By: Mary E. Wert

Published: March 7, 2026

On January 17, 2025, the U.S. Supreme Court upheld provisions of the Protecting Americans from Foreign Adversary Controlled Applications Act (PAFACAA), colloquially referred to as the “TikTok ban.”[1] The Court determined that although the statute involves regulation of speech, it is content-neutral, and the government’s national security purpose was sufficient justification for the Act.[2] For many, the decision felt like government-approved censorship. But the holding highlights a growing challenge: how to regulate the use of personal data and protect the individual right of privacy while preserving rights guaranteed by the First Amendment. To resolve this problem, the threshold question is: what rights, if any, do individuals have to their personal data? This requires considering whether an individual’s data is considered “published” every time a person accesses a website, thereby granting unfettered use to the platforms that record and use the data under the First Amendment’s freedom of speech protections. The U.S. legal system in the U.S. has yet to provide clear answers to these questions.

The tension between free speech and individual privacy is not a new issue. The First Amendment enshrines the right to freedom of speech, the press, and peaceful assembly.[3] The Supreme Court has expanded these protections to include commercial speech, freedom of expression, and freedom of association.[4] In contrast, while a right to privacy may be implied in several Constitutional amendments, it is not explicitly identified anywhere in the U.S. Constitution.[5] Therefore, protecting this right becomes complicated when it collides with other fundamental rights. Historically, the Court has prioritized the right of the press to publish truthful information over individual privacy interests, emphasizing the importance of a free press for a democratic society.[6] The Court expanded this concept when it held that editorial discretion is also protected under the first amendment.[7] The relatively recent concept of protected commercial speech appears to create another friction point between the First Amendment and privacy rights. Under the commercial speech doctrine, an expression in the form of an advertisement about a specific product in which the speaker has an economic interest is protected as commercial speech, subject to intermediate scrutiny.[8] Under this logic, a company’s collection and use of data to customize advertisements could arguably be protected as commercial speech.[9]

In the 2011 case Sorrell v. IMS Health, the Court struck down a law restricting the sale of prescriber-identifiable data for pharmaceutical marketing, holding that the restriction violated the First Amendment’s protection of commercial speech.[10] The majority reasoned that, because the law only restricted selling prescriber data for marketing purposes, it imposed a content-based burden on speech.[11] But the Court made a critical and flawed assumption: that the pharmacies or data miners had any rights over the data in first place. Instead, the Sorrell Court should have determined whether this personal data identifying prescribers’ patterns falls within the zone of information privacy – the protection of personal information (and potentially data) from unwarranted government intrusion – or is somehow information classified as speech. By recognizing a First Amendment right in the sale of personal data, the Sorrell Court elevated the commercial interests of data brokers above the constitutional interest in individual information privacy. Prescribers, like social media users, should have the right to control their own identifying data. The Sorrell decision creates a troubling precedent that must be corrected; the First Amendment should not be exploited to shield corporate commodification of private information at the expense of an individual’s constitutional right to privacy.

Throughout the last century, the Court recognized privacy as an implied right derived from emanations of other constitutional rights. First acknowledged in 1965, the Court explained “the First Amendment has a penumbra where privacy is protected from governmental intrusion.”[12] Two years later, the Court again addressed privacy rights, this time under the Fourth Amendment, asserting that warrantless searches violate an individual’s “reasonable expectation of privacy.”[13] In 1979, the Court created a gaping loophole that drastically narrowed Fourth Amendment privacy protections through the third-party doctrine, explaining that information shared with a third-party is not private and therefore no longer protected under the Fourth Amendment.[14] However, almost forty years later, the Court rejected application of the third-party doctrine for cell-site location data, holding that continuous collection of location data without consent constitutes an intrusion into the “privacies of life.”[15] This decision signals the need for stronger privacy protections around digital information and personal data.

