A Proposal for Notice and Choice Requirements of a New Consumer Privacy Law.

• Author: Jordan, Scott

TABLE OF CONTENTS I. INTRODUCTION 254 II. FAILURES OF THE GDPR AND THE CCPA TO USE BOTH OPT-IN AND OPT-OUT CHOICES 261 III. FAILURES OF THE GDPR AND THE CCPA TO ADDRESS THE SPECTRUM OF IDENTIFIABILITY 263 A. Limited Definitions in the GDPR and in the CCPA 263 B. Lack of Recognition of the Benefits of Pseudonymous Information 264 C. Lack of Recognition of the Benefits of Non-Trackable Information 265 D. Differences in Consumer Views of Reasonably Identifiable Information, Pseudonymous Information, and Non-Trackable Information 266 IV. EXAMPLES OF COLLECTION, USE, AND SHARING OF DIFFERENT TYPES OF PERSONAL INFORMATION 267 A. Functional Use 267 B. Non-Functional Use 268 C. Sharing 269 V. PROPOSED CHOICE FRAMEWORK 270 A. Functional Use 271 B. Non-Functional Use 271 C. Sharing 272 VI. EMPOWERING CONSUMERS WHO DESIRE PRIVACY-PRESERVING ADVERTISING 273 A. Using Reasonably Identifiable Information for Behavioral Ads Published by an Ad Broker 274 B. Using Pseudonymous Information for Audience Segment Ads with Tracking 275 C. Audience Segment Ads Without Tracking 277 D. Contextual Ads 279 VII. PROPOSED NOTICE REQUIREMENTS 280 A. Types of Notice 280 B. Contents of Notices About Collection and Use 281 1. Categories of Personal Information 282 2. Method and/or Source of the Collection of Personal Information 284 3. Use of Personal Information 285 C. Contents of Notices About Sharing 286 1. Categories of Personal Information Shared 286 2. Recipients of Personal Information 287 VIII. STATUTORY TEXT 289 A. Defining Personal Information and Reasonably Linkable Information 289 1. Is the Information Personal? 291 2. Is the Information Private? 293 3. Is the Information Reasonably Linkable? 294 B. Defining Reasonably Identifiable Information, Pseudonymous Information, and Non-Trackable Information 297 1. Is the Information Trackable? 297 2. Is the Information Reasonably Identifiable? 300 C. Defining De-Identified Information and Anonymous Information 304 1. Is the Information Anonymous? 304 2. Is the Information De-Identified? 307 D. Defining Sensitive Information and Functional Use 309 1. Sensitive Personal Information 309 2. Functional Use 311 E. Defining Processing and Choice 313 1. Collection, Use, and Sharing 313 2. Choice 314 F. Defining Various Entities 315 1. Controllers and Contractors 315 2. First and Third Parties 318 G. Legal Controls 319 1. Legal Controls on De-Identified Information 319 2. Legal Controls on Non-Trackable Information 321 3. Legal Controls on Pseudonymous Information 321 IX. CONCLUSION 322 APPENDIX: STATUTORY TEXT 323 Sec. 1. Definitions 323 Sec. 2. Notice 326 Sec. 2. Choice 327 I. INTRODUCTION

The United States Congress has been devoting substantial attention to crafting a comprehensive consumer privacy law in the last few years. Any bill that attracts a majority vote is almost certain to include specific requirements for notices (e.g., elements of privacy policies) and for user choices (e.g., opt-out and/or opt-in). The formulation of these notice and choice provisions is the focus of this article.

Some researchers and stakeholders have criticized the notice and choice approach to consumer privacy regulation, pointing out the difficulty that consumers have reading privacy notices and the powerful position that businesses have in constructing choice mechanisms. Some researchers and stakeholders suggest imposing duties of care, loyalty, and confidentiality. However, whether or not such duties are incorporated into a future U.S. comprehensive consumer privacy law, it is exceedingly likely that notice and choice will remain a critical part of any such law.

In addition to notice and choice provisions, a comprehensive consumer privacy law may include requirements relating to a lawful basis other than user consent; data minimization; duties of care, loyalty, and confidentiality; readability of privacy policies; consumer rights to access, correct, and delete their personal information; methods for consumers to exercise these rights; methods for exercising choice; data portability; financial incentives; profiling; automated decision-making; research purposes; data security; data breaches; and enforcement. These issues are important but are outside the scope of this article.

