Privacy and digital media

Deepfakes — False digital depictions — can harm a person’s privacy and reputation,  and also pose a risk to broader society.  While some may be  harmless, others may involve substitution or undermining identities in criminal cases, pornographic videos, election interference, foreign social influence campaigns, or identity theft in corporate fraud. This was identified as a problem as early as 2021, in a Private Industry Notification by the FBI, and, strangely, has become a problem with the Trump administration.

An AI-faked photo of Minnesota protester Nekima Levy Armstrong  was published by White House staff Jan. 22, 2026, showing Ms. Armstrong during her arrest as “hysterical — tears streaming down her face, her hair disheveled, appearing to cry out in despair (and)  “ARRESTED” was emblazoned across the photo, along with a misleading description of Ms. Levy Armstrong as a “far-left agitator” who was “orchestrating church riots in Minnesota.”

A July, 2025, deepfake video  of US Senator Amy Klobuchar (D-Minn) raised hackles on both sides of the aisle. The video was an absurd critique of an ad campaign for jeans featuring Sydney Sweeney that depicted Klobuchar using the phrase “perfect titties” and lamenting that Democrats were “too fat to wear jeans or too ugly to go outside.”  Klobochar said: “There was no getting around the fact that it looked and sounded very real.”   Tik-tok took it down and Meta labelled it, but X (Twitter) refused to take it down or even label it as manipulative or deceptive, contrary to its user policies, Klobuchar said.

In April of 2025, Klobuchar, Ted Cruz (R-Tx) and others introduced a “No Fakes Act” designed to “protect Americans’ voice and likeness and combat the proliferation of AI deepfakes.”  The bill would:

  • Create a property right in a person’s AI-generated digital replica;
  • Hold individuals or companies liable if they produce an unauthorized digital replica of an individual;
  • Establish a notice-and-takedown process so victims of unauthorized deepfakes have an avenue to get online platforms to take down the deepfake;
  • Exclude certain digital replicas from coverage based on recognized First Amendment protections;
  • Largely preempt State laws addressing digital replicas to create a workable national standard.

Critics say the bill is overly broad and does not protect legitimate speech such as parody and satire. A better approach would be to give people targeted tools to protect against harmful misrepresentations, and not create a new federal copyright system. 

——–

Surveillance

Is your computer or smartphone listening to your private conversations?  Do you have a right to correct or remove private information on the internet or social media? These are some of the privacy questions that have emerged with new digital media.

Smartphone spying – Google settled a lawsuit for $68 million on Jan. 26, 2026, after a group of users alleged it was illegally recording  private conversations in order to target advertising. Google Assistant is supposed to react only when people use “hot words” such as “Hey Google” or “OK Google.” But some users have found that Google has misperceived  these hot words. Google calls these “false accepts.”   Apple came to  a similar $95 million settlement in 2025. So yes, your phone is listening in on your private conversations, and Big Tech is hoping to contain the damage.    

Social media and AI surveillance 

In the runup to the 2016 presidential election, the British political consulting company Cambridge Analytica unlawfully obtained Facebook profiles and political information about 87 million Americans.  Facebook (Meta) had to pay large fines for the data leak and Cambridge Analytica went bankrupt. Nevertheless, the outcome of the presidential election and the Brexit vote in Britain may have been altered.

The threat to democracies through social media manipulation is serious according to studies by researchers at Oxford, Georgetown University, and  the National Institutes of Health.

Increased concerns about surveillance also emerged around AI when:

  • A  federal judge ruled in February 2026 that a man’s conversations with Anthropic’s Claude chatbot were not private.
  • Amazon aired a Superbowl 2026 ad for Ring doorbell cameras that provoked widespread outrage  when it showed how artificial intelligence could be used to find lost dogs without thinking that it could be used to monitor neighborhoods.   
  • OpenAI, the company behind ChatGPT, was aware of a British Columbia woman’s interactions with the chatbot and considered reporting her to the authorities months before she committed a mass shooting.

This is an ongoing issue.  Almost any information sent to a server can be  accessed  by employees, government agencies or criminals.  The concern is that A.I. encourages people to share much more personal information than before.  

State privacy protection in Virginia and California  

California and Virginia have taken the lead on digital privacy, but the US laws far far short of the EU’s Digital Services Act.

California’s Privacy Rights Act (CPRA)  provides a private right to bring lawsuits (right of action) against creators of nonconsensual deepfake pornography and  outlaws manipulated video of politicians within 60 days of an election.

The CPRA also expands on the protections provided by an earlier version of the  CCPA and was approved by California voters under Proposition 24 in the November 2020 election.

The  Virginia Consumer Data Privacy Act,    (VCDPA) passed in 2021,  has provisions like Europe’s GDPR and the CPRA.

Under the new laws, California and Virginia residents are protected from inaccurate data storage and collection:

  • “Sensitive personal information” such as social security number, driver license number, and financial account number, also racial or ethnic origin, religious beliefs, union membership, the contents of a consumer’s email and text messages (unless the business is an intended recipient), genetic and sexual orientation.
  • New rights for consumers: Consumers will have the right to request limitations on the use and disclosure of that information and to ask businesses to correct inaccurate personal information maintained by a business.
  • Enhanced protections for children’s data. The CPRA triples fines for collecting and selling information of minors under 16 years of age.
  • Adds data retention requirement. Prohibits businesses’ retention of personal information or sensitive personal information for longer than reasonably necessary for the disclosed purpose for which the information was collected.
  • Adds a specific data security requirement. Prior to the CPRA, the CCPA did not expressly require businesses to maintain reasonable safeguards to protect personal information, although it added a private right of action for data breaches cause by a failure to maintain reasonable safeguards. The CPRA expressly requires businesses to implement reasonable security procedures and practices to protect personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Cal. Civ. Code 1798.81.5.
  • Data Protection Assessments.The VCDPA imposes a new requirement for controllers: data protection assessment obligations (as mentioned above regarding sensitive data). Controllers must conduct data protection assessments for specific processing activities involving personal data. These activities include targeted advertising, sale of personal data, profiling, sensitive data, and data that presents a heightened risk of harm to consumers.

