice, not a technological inevitability
The current state of online privacy reflects deliberate design and business model decisions rather than unavoidable trade-offs. Alternative models exist but lack legal and economic incentives to scale.听

2. The notice-and-consent framework is fundamentally broken
Users do not read or understand privacy policies and are routinely nudged toward agreement through manipulative design. Consent, as currently operationalized, functions as a legal fiction rather than meaningful authorization.听

3. Privacy harms are real but systematically undercounted
While economic impacts of regulation are well-studied, the harms of unregulated data practices鈥攕uch as behavioral manipulation, loss of autonomy, and sensitive inference鈥攔emain insufficiently measured and undervalued in policymaking.听

4. Responsibility has been misplaced onto individuals
Consumers are expected to manage their own privacy in a system designed to overwhelm and outmaneuver them. This 鈥渞esponsibilization鈥 creates an unwinnable asymmetry between individuals and data-driven firms.听

5. AI intensifies existing privacy risks听
Agentic AI systems will exponentially expand data collection, inference, and decision-making. Existing frameworks are not equipped to handle a world where machines act autonomously on behalf of users.

Key recommendations to addressing the failings of the existing system and to build a more effective framework include:

Place responsibility on institutions rather than individuals听

  • Shift away from reliance on user consent as the primary legal basis for data use. Implement enforceable accountability standards regardless of user agreement.听
  • Define certain entities, particularly large platforms and AI developers, as 鈥渋nformation fiduciaries鈥 with legal obligations to act in users鈥 best interests.听

Move toward substantive protections rather than procedural safeguards听

  • Create data minimization requirements, restrictions on secondary use of data, and clear limits on sensitive data collection and inference.听

Create regulations that help prevent harm before it happens听

  • Expand the definition and measurement of harm to include non-economic harms, including psychological and behavioral manipulation, loss of autonomy and dignity, and discriminatory or biased inference.听
  • Explicitly prohibit interface designs that manipulate user decision-making.听
  • Create standardized metrics to better assess and cohesively regulate these harms.听

Create AI-specific privacy guardrails now听

  • Require impact assessments for AI systems that rely on personal data, limit autonomous data decision-making without user oversight, mandate transparency in AI-driven data processing and inference.

Throughout the day, our panelists called attention to policy and academic research that informed and inspired their conversations. The reading list below brings together the foundational scholarship and contemporary policy work referenced across all four panels.

Panel 1:
  • Acquisti, A., Brandimarte, L., & Loewenstein, G. (2015). Privacy and human behavior in the age of information. Science, 347(6221), 509鈥514.
  • Brandimarte, L., Acquisti, A., & Loewenstein, G. (2013). Misplaced confidences: Privacy and the control paradox. Social Psychological and Personality Science, 4(3), 340鈥347.
  • Data & Society. (2018). Weaponizing the digital influence machine: The political perils of online ad tech.
  • Electronic Privacy Information Center. (2024). The state of privacy: How state "privacy" laws fail to protect privacy and what they can do better.
  • Georgetown Law Tech Institute. (n.d.). Redesigning the governance stack project.
  • McDonald, A. M., & Cranor, L. F. (2009). The cost of reading privacy policies. I/S: A Journal of Law and Policy for the Information Society, 4, 543鈥568.
  • Ronan, L. (1979). Seat belts: 1949鈥1956. U.S. Department of Transportation.
  • Shilton, K. (2009). Four billion little brothers? Privacy, mobile phones, and ubiquitous data collection. Communications of the ACM, 52(11), 48鈥53.

Panel 2

  • Balebako, R., Leon, P. G., Shay, R., Ur, B., & Wang, Y. (2012). Measuring the effectiveness of privacy tools for limiting behavioral advertising.
  • Chicago Booth Stigler Center. (2019). Stigler Committee on Digital Platforms final report.
  • Habib, H., Pearman, S., Wang, J., Zou, Y., Acquisti, A., Cranor, L. F., Sadeh, N., & Schaub, F. (2020). "It's a scavenger hunt": Usability of websites' opt-out and data deletion choices. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (CHI '20, Article 132). ACM.
  • Kugler, M. B., Strahilevitz, L., Chetty, M., Mahapatra, C., & Ulloa, Y. (2025). Can consumers protect themselves against privacy dark patterns? University of New Hampshire Law Review, 23, 243.
  • Luguri, J., & Strahilevitz, L. J. (2021). Shining a light on dark patterns. Journal of Legal Analysis, 13(1), 43鈥109.
  • Tran, V. H., Lee, L., Kumar, M., Zhang, Y., Xian, L., & Schaub, F. (2025). Layered, overlapping, and inconsistent: A large-scale analysis of the multiple privacy policies and controls of U.S. banks. In Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security (CCS '25, pp. 3177鈥3191). ACM.
  • Tran, V. H., Mehrotra, A., Chetty, M., Feamster, N., Frankenreiter, J., & Strahilevitz, L. (2024). Measuring compliance with the California Consumer Privacy Act over space and time. In Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems (CHI '24, Article 785). ACM.
  • Warren Center for Network and Data Sciences. (n.d.-a). The effect of ad-blocking and anti-tracking on consumer behavior. University of Pennsylvania.
  • Warren Center for Network and Data Sciences. (n.d.-b). A field experiment to study the effect of ad-blocking and anti-tracking on consumer behavior. University of Pennsylvania.

