Against notice skepticism in privacy (and elsewhere).

Author: Calo, M. Ryan
 
INTRODUCTION

What follows is an exploration of innovative new ways to deliver privacy notice. Unlike traditional notice that relies upon text or symbols to convey information, emerging strategies of "visceral" notice leverage a consumer's very experience of a product or service to warn or inform. A regulation might require that a cell phone camera make a shutter sound so people know their photo is being taken. (1) Or a law could incentivize websites to be more formal (as opposed to casual) wherever they collect personal information, as formality tends to place people on greater guard about what they disclose. (2) The thesis of this Article is that, for a variety of reasons, experience as a form of privacy disclosure is worthy of further study before we give in to calls to abandon notice as a regulatory strategy in privacy and elsewhere.

The requirement to provide notice is a very common method of regulation. (3) Notice mandates arise in everything from criminal procedure to financial regulation. (4) Although "ignorance of the law is no defense," (5) there is a sense in which notice underpins law's basic legitimacy--as alluded to by Lon Fuller's inclusion of notice in law's "internal morality" (6) or Friedrich von Hayek's distinction between arbitrariness and the rule of law. (7)

In the context of digital privacy, notice is among the only affirmative obligations websites face. California law and federally-recognized best practices require that a company offering an online service link to a privacy policy. (8) The basic mechanism behind the requirement is that consumers read and compare privacy policies in order to decide what services to use and otherwise exercise choices with respect to their information. (9) These decisions are to police the market by rewarding good practices and penalizing bad ones. (10)

Officials select notice in part because they fear the effect of so-called "command-and-control" regulations on innovation and competition, (11) a concern that appears particularly salient when it comes to digital technology. (12) Thus, for instance, a ban on storing Internet search queries in the name of privacy may interfere with the development of useful services that rely on long-term searching trends. (13) Officials also perceive notice to be cheaper, easier to enforce, and more politically palatable than restrictions on the flow of data. (14) And they recognize that consumer preferences are heterogeneous, such that setting a floor for privacy in advance may prove difficult or arbitrary.

Mandatory notice is understandably popular, but it is also controversial. Many criticize privacy notice as ineffective or worse. (15) These skeptics point out that few consumers read privacy policies and fewer understand them, and hence never become informed decision makers capable of protecting themselves or policing the market. (16) If anything, consumers see the legally required words "privacy policy" and believe it means that the company has a "policy of privacy" and the consumer need not concern herself. (17) Some skeptics call for the abandonment of privacy notice entirely in favor of the same substantive regulation on conduct the notice requirement sought to avoid. (18)

The result has been a standstill in online privacy law: regulators refuse to abandon notice as their primary regulatory mechanism despite growing evidence that existing consumer notices are ineffective. (19) Identifying a new generation of notice that may not be susceptible to the withering critiques commonly levied at traditional notice could lead to an important new regulatory tool in privacy and elsewhere. To be clear, this Article does not recommend any particular solution for the issue of online privacy. Rather, it argues against an extreme skepticism of mandatory notice--a highly popular but much maligned regulatory strategy--by questioning whether critics or proponents of notice have identified and tested all of the available notice strategies.

In Part I, the Article examines the promise of radical new forms of experiential or visceral notice based in contemporary design psychology. Visceral notice differs from traditional notice in that it does not necessarily rely on describing practices in language or symbols. Rather, it leverages a consumer's very experience of a product or service to warn or inform. This Part also compares and contrasts visceral notice to other regulatory strategies that seek to "nudge" or influence consumer or citizen behavior. (20)

Part II discusses why the further exploration of visceral notice and other notice innovation is warranted. The regulatory alternatives to notice are poor. Several scholars have described the danger of substantive restrictions on conduct, particularly in a dynamic context such as the Internet--among the reasons that notice gets selected in the first place. (21) It may be that visceral notice is not susceptible to many of the criticisms of traditional notice. Repeated experience does not necessarily wear out in the same way as repeated messages, for instance. (22) If this is right, we should know about it, as it would mean that calls to abandon notice in favor of substantive regulation are premature.

Part III explores potential challenges to visceral notice--for instance, from the First Amendment--and lays out some thoughts on the best regulatory context for requiring or incentivizing visceral notice. In particular, this Part highlights the potential of safe harbors and goal-based rules, i.e., rules that look to the outcome of a notice strategy rather than dictate precisely how notice must be delivered. It also highlights the advantages of staying true to the essential premise of notice as a regulatory mechanism: conveying useful information.

This Article uses online privacy as a case study for several reasons. First, notice is among the only affirmative obligations that companies face with respect to privacy--online privacy is a quintessential notice regime. (23) Second, the Internet is a context in which notice is widely understood to have failed, but where the nature of digital services means that viable regulatory alternatives are few and poor. (24) Finally, the fact that websites are entirely designed environments furnishes unique opportunities for the sorts of untraditional interventions explored in Part I of the Article.

Yet the insights of this Article are not limited to privacy. Similar dynamics play out in many other substantive areas. (25) Any lessons this Article yields might be applied much more broadly.

  1. EXPERIENCE: AN EMERGING NOTICE STRATEGY

    Notice is a popular regulatory strategy. In the context of online privacy, providing notice is among the only obligations companies face. California law requires any company that collects personally identifiable information from California citizens--which is most Internet companies in the United States--to have a privacy policy. (26) This policy must contain a basic description of the information the company collects, how it is used, with whom it is shared, and how it is secured. (27) The company must link to the privacy policy from any page from which it collects personal information. The link must be "conspicuous" and contain the word "privacy." (28)

    The Federal Trade Commission is the agency primarily responsible for enforcing consumer privacy online. Its animating statute, the FTC Act, provides the Commission with a mandate to investigate and pursue claims of unfair or deceptive practice. (29) The FTC is guided by a set of "fair information practice principles" in applying the FTC Act to online privacy. (30) These principles include notice/awareness, choice/consent, access/participation, and integrity/security. (31)

    In practice, the Commission privileges the principle of notice to the practical exclusion of the others. Agency materials refer to notice as "[t]he most fundamental principle." (32) A review of the FTC's enforcement pattern over the past decade--from the Microsoft Passport consent order to the recent Sears proceeding--reveals that the Commission seldom moves forward with an enforcement proceeding unless a company has violated the notice/awareness principle, provided clearly inadequate security, or some combination thereof. (33)

    As the Commission has acknowledged, consumers face a number of obstacles to the gainful use of privacy policies. Most choose not to read them, for instance, and those that do find them unclear and excessively long. (34) Scholars in multiple disciplines have explored shortening privacy policies or otherwise changing their format to reduce the burden on consumers. This might involve converting "legalese" to plainer language, (35) "layering" notice, (36) placing the information in a table, (37) or otherwise standardizing disclosure. (38) Studies show only marginal improvement in consumer understanding where privacy policies get expressed as tables, icons, or labels, assuming the consumer even reads them. (39)

    This Article focuses on emerging techniques of notice that, representing something of a radical departure from traditional notice, have gone largely unexplored to date. Acknowledging the limitations of the written word, icon, or picture, this Part looks to the potential of contemporary design psychology to create a new generation of notice. The notice described below differs from privacy policies--and, indeed, traditional notice generally--in that it does not rely exclusively on language or its symbolic equivalent. Rather, it is "visceral," in the sense of changing the consumer's understanding by leveraging the very experience of a product or service. (40)

    The first section offers three categories of visceral notice and gives examples. The categories include using a familiarity with one technology or context to warn or inform about another; using certain common psychological reactions to design to change a consumer's mental model (41) of a product or service; and "showing" consumers...
