Existing legal frameworks overemphasize tangible, quantifiable privacy harms while neglecting pervasive psychological, relational, and existential harms endemic to the digital age. Method: Drawing on qualitative content analysis of 369 publicly reported privacy incidents, this study develops the first empirically grounded, socio-technical taxonomy of privacy harms. Contribution/Results: The taxonomy reveals that over 70% of harms manifest as intangible consequences—including loss of psychological safety, chronic anxiety, erosion of trust, and self-censorship—rather than material loss. It transcends traditional tort-law paradigms by systematically mapping harm agents, motivations, and information-type patterns, demonstrating that privacy violations fundamentally entail the degradation of social relations and agentic subjectivity. This framework provides a human-centered theoretical foundation and an operational assessment tool for privacy governance, platform accountability, and legislative reform.

To understand how privacy incidents lead to harms, HCI researchers have historically leveraged legal frameworks. However, these frameworks expect acute, tangible harms and thus may not cover the full range of human experience relevant to modern-day digital privacy. To address this gap, our research builds upon these existing frameworks to develop a more comprehensive representation of people's lived experiences with privacy harms. We analyzed 369 privacy incidents reported by individuals from the general public. We found a broader range of privacy incidents and harms than accounted for in existing legal frameworks. The majority of reported privacy harms were not based on tangible harm, but on fear and loss of psychological safety. We also characterize the actors, motives, and information associated with various incidents. This work contributes a new framework for understanding digital privacy harms that can be utilized both in research and practice.