In one of the most consequential cases in recognizing an individual right of privacy, Roe v. Wade, the Court explained that the roots of the right are found in the First, Fourth, Fifth, Ninth, and Fourteenth Amendments.[16] A few years later in 1977, plaintiffs in New York challenged a state statute requiring doctors to disclose patients’ identification information to the government, arguing that the law “invad[ed] the constitutionally protected zone of privacy” guaranteed under the Fourteenth Amendment’s due process clause.[17] Although the Court upheld the statute, it did so while also recognizing that the Fourteenth Amendment protects an individual’s interest in avoiding disclosure of personal matters.[18] Perhaps foreshadowing today’s digital landscape, the Court explained that centralizing vast amounts of personal information “vastly increase[s] the potential for abuse” and future technologies may require new guardrails to protect individual privacy.[19]

Borrowing from antitrust and telecommunications laws, policymakers should require functional separation between a company’s user-facing platform and its data-brokerage or advertising arm. Just as the breakup of AT&T and the FCC’s Computer Inquiries forced telecoms to keep basic carriage functions separate from information services, tech companies could be barred from leveraging data collected for one purpose to fuel another.[20] Certain data such as precise location, biometrics, or political affiliations should be categorically off-limits for secondary use absent explicit, opt-in consent. This mirrors the European Union’s treatment of “special categories” of data under the recent General Data Protection Regulation, and ensures that sensitive attributes cannot be exploited under broad business justifications.[21] Such limitations on personal data usage would enable the government to preserve First Amendment rights for individuals utilizing social media platforms like TikTok while limiting the company’s ability to exploit user information.

Alternatively, another approach to protecting personal data is to invoke intellectual property (IP) theories. The Danish government recently leveraged their IP laws to tackle the challenge of AI generated content for deepfakes, passing legislation that grants the citizens of Denmark copyright protection over their own likenesses (face, body, and voice). Codifying individuals’ ownership rights to their personal data resolves at least two potential arguments that could allow entities to intrude on individual privacy: (1) data collection that is used for advertising purposes is analogous to the right of a consumer to receive commercial information, and (2) algorithmic curation using personal user data is analogous to editorial discretion also are not supported by precedent.

The first argument finds support in Virginia State Board of Pharmacy v. Virginia Citizens Consumer Council, Inc.[22] But in that case, the Court explained that the protection afforded by the First Amendment applied to the communication itself: to the speaker and the recipient. Notably, the critical presumption was a willing speaker.[23] In contrast, data collected from online platform users is not willingly or intentionally shared. Online platforms may assert that they obtain user consent via Terms and Conditions provisions, the current all-or-nothing model for such agreements provides no real choice. Users must either accept exceedingly long and confusing terms with limited (if any) options to choose what gets collected or forgo access to platforms that are becoming essential for all aspects of modern life.[24] This structure transforms “consent” into coercion. Any assertion that an entity with the means to surveil and collect personal data has a right to it goes against constitutional notions of privacy.

Second, many companies tailor the output a user sees on their websites and applications after analyzing various data inputs to optimize the user experience—and keep people coming back. These companies may argue that curation of the user interface is protected under editorial discretion. But this act of customization is only one layer in the digital information marketplace. Once again, the data that feeds the analysis to enable personalization is where the real issue lies. In granting individual’s ownership rights to their own personal data and information, the collection of such data that was never intended to be public without meaningful consent is akin to copyright infringement, and any argument about editorial discretion becomes moot.

Online speech must be protected under the First Amendment. The internet is the modern-day public forum, and regulations proposing to limit online content and expression should be subject to the highest scrutiny. The real threat is not what people say online, but what is silently recorded about individual behavior: what is read, hovered over, or followed; where a person travels or shops; what bank or gym they use. This compilation of digital actions turns private thoughts and subconscious patterns into personal profiles, subject to exploitation—whether in the commercial sector or for governmental purposes. Today, nearly every online platform operates on a model where data is the currency and influence is the industry. The price users pay for access to “free” platforms is their personal data. Therefore, the issue that demands attention is not online speech or the existence of these platforms, but the behind-the-scenes, unfettered collection and use of personal data unrelated to an individual’s published content. When every click, scroll, and choice is monitored and used without informed consent, the freedom to think and believe privately—a common principle in so many fundamental rights—becomes meaningless, and constitutional protections become mere empty words.

