Skip to main content

Utility

  • Current Students
  • Faculty & Staff
  • Alumni
  • Office Directory

Actions Menu

  • Visit
  • Give
Block Center for Technology and Society

Main navigation

  • Our Work

    • Block Tech Policy Forums
    • Block Seed Fund Awards
    • Academic Conferences
    • Research Talks with Block
    Hamburg Hall
    At the Block Center for Technology and Society, we bridge cutting-edge research with actionable policy to address some of today’s most pressing societal challenges.

    Our work brings together Carnegie Mellon University faculty and partners across disciplines to generate insights that shape the future of work, guide the responsible use of technology, and inform evidence-based policymaking. Explore our publications, seed-funded projects, and opportunities to engage with research that drives impact.

  • News & Events
  • For Students

    • David Lingren Policy Fellowship
    • Research Talks with Block
    students at work
    Interested in being a Research Assistant?

    Join our resume pool for students interested in research positions at CMU!

  • Our People
  • About the Block Center

Utility

  • Current Students
  • Faculty & Staff
  • Alumni
  • Office Directory

Actions Menu

  • Visit
  • Give

What can we help you find?

Block Center Tech Policy Forum: Privacy Regulation Strategies for 2026

Block Center / News and Events / Block Center Tech Policy Forum: Privacy Regulation Strategies For 2026
kirsten martin tech policy forum
laura tech policy forum
alessandro tech policy forum
jonathan tech policy forum
karl tech policy forum
paul alessandro tech policy forum
panel tech policy forum
lorrie tech policy forum
panel tech policy forum
julie tech policy forum
discussion tech policy forum

Key Findings, Policy Recommendations, and Additional Resources

The Block Center for Technology and Society brought together an interdisciplinary group of experts to discuss privacy regulation strategies amidst a fast-evolving data ecosystem. Overall, the discussions underscore a fundamental shift in how privacy must be understood and governed.

Two core sentiments emerged: 1) the current regulatory paradigm fails to meaningfully protect individuals in a data-driven economy, and 2) emerging AI systems are accelerating and amplifying existing risks, making incremental reform insufficient. The discussions highlighted the need for a framework that places responsibility on institutions rather than individuals, establishes clear substantive protections that can not be waived, and anticipates the transformative impact of AI – as well as stressed how imperative it is that action be taken quickly before existing failures are further entrenched.

There were several key findings and actionable recommendations that emerged that can guide a more effective, future-oriented privacy regulatory framework. 

1. Privacy is a policy choice, not a technological inevitability 
The current state of online privacy reflects deliberate design and business model decisions rather than unavoidable trade-offs. Alternative models exist but lack legal and economic incentives to scale. 

2. The notice-and-consent framework is fundamentally broken 
Users do not read or understand privacy policies and are routinely nudged toward agreement through manipulative design. Consent, as currently operationalized, functions as a legal fiction rather than meaningful authorization. 

3. Privacy harms are real but systematically undercounted 
While economic impacts of regulation are well-studied, the harms of unregulated data practices—such as behavioral manipulation, loss of autonomy, and sensitive inference—remain insufficiently measured and undervalued in policymaking. 

4. Responsibility has been misplaced onto individuals 
Consumers are expected to manage their own privacy in a system designed to overwhelm and outmaneuver them. This “responsibilization” creates an unwinnable asymmetry between individuals and data-driven firms. 

5. AI intensifies existing privacy risks 
Agentic AI systems will exponentially expand data collection, inference, and decision-making. Existing frameworks are not equipped to handle a world where machines act autonomously on behalf of users.

Key recommendations to addressing the failings of the existing system and to build a more effective framework include:

Place responsibility on institutions rather than individuals 

  • Shift away from reliance on user consent as the primary legal basis for data use. Implement enforceable accountability standards regardless of user agreement. 
  • Define certain entities, particularly large platforms and AI developers, as “information fiduciaries” with legal obligations to act in users’ best interests. 

Move toward substantive protections rather than procedural safeguards 

  • Create data minimization requirements, restrictions on secondary use of data, and clear limits on sensitive data collection and inference. 

Create regulations that help prevent harm before it happens 

  • Expand the definition and measurement of harm to include non-economic harms, including psychological and behavioral manipulation, loss of autonomy and dignity, and discriminatory or biased inference. 
  • Explicitly prohibit interface designs that manipulate user decision-making. 
  • Create standardized metrics to better assess and cohesively regulate these harms. 

Create AI-specific privacy guardrails now 

  • Require impact assessments for AI systems that rely on personal data, limit autonomous data decision-making without user oversight, mandate transparency in AI-driven data processing and inference.

Throughout the day, our panelists called attention to policy and academic research that informed and inspired their conversations. The reading list below brings together the foundational scholarship and contemporary policy work referenced across all four panels.

