1. Common law. On the one hand, we could apply traditional common law doctrines like fraudulent misrepresentation and breach of contract. The common law approach generally consists of “simple rules,” to borrow Richard Epstein’s term, but for better or worse, the common law can get messy, since these rules are developed piecemeal and “bottom-up,” as judges decide individual controversies on a case-by-case basis. For my part, I develop a common law approach to data fraud in my 2017 paper “Legal Liability for Data Fraud” (available here).
2. Regulation. On the other hand, we could apply a regulatory framework or a rational “top-down” approach to this problem, such as mandatory disclosure rules, flat-out prohibition, or some form of Pigovian taxes. By way of example, our colleague Omri Ben-Shahar (pictured below), a law professor at the University of Chicago, who argues for a regulatory approach, compares harmful “data emissions” to environmental pollution. (Check out his fascinating paper here.) Such an approach has the advantage of promoting uniformity but is always open to the risk of regulatory capture and the law of unintended consequences. In short, since neither the common law or regulatory approach is perfect, the real question is, which approach is “less bad”?