Block Center Tech Policy Forum: Privacy Regulation Strategies for 2026

Key Findings, Policy Recommendations, and Additional Resources

The Block Center for Technology and Society brought together an interdisciplinary group of experts to discuss privacy regulation strategies amidst a fast-evolving data ecosystem. Overall, the discussions underscore a fundamental shift in how privacy must be understood and governed.

Two core sentiments emerged: 1) the current regulatory paradigm fails to meaningfully protect individuals in a data-driven economy, and 2) emerging AI systems are accelerating and amplifying existing risks, making incremental reform insufficient. The discussions highlighted the need for a framework that places responsibility on institutions rather than individuals, establishes clear substantive protections that can not be waived, and anticipates the transformative impact of AI – as well as stressed how imperative it is that action be taken quickly before existing failures are further entrenched.

There were several key findings and actionable recommendations that emerged that can guide a more effective, future-oriented privacy regulatory framework.

1. Privacy is a policy choice, not a technological inevitability
The current state of online privacy reflects deliberate design and business model decisions rather than unavoidable trade-offs. Alternative models exist but lack legal and economic incentives to scale.

2. The notice-and-consent framework is fundamentally broken
Users do not read or understand privacy policies and are routinely nudged toward agreement through manipulative design. Consent, as currently operationalized, functions as a legal fiction rather than meaningful authorization.

3. Privacy harms are real but systematically undercounted
While economic impacts of regulation are well-studied, the harms of unregulated data practices—such as behavioral manipulation, loss of autonomy, and sensitive inference—remain insufficiently measured and undervalued in policymaking.

4. Responsibility has been misplaced onto individuals
Consumers are expected to manage their own privacy in a system designed to overwhelm and outmaneuver them. This “responsibilization” creates an unwinnable asymmetry between individuals and data-driven firms.

5. AI intensifies existing privacy risks
Agentic AI systems will exponentially expand data collection, inference, and decision-making. Existing frameworks are not equipped to handle a world where machines act autonomously on behalf of users.

Key recommendations to addressing the failings of the existing system and to build a more effective framework include:

Place responsibility on institutions rather than individuals

Shift away from reliance on user consent as the primary legal basis for data use. Implement enforceable accountability standards regardless of user agreement.
Define certain entities, particularly large platforms and AI developers, as “information fiduciaries” with legal obligations to act in users’ best interests.

Move toward substantive protections rather than procedural safeguards

Create data minimization requirements, restrictions on secondary use of data, and clear limits on sensitive data collection and inference.

Create regulations that help prevent harm before it happens

Expand the definition and measurement of harm to include non-economic harms, including psychological and behavioral manipulation, loss of autonomy and dignity, and discriminatory or biased inference.
Explicitly prohibit interface designs that manipulate user decision-making.
Create standardized metrics to better assess and cohesively regulate these harms.

Create AI-specific privacy guardrails now

Require impact assessments for AI systems that rely on personal data, limit autonomous data decision-making without user oversight, mandate transparency in AI-driven data processing and inference.

Throughout the day, our panelists called attention to policy and academic research that informed and inspired their conversations. The reading list below brings together the foundational scholarship and contemporary policy work referenced across all four panels.

Panel 1:

Acquisti, A., Brandimarte, L., & Loewenstein, G. (2015). Privacy and human behavior in the age of information. Science, 347(6221), 509–514. https://doi.org/10.1126/science.aaa1465

Brandimarte, L., Acquisti, A., & Loewenstein, G. (2013). Misplaced confidences: Privacy and the control paradox. Social Psychological and Personality Science, 4(3), 340–347. https://doi.org/10.1177/1948550612455931

Data & Society. (2018). Weaponizing the digital influence machine: The political perils of online ad tech. https://datasociety.net/library/weaponizing-the-digital-influence-machine/

Electronic Privacy Information Center. (2024). The state of privacy: How state "privacy" laws fail to protect privacy and what they can do better. https://epic.org/documents/the-state-of-privacy-report/