Panel 1:
  • Acquisti, A., Brandimarte, L., & Loewenstein, G. (2015). Privacy and human behavior in the age of information. Science, 347(6221), 509–514. https://doi.org/10.1126/science.aaa1465
  • Brandimarte, L., Acquisti, A., & Loewenstein, G. (2013). Misplaced confidences: Privacy and the control paradox. Social Psychological and Personality Science, 4(3), 340–347. https://doi.org/10.1177/1948550612455931
  • Data & Society. (2018). Weaponizing the digital influence machine: The political perils of online ad tech. https://datasociety.net/library/weaponizing-the-digital-influence-machine/
  • Electronic Privacy Information Center. (2024). The state of privacy: How state "privacy" laws fail to protect privacy and what they can do better. https://epic.org/documents/the-state-of-privacy-report/
  • Georgetown Law Tech Institute. (n.d.). Redesigning the governance stack project. https://www.law.georgetown.edu/tech-institute/programs-and-initiatives/redesigning-the-governance-stack-project/
  • McDonald, A. M., & Cranor, L. F. (2009). The cost of reading privacy policies. I/S: A Journal of Law and Policy for the Information Society, 4, 543–568. https://lorrie.cranor.org/pubs/readingPolicyCost-authorDraft.pdf
  • Ronan, L. (1979). Seat belts: 1949–1956. U.S. Department of Transportation. https://rosap.ntl.bts.gov/view/dot/11828
  • Shilton, K. (2009). Four billion little brothers? Privacy, mobile phones, and ubiquitous data collection. Communications of the ACM, 52(11), 48–53. https://cacm.acm.org/practice/four-billion-little-brothers/

Panel 2

  • Balebako, R., Leon, P. G., Shay, R., Ur, B., & Wang, Y. (2012). Measuring the effectiveness of privacy tools for limiting behavioral advertising. https://lorrie.cranor.org/pubs/EffectivenessBA.pdf
  • Chicago Booth Stigler Center. (2019). Stigler Committee on Digital Platforms final report. https://publicknowledge.org/wp-content/uploads/2021/11/Stigler-Committee-on-Digital-Platforms-Final-Report.pdf
  • Habib, H., Pearman, S., Wang, J., Zou, Y., Acquisti, A., Cranor, L. F., Sadeh, N., & Schaub, F. (2020). "It's a scavenger hunt": Usability of websites' opt-out and data deletion choices. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (CHI '20, Article 132). ACM. https://doi.org/10.1145/3313831.3376511
  • Kugler, M. B., Strahilevitz, L., Chetty, M., Mahapatra, C., & Ulloa, Y. (2025). Can consumers protect themselves against privacy dark patterns? University of New Hampshire Law Review, 23, 243. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5084827
  • Luguri, J., & Strahilevitz, L. J. (2021). Shining a light on dark patterns. Journal of Legal Analysis, 13(1), 43–109. https://doi.org/10.1093/jla/laaa006
  • Tran, V. H., Lee, L., Kumar, M., Zhang, Y., Xian, L., & Schaub, F. (2025). Layered, overlapping, and inconsistent: A large-scale analysis of the multiple privacy policies and controls of U.S. banks. In Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security (CCS '25, pp. 3177–3191). ACM. https://doi.org/10.1145/3719027.3765072
  • Tran, V. H., Mehrotra, A., Chetty, M., Feamster, N., Frankenreiter, J., & Strahilevitz, L. (2024). Measuring compliance with the California Consumer Privacy Act over space and time. In Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems (CHI '24, Article 785). ACM. https://doi.org/10.1145/3613904.3642258
  • Warren Center for Network and Data Sciences. (n.d.-a). The effect of ad-blocking and anti-tracking on consumer behavior. University of Pennsylvania. https://www.law.upenn.edu/live/files/11653-the-effect-of-ad-blocking-and-anti-tracking-on
  • Warren Center for Network and Data Sciences. (n.d.-b). A field experiment to study the effect of ad-blocking and anti-tracking on consumer behavior. University of Pennsylvania. https://www.law.upenn.edu/live/files/12361-a-field-experiment-to-study-the-effect-of

Panel 3

  • Citron, D. K., & Solove, D. J. (2022). Privacy harms. Boston University Law Review, 102, 793–868. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3782222

Panel 4

  • Acquisti, A., Adjerid, I., Balebako, R., Brandimarte, L., Cranor, L. F., Komanduri, S., Leon, P. G., Sadeh, N., Schaub, F., Sleeper, M., Wang, Y., & Wilson, S. (2017). Nudges for privacy and security: Understanding and assisting users' choices online. ACM Computing Surveys, 50(3), Article 44. https://doi.org/10.1145/3054926
  • Acquisti, A., Brandimarte, L., & Loewenstein, G. (2020). Secrets and likes: The drive for privacy and the difficulty of achieving it in the digital age. Journal of Consumer Psychology, 30(4), 736–758. https://doi.org/10.1002/jcpy.1191
  • Emami-Naeini, P., Dheenadhayalan, J., Agarwal, Y., & Cranor, L. F. (2022). An informative security and privacy "nutrition" label for Internet of Things devices. IEEE Security & Privacy, 20(2), 31–39. https://doi.org/10.1109/MSEC.2021.3132398
  • Ohm, P. (2025). Toward compliance zero: AI and the vanishing costs of regulatory compliance. In A. Kuenzler, T. Schrepel, & V. Stocker (Eds.), The law & technology & economics of AI. Network Law Review. https://www.networklawreview.org/ohm-ai-regulation/
  • Roemmich, K., Martin, K., & Schaub, F. (in press). CA–CI: Integrating contextual integrity and the capabilities approach for dignity considerations in AI governance. IEEE Security & Privacy. https://doi.org/10.1109/MSEC.2026.3654404
  • Uszkoreit, J. (2017, August 31). Transformer: A novel neural network architecture for language understanding. Google Research Blog. https://research.google/blog/transformer-a-novel-neural-network-architecture-for-language-understanding/
  • Zuckerman, E. (2022). The good web. Stanford Social Innovation Review. https://doi.org/10.48558/RPBJ-2X58

