Beyond notice and choice: privacy, norms, and consent.

Author: Sloan, Robert H.

Table of Contents

I. The Allure of Notice and Choice
  A. Informed Consent: The Role of Notices
  B. Free consent: Affirmative Act or Passive Acquiescence?
  C. Summing to an Acceptable Tradeoff
II. The Critique
  A. It Is Impossible for a Notice to Contain Enough Information
    1. Complexity
    2. Long-term Retention
    3. Big Data and its Implications
  B. How Can Consent Be Anything But Passive Acquiescence?
  C. Notice and Choice Leads to Unacceptable Tradeoffs
    1. The Simple Tradeoff Problem
    2. The Real Tradeoff Problem
III. Beyond Notice and Choice
  A. Value-Optimality
  B. Acceptable Tradeoffs
  C. Why Consent is Informed
  D. Why Consent Is Free
IV. A Key Task: Curing Failures of Norm Completeness

Informational privacy is the ability to determine for yourself when others may collect and how they may use your information. (1) Adequate informational privacy requires a sufficiently broad ability to control collection and use, and this requires a sufficiently broad ability to give or withhold free and informed consent to proposed collections and uses; otherwise, you cannot determine for yourself what others do with your information. (2)

Notice and Choice (sometimes called Notice and Consent (3)) is the current paradigm for securing free and informed consent to business's online data collection and use practices. (4) The "notice" is a presentation of terms. (5) The "choice" is an action signifying acceptance of the terms (typically using the site or clicking on an "I agree" button). (6) When the notice contains information about a business's data collection and use, the argument for Notice and Choice rests on two claims. (7) First: when adequately implemented, Notice and Choice ensures that website visitors can give free and informed consent to businesses' data collection and use practices. (8) Second: the combined effect of the individual consent decisions is an acceptable overall tradeoff between privacy and the benefits of information processing. (9) There are well-known, compelling critiques of both claims. (10) Policy makers and privacy advocates nonetheless typically insist on adherence to Notice and Choice. (11) The Federal Trade Commission, for example, recently endorsed it and provided guidelines for its implementation. (12)

A somewhat unsympathetic but not entirely inapt analogy is the old joke about the drunk and the streetlight:

A policeman sees a drunk man searching for something under a streetlight and asks what the drunk has lost. He says he lost his keys and they both look under the streetlight. After a few minutes the policeman asks if he is sure he lost them here, and the drunk replies, no, that he lost them in the park. The policeman asks why he is searching here, and the drunk replies, "This is where the light is." (13)

Policy makers and privacy advocates search under the streetlight of Notice and Choice even though consent is not there. (14) Why don't they look in the "park"? Most likely, they see no need to do so. We find the critiques of Notice and Choice conclusive, but our assessment is far from widely shared--and understandably so. (15) The criticisms are scattered over several articles and books; no one has unified them and answered the obvious counterarguments. (16) We do so. (17) Making the critique plain, however, is not enough to move policy makers from the "streetlight" to the "park." The critiques are entirely negative; they do not point to an alternative, a "park" in which to search for consent. (18) As Helen Nissenbaum notes, "Why exactly the existing transparency-and-choice, or notice-and-consent, approach has failed--and what to do about it--remains hotly disputed." (19)

We offer an alternative: informational norms. Informational norms are social norms that constrain the collection, use, and distribution of information. (20) Such norms explain, for example, why your pharmacist may inquire about the drugs you are taking, but not about whether you are happy in your marriage. (21) When appropriate norms govern online exchanges, they ensure that visitors give free and informed consent, and they also implement an acceptable tradeoff between privacy and competing concerns.

Critiques are most effective when they undermine their targets' strongest points; accordingly, we begin with a review of the arguments for Notice and Choice. Discussions of Notice and Choice typically pay little, if any, explicit attention to its underlying rationale, (22) so our review sometimes, of necessity, extrapolates arguments as much as it reports them. We present these arguments in Section I. Section II contains our critique of Notice and Choice. We present our norm-based alternative in Section III and conclude in Section IV with a call to study norms and their role in ensuring free and informed consent.