Data privacy in the EU

The European Union began enacting digital data privacy regulations in the 1990s and finalized a systematic legal approach in March 2014 with the  General Date Protection Regulation.

Three other sweeping regulations were enacted in the 2023-2024 period: The the Digital Services Act, the  Digital Markets Act,  and the Artificial Intelligence Act.

GDPR: The GDPR’s primary aim, which is to enhance individuals’ control and rights over their personal data and to simplify the regulatory environment for international business.  The GDPR also establishes lawful ways to collect information and provides data protection and security guidelines, as well as an individual right of informed consent, access and correction.

The EU General Data Protection Regulation (GDPR) governs how personal data of individuals in the EU may be processed and transferred. It went into effect on May 25, 2018.   It’s a comprehensive privacy policy  that applies across all business sectors and to companies of all sizes, including any operating but not based in the EU.

The GDPR requires that:

  • Digital media companies ask users for consent to be tracked online
  • Users have the right to access and correct information about them
  • Users may erase links to information about them under most circumstances
  • Digital media companies keep records of their interactions with users.

EU’s new digital sovereignty: 

The EU is determined to chart its own course despite vehement objections by American-based technology companies and the Trump administration. For context, recall that Europeans have a long history in this area.  The Nazi regime used personal data  and IBM computers to target Jewish people in the 1930s, with horrific results. The East  German communist secret police — the Stasi — kept track of everyone from the end of World War II until 1989. When the Berlin Wall fell, inaccurate Stasi data created an enormous amount of conflict.

For the past 80 years, hate speech laws have forbidden a lot of what is permitted in the  US under the marketplace of ideas and counterspeech doctrine.  Even so, it is vital to understand that regulating technology and privacy is not the same as censorship or suppression of political speech.

 The Digital Services Act —  The 2024 law introduces rules for online services used by European citizens in their everyday life such as marketplaces, social media networks, app stores, and online travel and accommodation platforms. The EU says the main goal of the DSA is to create a digital space that respects citizens and consumers’ fundamental rights.

The Digital Markets Act — Applies to large digital platforms that provide  core platform services, for example online search engines, app stores, and messenger services.  The DMA is one of the first regulatory tools to comprehensively regulate the gatekeeper power of the largest digital companies. The DMA complements, but does not change EU competition rules, which continue to apply fully. 

The Artificial Intelligence Act regulates by through three risk categories. First, there are those that create an unacceptable risk, such as government-run social scoring of the type used in China. These are banned. Second, high-risk applications, such as a CV-scanning tool that ranks job applicants, are subject to specific legal requirements. Lastly, applications not explicitly banned or listed as high-risk are largely left unregulated.

Enforcing the GDPR and DSA:

Right to be forgotten 

In 1915, Gabrielle Darley killed a New Orleans man. She was tried, acquitted of murder and within a few years was living a new life under her married name, Melvin. Then a blockbuster movie, “The Red Kimono,” splashed her sensational story across America’s silver screens. Melvin sued for that invasion of privacy and won her case, and court’s decision is often remembered in the “Right to be Forgotten” debate today.

The right to be forgotten is the right to have private information removed from Internet searches.  The legal concept is applied differently in Europe and in the US.  

As noted in this March, 2021 essay, the right to be forgotten dovetails with ethical concepts about criminal justice, victims and rehabilitation.

Under the US First Amendment, transparency, the right of free speech and the “right to know” are typically favored over removing or increasing the difficulty to access truthfully published information regarding individuals and corporations.

One US exception is the way some states have made it illegal to extort individuals for removal of public information, such as police photos of criminal offenders. Prior to 2015 in Virginia, for example, “mug shot” publications on the web would charge up to $3,000 to remove photos and true criminal incident information. Afterward, a state law prohibited that kind of activity.  Nationally, a legal push on behalf of people who made minor mistakes and then face major harm to their reputation is underway, called the Clean Slate Campaign.

One newspaper’s approach to the issue is the “Boston Globe’s” fresh start campaign, which attempts to “unpublish” articles that are unfair or reflect racial injustice.

European RTBF 

One part of the GDPR involves the rehabilitation of minor criminal offenders, and it  was upheld in the European Court of Justice case  Google v Costeja – Gonzlez, in 2014.

That case began in 1998 when a Spanish newspaper published an announcement about a property that Costeja-Gonzales had to sell to satisfy a debt. By 2009, the old article about the 1998 forced sale was still affecting his business, so he sued Google Spain to have the information de-linked.  The courts agreed and the case set a precedent.

Note that the newspaper article is still there, and the court decision about the 1998  forced sale is still on record. Only the Google link has been changed.  In these “Right to be Forgotten” cases, individuals  request de-linking of  outdated minor information.   Since 2014, Google has de-linked about four million sites. 

 

Further reading

Senate Judiciary Committee hearings: 

General news articles