Block Center Tech Policy Forum Recordings

Missed the live discussion or want to revisit key moments? Watch recordings from the Block Center Tech Policy Forum, featuring thought-provoking conversations with leaders at the forefront of privacy, regulation, and policy. Find all of the recorded panels on our YouTube playlist here. 

tech policy forum

Panels & Speakers

Welcome: Kirsten Martin, H. John Heinz III Dean of the Heinz College of Information Systems and Public Policy at Carnegie Mellon University (CMU)

 

Panel 1: What Is Privacy Online and Why Is It So Unregulated?  

  • This panel examines the current fragmentation of the U.S. privacy landscape, assessing which regulatory and institutional approaches have proven effective, where significant gaps remain amid emerging technologies, and which actors are best positioned to advance meaningful privacy protections.
  • Panelists:
    • Alessandro Acquisti (Massachusetts Institute of Technology); Julie Cohen (Georgetown University); Lorrie Cranor (CMU),  
  • Moderator:  
    • Kirsten Martin, H. John Heinz III Dean of the Heinz College of Information Systems and Public Policy at Carnegie Mellon University (CMU)

 

Panel 2: Why Doesn’t ‘Consent’ Work?  

  • This panel explores the limits of consent-based privacy frameworks, how authorized and unauthorized data use should be defined in practice, and how researchers and the public can better elevate these challenges for policymakers.
  • Panelists:
    • Antonio Rangel (California Institute of Technology); Florian Schaub (University of Michigan); Lior Jacob Strahilevitz (University of Chicago Law) 
  • Moderator: 
    • Kirsten Martin, H. John Heinz III Dean of the Heinz College of Information Systems and Public Policy at Carnegie Mellon University (CMU)

 

Panel 3: How to Identify and Measure Privacy Violations.  

  • This panel addresses the technical and policy challenges of determining when data can be considered identifiable, and how to assess whether data is being shared or used in ways that violate reasonable privacy expectations.
  • Panelists:
    • Serge Egelman (University of California, Berkeley); Christo WIlson (Northeastern University). Norman Sadeh (CMU)
  • Moderator: 
    • Cesca Antonelli, Editor-in-Chief, Bloomberg Industry Group

 

Panel 4: Privacy Harms and Firm Responsibility.  

  • This panel brings together experts to examine how privacy harms arise in practice and to reconsider the responsibilities of firms in preventing, mitigating, and being held accountable for those harms.
  • Panelists: 
    • Laura Brandimarte (University of Arizona); Jonathan Kanter (CMU); Paul Ohm (Georgetown University).  
  • Moderator: 
    • Kirsten Martin, H. John Heinz III Dean of the Heinz College of Information Systems and Public Policy at Carnegie Mellon University (CMU)

alessandro

Alessandro Acquisti 

Massachusetts Institute of Technology

laura brandimarte

Laura Brandimarte 

University of Arizona

julie cohen

Julie Cohen 

Georgetown University

lorrie

Lorrie Cranor

Carnegie Mellon University 

serge

Serge Egelman 

University of California, Berkeley

johnathan kanter

Jonathan Kanter 

Carnegie Mellon University

kirsten martin

Kirsten Martin 

Carnegie Mellon University

paul ohm

Paul Ohm 

Georgetown University

antonio rangel

Antonio Rangel 

California Institute of Technology

norman sadeh

Norman Sadeh 

Carnegie Mellon University

florian

Florian Schaub 

University of Michigan

lior strahilevitz

Lior Jacob Strahilevitz 

University of Chicago Law

christo

 

Christo Wilson 

Northeastern University

 

5000 Forbes Avenue 
Pittsburgh, PA 15213  
(412) 268-2000

About CMU

  • Athletics
  • Events Calendar
  • Careers at CMU
  • Maps, Parking & Transportation
  • Health & Safety
  • News

Academics

  • Majors
  • Graduate
  • Undergraduate Admission
  • Graduate Admission
  • International Students
  • Scholarship & Financial Aid

Our Impact

  • Centers & Institutes
  • Business Engagement
  • Global Locations
  • Work That Matters
  • Regional Impact
  • Libraries

Top Tools

  • Report Digital Accessibility Barrier
  • Academic Calendar
  • Bookstore
  • Canvas
  • The HUB
  • Workday

Copyright © 2026 Carnegie Mellon University

  • Title IX
  • Privacy
  • Legal