Regulating data to protect privacy rights must focus on how companies collect and use personal data without limiting individually generated online content in a way that obstructs freedom of speech and expression. Any collection or use of data that amounts to surveillance of thought and behavior cannot plausibly be considered speech or even expression under the First Amendment. Nor are speech and privacy opposing forces. Protecting both requires regulating the collection of personal data, not the content or existence of platforms where data can be obtained. The threshold question is whether individuals have any rights to their own data. The answer should be an unequivocal yes.

 

 

[1] See TikTok v. Garland, 604 U.S. 56, 80 (2025); see generally Protecting Americans from Foreign Adversary Controlled Applications Act, Pub. L. No. 118-50, 138 Stat. 960 (2024).

[2] See TikTok, 604 U.S. at 71-74.

[3] U.S. Const. amend. I.

[4] See Bigelow v. Virginia, 421 U.S. 809, 821 (1975) (recognizing commercial speech as any speech which promotes at least some type of commerce); Stromberg v. California, 283 U.S. 359, 369-70 (1931) (recognizing freedom of expression); National Ass’n for the Advancement of Colored People v. Alabama, 357 U.S. 449, 462 (1958) (recognizing freedom of assembly).

[5] See Griswold v. Connecticut, 381 U.S. 479, 483 (1965).

[6] See New York Times v. Sullivan, 376 U.S. 254, 271-72 (1964); The Florida Star v. B.J.F., 491 U.S. 524, 541 (1989).

[7] Miami Herald v. Tornillo, 418 U.S. 241 (1974) (expanding the First Amendment’s freedom of the press protections to include editorial discretion).

[8] See Central Hudson Gas & Electric Corp. v. Public Service Commission of New York, 447 U.S. 557 (1980) (establishing commercial speech as protected speech under the First Amendment).

[9] Compare Bolger v. Youngs Drug Products Corp., 463 U.S. 60 (1983) (expanding commercial speech to include proposals to enter into a commercial transaction regarding a specific product, based on an economic motivation).

[10] See Sorrell v. IMS Health, Inc., 564 U.S. 552, 580 (2011).

[11] Id.

[12] Id. at 483 (holding that a Connecticut law forbidding use of contraceptives unconstitutionally intrudes upon the right of marital privacy protected by the First Amendment).

[13] See Katz v. United States, 389 U.S. 347, 350-51 (1967) (noting that the Court did not purport to establish a fundamental right to privacy under the Fourth Amendment but “other provisions of the Constitution protect personal privacy from other forms of governmental invasion).

[14] See Smith v. Maryland, 442 U.S. 735, 742-44 (1979) (holding that obtaining phone records from the phone company did not constitute unreasonable search because information shared with a third party).

[15] See Carpenter v. United States, 585 U.S. 296, 311 (2018).

[16] See Roe v. Wade, 410 U.S. 113, 152 (1973) (although the Court in Dobbs v. Jackson Women’s Health Organization, 597 U.S. 215, 231 (2022) overruled the fundamental right to abortion care established in Roe, the majority opinion expressly stated that the decision did not rescind any other rights, implicitly recognizing the constitutional right to privacy established in Roe).

[17] Whalen v. Roe, 429 U.S. 589, 596, 598 (1977).

[18] See id. at 605-07 (cautioning that the growing accumulation of computerized data poses serious risks to individual privacy).

[19] See id. at 607 (Brennan, J. concurring).

[20] See 47 C.F.R. § 64.702 (2025); Re Second Computer Inquiry, 77 F.C.C. 2d 384, ¶ 285 (1980).

[21] See What is GDPR, the EU’s General Data Protection Regulation?, GDPR.EDU, https://gdpr.eu/what-is-gdpr/ (last visited Feb. 26, 2026)

[22] See generally Virginia State Bd. of Pharmacy v. Virginia Citizens Consumer Council, Inc., 425 U.S. 748, 761-62 (1976).

[23] See id. at 756.

[24] See Emma Taggart, Artist Visualizes the Lengthy “Terms of Service” Agreements of Popular Social Media Apps, My Modern Met (May 23, 2018), https://mymodernmet.com/social-media-policy-infographics-dima-yarovinsky.