Georgetown Law Tech Institute. (n.d.). Redesigning the governance stack project. https://www.law.georgetown.edu/tech-institute/programs-and-initiatives/redesigning-the-governance-stack-project/

McDonald, A. M., & Cranor, L. F. (2009). The cost of reading privacy policies. I/S: A Journal of Law and Policy for the Information Society, 4, 543–568. https://lorrie.cranor.org/pubs/readingPolicyCost-authorDraft.pdf

Ronan, L. (1979). Seat belts: 1949–1956. U.S. Department of Transportation. https://rosap.ntl.bts.gov/view/dot/11828

Shilton, K. (2009). Four billion little brothers? Privacy, mobile phones, and ubiquitous data collection. Communications of the ACM, 52(11), 48–53. https://cacm.acm.org/practice/four-billion-little-brothers/

Panel 2

Balebako, R., Leon, P. G., Shay, R., Ur, B., & Wang, Y. (2012). Measuring the effectiveness of privacy tools for limiting behavioral advertising. https://lorrie.cranor.org/pubs/EffectivenessBA.pdf
Chicago Booth Stigler Center. (2019). Stigler Committee on Digital Platforms final report. https://publicknowledge.org/wp-content/uploads/2021/11/Stigler-Committee-on-Digital-Platforms-Final-Report.pdf
Habib, H., Pearman, S., Wang, J., Zou, Y., Acquisti, A., Cranor, L. F., Sadeh, N., & Schaub, F. (2020). "It's a scavenger hunt": Usability of websites' opt-out and data deletion choices. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (CHI '20, Article 132). ACM. https://doi.org/10.1145/3313831.3376511
Kugler, M. B., Strahilevitz, L., Chetty, M., Mahapatra, C., & Ulloa, Y. (2025). Can consumers protect themselves against privacy dark patterns? University of New Hampshire Law Review, 23, 243. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5084827
Luguri, J., & Strahilevitz, L. J. (2021). Shining a light on dark patterns. Journal of Legal Analysis, 13(1), 43–109. https://doi.org/10.1093/jla/laaa006
Tran, V. H., Lee, L., Kumar, M., Zhang, Y., Xian, L., & Schaub, F. (2025). Layered, overlapping, and inconsistent: A large-scale analysis of the multiple privacy policies and controls of U.S. banks. In Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security (CCS '25, pp. 3177–3191). ACM. https://doi.org/10.1145/3719027.3765072
Tran, V. H., Mehrotra, A., Chetty, M., Feamster, N., Frankenreiter, J., & Strahilevitz, L. (2024). Measuring compliance with the California Consumer Privacy Act over space and time. In Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems (CHI '24, Article 785). ACM. https://doi.org/10.1145/3613904.3642258
Warren Center for Network and Data Sciences. (n.d.-a). The effect of ad-blocking and anti-tracking on consumer behavior. University of Pennsylvania. https://www.law.upenn.edu/live/files/11653-the-effect-of-ad-blocking-and-anti-tracking-on
Warren Center for Network and Data Sciences. (n.d.-b). A field experiment to study the effect of ad-blocking and anti-tracking on consumer behavior. University of Pennsylvania. https://www.law.upenn.edu/live/files/12361-a-field-experiment-to-study-the-effect-of

Panel 3

Citron, D. K., & Solove, D. J. (2022). Privacy harms. Boston University Law Review, 102, 793–868. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3782222

