Mihailis Diamantis, Maaz Bin Musa, Lucas Ausberger, Rishab Nithyanand

The weakest link in privacy enforcement today is detection. For years, agencies and activists sounded the alarm about unregulated, opaque mechanisms that online data brokers employ to harvest, process, and sell user data. Some state legislatures have responded in recent years by passing legislation to protect privacy rights. Federal legislation may not be far off. But privacy rights are meaningless without effective enforcement, and enforcement is blind without detection. 
 
 New technology for detecting privacy violations holds promise. Historically, uncovering privacy violations required access to data brokers’ books. Unsurprisingly, such access was not forthcoming. Researchers have developed tools that carry out “closed book privacy audits,” detecting privacy violations without corporate cooperation. By selectively feeding fictitious personal data to online platforms and measuring its impact web experience, closed book privacy audits can track corporate use (and misuse) of personal information across the data ecosystem. Automated closed book privacy audits would empower private and public enforcers.
 
 There is one hitch. Privacy audits require both information to test and benchmarks to test it against. While closed book audits can provide the information, the evaluative benchmarks remain elusive. Emerging privacy laws require disclosures about how corporations collect and use personal information, but they do not mandate any particular forms of disclosure. Through an original empirical study of privacy disclosures by California corporations, this Essay documents the result: a widely variable mishmash of opaque representations that are impossible to audit in a consistent procedure. The solution proposed here is to mandate uniform privacy disclosures in a machine-readable format. We argue that privacy regulators can borrow from the standardized disclosure frameworks used by other regulatory bodies (e.g., the United States Securities and Exchange Commission) to simultaneously improve their effectiveness and facilitate low-cost detection of violations through closed book audits.