Panel 3

  • Citron, D. K., & Solove, D. J. (2022). Privacy harms. Boston University Law Review, 102, 793鈥868.

Panel 4

  • Acquisti, A., Adjerid, I., Balebako, R., Brandimarte, L., Cranor, L. F., Komanduri, S., Leon, P. G., Sadeh, N., Schaub, F., Sleeper, M., Wang, Y., & Wilson, S. (2017). Nudges for privacy and security: Understanding and assisting users' choices online. ACM Computing Surveys, 50(3), Article 44.
  • Acquisti, A., Brandimarte, L., & Loewenstein, G. (2020). Secrets and likes: The drive for privacy and the difficulty of achieving it in the digital age. Journal of Consumer Psychology, 30(4), 736鈥758.
  • Emami-Naeini, P., Dheenadhayalan, J., Agarwal, Y., & Cranor, L. F. (2022). An informative security and privacy "nutrition" label for Internet of Things devices. IEEE Security & Privacy, 20(2), 31鈥39.
  • Ohm, P. (2025). Toward compliance zero: AI and the vanishing costs of regulatory compliance. In A. Kuenzler, T. Schrepel, & V. Stocker (Eds.), The law & technology & economics of AI. Network Law Review.
  • Roemmich, K., Martin, K., & Schaub, F. (in press). CA鈥揅I: Integrating contextual integrity and the capabilities approach for dignity considerations in AI governance. IEEE Security & Privacy.
  • Uszkoreit, J. (2017, August 31). Transformer: A novel neural network architecture for language understanding. Google Research Blog.
  • Zuckerman, E. (2022). The good web. Stanford Social Innovation Review.

Block Center Tech Policy Forum Recordings

Missed the live discussion or want to revisit key moments? Watch recordings from the Block Center Tech Policy Forum, featuring thought-provoking conversations with leaders at the forefront of privacy, regulation, and policy. Find all of the recorded panels on our .听

Panels & Speakers

Welcome: Kirsten Martin, H. John Heinz III Dean of the Heinz College of Information Systems and Public Policy at 黑料正能量 (黑料正能量)

Panel 1: What Is Privacy Online and Why Is It So Unregulated?听听

  • This panel examines the current fragmentation of the U.S. privacy landscape, assessing which regulatory and institutional approaches have proven effective, where significant gaps remain amid emerging technologies, and which actors are best positioned to advance meaningful privacy protections.
  • Panelists:
    • Alessandro Acquisti (Massachusetts Institute of Technology); Julie Cohen (Georgetown University); Lorrie Cranor (黑料正能量),听听
  • Moderator:听听
    • Kirsten Martin, H. John Heinz III Dean of the Heinz College of Information Systems and Public Policy at 黑料正能量 (黑料正能量)

Panel 2: Why Doesn鈥檛 鈥楥onsent鈥 Work?听听

  • This panel explores the limits of consent-based privacy frameworks, how authorized and unauthorized data use should be defined in practice, and how researchers and the public can better elevate these challenges for policymakers.
  • Panelists:
    • Antonio Rangel (California Institute of Technology); Florian Schaub (University of Michigan); Lior Jacob Strahilevitz (University of Chicago Law)听
  • Moderator:听
    • Kirsten Martin, H. John Heinz III Dean of the Heinz College of Information Systems and Public Policy at 黑料正能量 (黑料正能量)

Panel 3: How to Identify and Measure Privacy Violations.听听

  • This panel addresses the technical and policy challenges of determining when data can be considered identifiable, and how to assess whether data is being shared or used in ways that violate reasonable privacy expectations.
  • Panelists:
    • Serge Egelman (University of California, Berkeley); Christo WIlson (Northeastern University). Norman Sadeh (黑料正能量)
  • Moderator:听
    • Cesca Antonelli, Editor-in-Chief, Bloomberg Industry Group

Panel 4: Privacy Harms and Firm Responsibility.听听

  • This panel brings together experts to examine how privacy harms arise in practice and to reconsider the responsibilities of firms in preventing, mitigating, and being held accountable for those harms.
  • Panelists:听
    • Laura Brandimarte (University of Arizona); Jonathan Kanter (黑料正能量); Paul Ohm (Georgetown University).听听
  • Moderator:听
    • Kirsten Martin, H. John Heinz III Dean of the Heinz College of Information Systems and Public Policy at 黑料正能量 (黑料正能量)

alessandro

Alessandro Acquisti

Massachusetts Institute of Technology

laura brandimarte

Laura Brandimarte

University of Arizona

julie cohen

Julie Cohen

Georgetown University

lorrie

Lorrie Cranor

黑料正能量听

serge

Serge Egelman

University of California, Berkeley

johnathan kanter

Jonathan Kanter

黑料正能量

kirsten martin

Kirsten Martin听

黑料正能量

paul ohm

Paul Ohm

Georgetown University

antonio rangel

Antonio Rangel

California Institute of Technology

norman sadeh

Norman Sadeh

黑料正能量

florian

Florian Schaub

University of Michigan

lior strahilevitz

Lior Jacob Strahilevitz

University of Chicago Law

christo

Christo Wilson

Northeastern University