Panel 4

Acquisti, A., Adjerid, I., Balebako, R., Brandimarte, L., Cranor, L. F., Komanduri, S., Leon, P. G., Sadeh, N., Schaub, F., Sleeper, M., Wang, Y., & Wilson, S. (2017). Nudges for privacy and security: Understanding and assisting users' choices online. ACM Computing Surveys, 50(3), Article 44. https://doi.org/10.1145/3054926
Acquisti, A., Brandimarte, L., & Loewenstein, G. (2020). Secrets and likes: The drive for privacy and the difficulty of achieving it in the digital age. Journal of Consumer Psychology, 30(4), 736–758. https://doi.org/10.1002/jcpy.1191
Emami-Naeini, P., Dheenadhayalan, J., Agarwal, Y., & Cranor, L. F. (2022). An informative security and privacy "nutrition" label for Internet of Things devices. IEEE Security & Privacy, 20(2), 31–39. https://doi.org/10.1109/MSEC.2021.3132398
Ohm, P. (2025). Toward compliance zero: AI and the vanishing costs of regulatory compliance. In A. Kuenzler, T. Schrepel, & V. Stocker (Eds.), The law & technology & economics of AI. Network Law Review. https://www.networklawreview.org/ohm-ai-regulation/
Roemmich, K., Martin, K., & Schaub, F. (in press). CA–CI: Integrating contextual integrity and the capabilities approach for dignity considerations in AI governance. IEEE Security & Privacy. https://doi.org/10.1109/MSEC.2026.3654404
Uszkoreit, J. (2017, August 31). Transformer: A novel neural network architecture for language understanding. Google Research Blog. https://research.google/blog/transformer-a-novel-neural-network-architecture-for-language-understanding/
Zuckerman, E. (2022). The good web. Stanford Social Innovation Review. https://doi.org/10.48558/RPBJ-2X58

Welcome: Kirsten Martin, H. John Heinz III Dean of the Heinz College of Information Systems and Public Policy at Carnegie Mellon University (CMU)

Panel 1: What Is Privacy Online and Why Is It So Unregulated?

This panel examines the current fragmentation of the U.S. privacy landscape, assessing which regulatory and institutional approaches have proven effective, where significant gaps remain amid emerging technologies, and which actors are best positioned to advance meaningful privacy protections.
Panelists:
- Alessandro Acquisti (Massachusetts Institute of Technology); Julie Cohen (Georgetown University); Lorrie Cranor (CMU),
Moderator:
- Kirsten Martin, H. John Heinz III Dean of the Heinz College of Information Systems and Public Policy at Carnegie Mellon University (CMU)

Panel 2: Why Doesn’t ‘Consent’ Work?

This panel explores the limits of consent-based privacy frameworks, how authorized and unauthorized data use should be defined in practice, and how researchers and the public can better elevate these challenges for policymakers.
Panelists:
- Antonio Rangel (California Institute of Technology); Florian Schaub (University of Michigan); Lior Jacob Strahilevitz (University of Chicago Law)
Moderator:
- Kirsten Martin, H. John Heinz III Dean of the Heinz College of Information Systems and Public Policy at Carnegie Mellon University (CMU)

Panel 3: How to Identify and Measure Privacy Violations.

This panel addresses the technical and policy challenges of determining when data can be considered identifiable, and how to assess whether data is being shared or used in ways that violate reasonable privacy expectations.
Panelists:
- Serge Egelman (University of California, Berkeley); Christo WIlson (Northeastern University). Norman Sadeh (CMU)
Moderator:
- Cesca Antonelli, Editor-in-Chief, Bloomberg Industry Group

Panel 4: Privacy Harms and Firm Responsibility.

This panel brings together experts to examine how privacy harms arise in practice and to reconsider the responsibilities of firms in preventing, mitigating, and being held accountable for those harms.
Panelists:
- Laura Brandimarte (University of Arizona); Jonathan Kanter (CMU); Paul Ohm (Georgetown University).
Moderator:
- Kirsten Martin, H. John Heinz III Dean of the Heinz College of Information Systems and Public Policy at Carnegie Mellon University (CMU)

Alessandro Acquisti

Massachusetts Institute of Technology

Laura Brandimarte

University of Arizona

Julie Cohen

Georgetown University

Lorrie Cranor

Carnegie Mellon University

Serge Egelman

University of California, Berkeley

Jonathan Kanter

Carnegie Mellon University

Kirsten Martin

Carnegie Mellon University

Paul Ohm

Georgetown University

Antonio Rangel

California Institute of Technology

Norman Sadeh

Carnegie Mellon University

Florian Schaub

University of Michigan

Lior Jacob Strahilevitz

University of Chicago Law

Christo Wilson

Northeastern University

Read more about Block Center Tech Policy Forum: Privacy Regulation Strategies for 2026

