THE PATHOLOGIES OF DIGITAL CONSENT.

• Author: Richards, Neil

ABSTRACT

Consent permeates both our law and our lives--particularly in the digital context. Consent is the foundation of the relationships we have with search engines, social networks, commercial web sites, and any one of the dozens of other digitally mediated businesses we interact with regularly. We are frequently asked to consent to terms of service, privacy notices, the use of cookies, and so many other commercial practices. Consent is important, but it's possible to have too much of a good thing. As scholars have documented, while consent models permeate the digital consumer landscape, the practical conditions of these agreements fall far short of the gold standard of knowing and voluntary consent. Yet as scholars, advocates, and consumers, we lack a common vocabulary for talking about the different ways in which digital consents can be flawed.

This article offers four contributions to improve our understanding of consent in the digital world. First, we offer a conceptual vocabulary of "the pathologies of consent"--a framework for talking about different kinds of defects that consent models can suffer, including unwitting consent, coerced consent, and incapacitated consent. Second, we offer three conditions for when consent will be most valid in the digital context: when choice is infrequent, when the potential harms resulting from that choice are vivid and easy to imagine, and where we have the correct incentives choose consciously and seriously. The further we fall from these conditions, we argue, the more a particular consent will be pathological and thus suspect. Third, we argue that our theory of consent pathologies sheds light on the so-called "privacy paradox"--the notion that there is a gap between what consumers say about wanting privacy and what they actually do in practice. Understanding the "privacy paradox" in terms of consent pathologies shows how consumers are not hypocrites who say one thing but do another. On the contrary, the pathologies of consent reveal how consumers can be nudged and manipulated by powerful companies against their actual interests, and that this process is easier when consumer protection law falls far from the gold standard. In light of these findings, we offer a fourth contribution--the theory of consumer trust we have suggested in prior work and which we further elaborate here as an alternative to an over-reliance on increasingly pathological models of consent.

INTRODUCTION

Consent permeates our law. It is one of its most powerful and most important building blocks. This should be no wonder. We live in a society that lionizes individual choice in the many social roles we play every day, whether as consumers, citizens, family members, voters, lovers, or employees. Consent reinforces fundamental cultural notions of autonomy and choice. It transforms the moral landscape between people and makes the otherwise impossible possible. (1) It is essential to the exercise (and waiver) of fundamental constitutional rights, and it is at the essence of political freedom, whether we are talking broadly about a "social contract" or making political choices for individual candidates and referenda in the voting booth.

Consider the substantial amount of legal work that consent performs. It is the basis of contracts, whether for goods, services, real estate, or marriage. The consent of the governed is the basis for the rule of law in democratic societies and was an important basis for the American Revolution. Consent can also work magic. When consent is present, trespassers can become dinner guests, a battery can become a welcome pat on the back, and even what would otherwise be a sexual assault can become an act of intimacy. (2)

Consent's power, its usefulness, and its resonance with norms of autonomy and choice make it an easy legal tool to reach for when we want to regulate behavior. Just as activities that have no harm might warrant lesser (or no) regulation, what consenting adults choose to do together takes that activity presumptively beyond the law's regulatory power. This is true whether the activity happens in the open or behind the proverbial closed doors. Consent's power is particularly justified in cases of what we might call "gold standard" consent--agreements between parties who have equal bargaining power, significant resources, and who knowingly and voluntarily agree to assume contractual or other legal obligations.

Perhaps nowhere has consent been deployed more frequently as a legal concept than in the context of digital goods and services. Consent is the foundation of the relationships we have with search engines, social networks, commercial web sites, and any one of the dozens of other digitally mediated businesses we interact with regularly. We are frequently asked to consent to terms of service, privacy notices, the use of tracking cookies, and so many other commercial practices. But it's possible to have too much of a good thing. As we and other privacy law scholars have documented elsewhere, while consent models permeate the digital consumer landscape, the practical conditions of these agreements fall far short of the gold standard. (3) Think about your own agreements with the social networks you use, the apps you install on your phone, or the Amazon Alexa that might sit, listening, in your kitchen or bedroom. Do you know what you agreed to? Have you read the agreements? Did you have a meaningful choice? While the answer to these questions is usually "no," the dominant legal regime that applies in the United States is that the terms and conditions of these services are valid as long as there is some kind of "notice and choice" to consumers. (4) In practice, and as enforced with occasional exception by the Federal Trade Commission (FTC), notice-and-choice models can be legally sufficient even if the notice is buried somewhere in a dense privacy policy, and the choice is take-it-or-leave-it--accept what a company wants to do with your data or not use the service at all. (5)

While criticism of the over-use of consent in the consumer privacy context is rising, critics lack a shared vocabulary with which to discuss when consent is legitimate, when it is flawed, and how to talk about and distinguish those flaws. (6) Our lack of the right words and concepts with which to talk about defects in consent models runs into the rhetorical, cultural, and legal power of consent. As a consequence, consent criticism can fail to gain traction in the minds of those who are undecided or who have taken consent's powerful "consenting adults" rhetoric at face value. This results in a projection of gold standard norms onto the deficient digital landscape in ways that we want to suggest are pathological. In this article, we offer a conceptual framework for thinking about when consent is valid and when it has pathologies, and a conceptual vocabulary for talking about different kinds of pathologies that consent models can suffer. Our analysis is focused on the consumer privacy context, but we believe that our model and the vocabulary of the pathologies of consent can be useful in many of the other areas of the law in which consent is frequently applied.

Let us be clear about our claim: We arc not arguing for a wholesale rejection of consent. A legal system without consent would be so radically different from what we have that it would be almost unimaginable. More fundamentally, we believe that consent should retain its prominent place in our law generally. Our argument is more nuanced. Consent is undeniably powerful, and often very attractive. But we have relied upon it too much, and deployed it in ways and in contexts to do more harm than good, and in ways that have masked the effects of largely unchecked (and sometimes unconscionable) power. (7) The gold standard of consent to data practices has been articulated throughout our law as being "knowing and voluntary." (8) European law uses an analogous method to require consent that is "freely given, specific, informed," and voluntary. (9) But this ideal can only exist under certain circumstances, (10) which is what we hope to illuminate in this essay. We argue that consent is most valid when we are asked to choose infrequently, when the potential harms that result from the consent are easy to imagine, and when we have the correct incentives to consent consciously and seriously. The further we fall from this gold standard, the more a particular consent is pathological and thus suspect.

Beyond the conceptual framework and vocabulary, we offer a third contribution to our understanding in this area. We believe that the theory of consent pathologies offered here complicates a seductive but simplistic story that has been offered in tech policy circles for over a decade. This is the notion of the "privacy paradox"--the idea that consumer anxiety about privacy is undermined by the fact that consumers act in privacy-diminishing ways in practice. Understanding this phenomenon in terms of consent pathologies reveals that consumers are not hypocrites who say one thing but do another that reveals their true preferences. On the contrary, the pathologies of consent show how consumers can be nudged and manipulated by powerful companies against their actual interests, and this phenomenon is easier when the legal regime that purports to protect consumers falls far from the gold standard. As a fourth contribution, we suggest that the solution is not to double down on our increasingly pathological models of consent, but to look to other mechanisms that are more sensitive to relationships and power differentials, such as those designed to inspire the social trust that makes consent less necessary.

Our argument has four parts. In Part I, "the Empire of Consent," we survey the many instances of consent in our law, illustrating both the varied work that consent performs and the varied tests for consent that courts and legislatures have produced. We...