    The allure of Notice and Choice is that it appears with one elegant stroke to ensure that consent is informed and free and thereby also to implement an acceptable tradeoff between privacy and competing concerns. (23) We start with the argument that Notice and Choice secures informed consent.

    1. Informed Consent: The Role of Notices

      A website visitor's consent to a business's data collection and use practices is informed if the visitor has sufficient knowledge of the practices to make a reasonable evaluation of the risks and benefits of disclosing information. The required information is typically taken to be an adequate amount of specific detail about the type of data collected, the purposes for which it is used, and the third parties with which it is shared. (24) Proponents and critics of Notice and Choice share this specificity assumption. (25) We will reject it later, but we grant it for now. (26) The problem is that visitors generally have little knowledge of the ways in which online businesses collect and use information. (27) Notice and Choice offers an obvious solution: present visitors with the necessary information. (28) The almost universal practice online is to make the presentation in a standard form contract. (29) The relevant information may be scattered across multiple documents--a privacy policy, a terms of use agreement, a sales agreement, and so on. (30) Whether in one document or several, we will call the totality of the written terms addressing data collection and use a "Notice." (31) As long as the Notice sufficiently describes the practices, a visitor who reads and understands it has sufficient knowledge of those practices.

      This obvious solution prompts an equally obvious objection: the vast majority of visitors do not read Notices. (32) So doesn't it follow that the vast majority of visitors fail to give informed consent? (33) No, not as long as hypothetical knowledge counts as sufficient for informed consent. The relevant hypothetical knowledge is the knowledge a visitor would gain from reading the Notice. Counting the hypothetical knowledge as sufficient for informed consent is precisely what courts do. (34) They invoke the duty to read: as long as a party has an adequate opportunity to read and understand an agreement, then the court deems the party to know the terms of the agreement even if he or she did not read it. (35) Thus, if a visitor has an adequate opportunity to read and understand a Notice, a court will deem the visitor to know what it says, and--provided the Notice sufficiently describes the business's data collection and use practices--the visitor's consent will count as informed. (36)

      The duty is a special case of the following widely accepted normative principle: if you know that, with reasonable time and effort, you could obtain information relevant to a future action, and you freely choose not to obtain that information, then, within broad limits, when you act, you assume the risk of adverse consequences of which you would have been aware and which you could have avoided had you obtained the information. This is why "[i]t will not do for a man to enter into a contract, and, when called upon to abide by its conditions, say that he did not read it when he signed it, or did not know what it contained." (37) Despite its normative pedigree, the duty to read has caused considerable academic concern. (38) We nonetheless assume for the sake of argument that the "duty to read interpretation" of informed consent is correct. (39) Our point, which we will develop in Part II, is that Notice and Choice fails to ensure informed consent even when we grant that hypothetical knowledge is sufficient to make consent informed. (40)

    2. Free consent: Affirmative Act or Passive Acquiescence?

      Courts treat Notices as contracts, and, as Mark Lemley notes, "[a]ssent by both parties to the terms of a contract has long been the fundamental principle animating contract law. Indeed, it is the concept of assent that gives contracts legitimacy and distinguishes them from private legislation." (41) A private party does not have the power to unilaterally impose legally enforceable obligations on other adult parties. (42) Only governments can legitimately exercise such power. (43) Special circumstances aside, the only way a private party can impose legally enforceable terms on another adult party is to secure that party's free assent to being bound. (44)

      Margaret Jane Radin offers a useful characterization of when consent is free. (45) Free consent "involves a knowing understanding of what one is doing in a context in which it is actually possible for one to do otherwise, and an affirmative action in doing something, rather than a merely passive acquiescence in accepting something." (46) In her book, Boilerplate, Radin argues that only actual knowledge can fulfill the "knowing understanding" requirement, and she concludes that visitors' consent is not free on the ground that non-reading visitors have only hypothetical knowledge of the terms in Notices. (47) As important as it is, we will not pursue this point. We grant for the sake of argument that hypothetical knowledge fulfills the "knowing understanding"...