Tech Policy Forum

Read more about Tech Policy Forum

Jan 21, 2026

Block by Block: Motahhare Eslami

Unlocking AI for Public Good

The Unlocking AI for Public Good event brought together leaders from Carnegie Mellon University, the Commonwealth of Pennsylvania, and community organizations to explore how AI can strengthen public sector outcomes, broaden economic opportunity, and shape a responsible innovation ecosystem. Opening remarks from CMU Vice President for Research Theresa Mayer and Pennsylvania Secretary of Policy and Planning Akbar Hossain emphasized the Commonwealth’s historic moment. Major tech sector investments such as Amazon’s twenty billion dollar statewide commitment and deepening collaboration between CMU and state agencies are positioning Pennsylvania to lead nationally in responsible AI deployment. Speakers highlighted both the promise and risks of rapid technological adoption, noting examples from social services, transportation, healthcare, and education, and underscoring a shared commitment to ensuring that AI serves residents equitably and effectively.

The event’s panels explored how AI is reshaping systems across sectors and identified practical strategies for ethical, effective deployment. In the State of the Technology panel, CMU faculty stressed that AI must be tailored to real world problems, supported by high quality data, and accompanied by clear procurement guidance and stakeholder engagement. Panelists discussed both opportunities such as using AI to improve early intervention systems in mental health and homelessness and challenges including business value gaps, implementation constraints, inequality in access, and the need for transparent benchmarks. A second panel on Public and Private Partnerships highlighted how AI is already transforming workforce development, transportation management, small business support, and city operations across Pennsylvania. Leaders from Team PA, Partner4Work, the AI Strike Team, and Lucas Lane Consulting emphasized that successful deployment requires proactive community engagement, network based governance, and a focus on supporting rural and underserved areas so that AI adoption does not widen existing divides.

Together, these conversations underscored the event’s central message. Unlocking AI for public good requires coordinated leadership, intentional design, and strong partnerships across academia, government, industry, and communities.

9:00 - 9:15 — Opening Remarks

Theresa Mayer, Vice President for Research, Carnegie Mellon University
Akbar Hossain, Secretary of Policy and Planning, Commonwealth of Pennsylvania

9:15 AM — Plenary Keynotes:

Speakers:

Kirsten Martin, Dean, Heinz College of Information Systems and Public Policy, Carnegie Mellon University
Sayeed Choudhury, Associate Dean for Digital Infrastructure, Carnegie Mellon University
Christopher Phillips, Professor and Department Head of History, Carnegie Mellon University

9:40 - 10:40 AM — Panel 1: The State of the Technology

Moderator: Annie Newman, Director of Digital Strategy, Commonwealth of Pennsylvania

Panelists:

Rayid Ghani, Distinguished Career Professor, Carnegie Mellon University
Jodi Forlizzi, Herbert A. Simon Professor, Carnegie Mellon University
Holly Wiberg, Assistant Professor, Carnegie Mellon University

10:40 - 10:50 AM — Coffee Break

10:50 - 11:50 AM — Panel 2: Public & Private Partnerships

Moderator: Ben Kirshner, Chief Transformation Officer, Commonwealth of Pennsylvania

Panelists:

Joanna Doven, Executive Director, AI Strike Team
Robert Cherry, CEO, Partner4Work
Abby Smith, President & CEO, Team Pennsylvania
Kim Lucas, Principal, Lucas Lane Consulting

11:50 AM - 12:00 PM — AI Policy: The Future in Pennsylvania

Speakers:

Akbar Hossain, Secretary of Policy and Planning, Commonwealth of Pennsylvania
Video Presentation: Lt. Governor Austin Davis, Commonwealth of Pennsylvania
Amy Klinke, Assistant Vice President for Business Engagement, Carnegie Mellon University

12:00 - 1:00 PM — Lunch & CMU Engagements Showcase