The two common starting points for a comprehensive consumer privacy law are the 2016 European General Data Protection Regulation (GDPR) (1) and the 2018 California Consumer Privacy Act (CCPA). (2) In the GDPR and in the CCPA, notice requirements and user choices play a central role. However, the GDPR and the CCPA often do not agree on the specific requirements for notice and for user choice. (3) Thus, the GDPR and the CCPA often present two different policy options for notice and for choice.

However, policy options should not be limited to those offered by the GDPR and the CCPA. The notice requirements in these two options have proven to be insufficient to provide consumers the information necessary to make informed choices about their use of services and applications. Privacy policies often use non-standardized definitions of personal information that do not align with those in the GDPR or the CCPA or even with each other, leaving consumers confused about what constitutes personal information. Privacy policies often include assertions about the anonymity of personal information that exceed both the technical abilities and legal definitions of anonymization and of de-identification. Privacy policies often lack specificity over what personal information is collected and how, leaving consumers uncertain about the related privacy risks. Additionally, privacy policies often lack transparency about which personal information is required to provide functionality of the service or app, and which personal information is used for non-functional purposes such as advertising, frustrating consumers' attempts to balance functionality and privacy. Privacy policies often fail to disclose sufficient information about sharing of personal information, impeding consumers' ability to understand the degree of identifiability of their shared information, to determine the associated privacy risks, or to follow the dissemination of their personal information through the data ecosystem. A comprehensive consumer privacy law should remedy these shortcomings of the GDPR and the CCPA.

Turning to the opt-in and opt-out choices currently offered to consumers, there are also failings that need to be addressed. When privacy policies give choices to consumers, the choices are often limited. Privacy policies often give consumers little choice over what personal information is collected. Privacy policies generally do not provide consumers choices about the use of their personal information that provide a tradeoff between functionality of the service or application and the consumer's privacy. Privacy policies also often fail to give consumers much control over which of their personal information is shared, with whom, and for what purposes. Ultimately, privacy policies generally give consumers little control over the dissemination of their personal information through the data ecosystem. The choice requirements mandated by the GDPR (often described as opt-in) and by the CCPA (often described as opt-out) present two different policy options. However, there are policy options that apply opt-in and opt-out requirements to different types of personal information, that may be superior to either the GDPR's or the CCPA's approaches, and that may remedy these shortcomings.

The academic literature includes several articles that analyze the GDPR and/or the CCPA. Hoofnagle, van der Sloot, and Borgesios provide an overview of the GDPR's roots and goals. (4) They explain the history of European data protection and privacy laws prior to the GDPR, (5) the GDPR's scope, (6) Fair Information Practices, (7) the legal basis for processing personal data, (8) special requirements for sensitive personal data, (9) data transfers, (10) and enforcement. (11) They also broadly discuss the responsibilities of businesses and processors (12) and the rights of consumers. (13) However, this piece does not give detailed analyses of notice and consent requirements.

Hintze provides a summary of the GDPR's notice requirements, along with advice on how a business may comply with them. (14) He briefly discusses the types of organizations subject to the GDPR, (15) and then discusses in detail the required elements of privacy notices. His article is broader than the focus of this article, including discussion of not only notices regarding the processing of personal data, but also notices regarding the identity of the controller; (16) the legal basis for processing personal data; (17) user rights to access, correct, and delete personal data; (18) the user right to data portability; (19) the user right to complain; (20) data transfers; (21) and data retention. (22) Pardau provides a summary of the unamended original version of the CCPA. (23) He briefly summarizes the CCPA's notice and consent requirements. (24) He also summarizes other provisions in the CCPA, including its scope (25) and user rights to access and delete personal information. (26)

There are a few academic articles that compare various aspects of the GDPR and the CCPA. Buresh compares the European and American principles and definitions of privacy and discusses some of the relevant case law. (27) He then compares user rights under the GDPR and the unamended original version of the CCPA. Blanke focuses on the protection under the GDPR and the CCPA of personal information that consists of inferences drawn from other personal information. (28) However, neither article goes into much detail on the similarities and differences in the notice and consent requirements of the GDPR and the CCPA. (29) Jordan compares the notice and consent requirements of the GDPR, the unamended original version of the CCPA, and the recently amended version of...