You didn't even notice! Elements of effective online privacy policies.

Author: Grannis, Amanda
Position: Introduction through II. Exploring the Elements of Effective Legal Notice B. FDA Labeling Rules 2. User-Friendly Formatting, p. 1109-1139

Introduction
I. The Landscape of Notice in U.S. Privacy Law
  A. The Federal Trade Commission and Notice and Choice
  B. The FTC's Harm-Based Model
  C. Statutory Protections of Privacy
  D. Common Law Notice Standards Applied to the Digital Age
II. Exploring the Elements of Effective Legal Notice
  A. Arbitration Clauses Viewed as Contracts: Actual and Constructive Notice
    1. Contract Remedies for Insufficient Notice of Arbitration Clauses
    2. Arbitration Clauses Viewed as Waivers: The "Voluntary and Knowing" Standard
  B. FDA Labeling Rules
    1. Standardized Content in FDA Labeling Rules
    2. User-friendly Formatting
    3. Symbolic Visual Cues
  C. FTC Enforcement Actions
    1. Unauthorized Disclosure of Personal Information
    2. Surreptitious Collection of Personal Information
    3. Failure to Secure Personal Information
    4. Unlawful Retention of Personal Information
  D. Notice Problems in the Online World
    1. The Cost of Reading Privacy Policies
    2. Ambiguity and Consumer Misunderstanding
      a. Ambiguity of Privacy Policy Language
      b. Misunderstanding of Privacy Policy Text
      c. False Assumptions and Lack of Awareness
III. Elements of Effective Online Notice
  A. The Format of Effective Notice
    1. Readable Text
    2. Conspicuous Disclosures
  B. The Content of Effective Notice
    1. Accurate Disclosures
    2. Precise Language
    3. Affirmative Consent to Modified Material Terms
    4. "Knowing and Voluntary" Assent
Conclusion

INTRODUCTION

On February 5, 2015, electronic retailer RadioShack filed for Chapter 11 bankruptcy protection. (1) RadioShack previously announced that it planned to sell the personally identifiable information of 117 million consumers in asset auctions across several states. (2) The following month, RadioShack sought to sell its "transaction data," along with 8.5 million customer email addresses and 67 million customer names and address files. (3) This trove of personal data would be a valuable asset to third-party marketers, (4) as it would reveal what items customers purchased, where they purchased them, and how much they paid. (5)

Ultimately, a bankruptcy judge approved the sale of RadioShack's customer data for $26 million, which after negotiations sold the names and addresses of 67 million former customers. (6) This controversial sale not only alarmed the public and state regulators, but arguably directly breached RadioShack's privacy policy. (7) Indeed, RadioShack's privacy policy provided that it would not "sell or rent" customers' "personally identifiable information to anyone at any time." (8) RadioShack's privacy policy also claimed that it "respect[ed]" customers' privacy, and would abstain from selling its mailing lists. (9) How could RadioShack break its own privacy promises and operate against former assurances to customers?

The RadioShack case typifies systematic problems of privacy policies and online notice. Sometimes, companies like RadioShack will break their own promises to customers, and appropriate consumer data in ways that the average consumer would not anticipate. (10) More often, however, privacy policies are vague or silent about core data practices. (11) Commercial websites often collect, share, and retain consumer information without mentioning these practices or disclosing their specific details in privacy policies. (12) Furthermore, the verbose and legalistic character of policy language often makes it difficult for consumers to understand privacy terms, (13) and the format of privacy policies deters consumers from reading them. Research shows that the majority of consumers do not read privacy policies, (14) and this may be because they are often displayed in dense paragraphs of crowded text.

In response to these prevalent issues, this Note explores how companies can alter their privacy policies so that they will become usable notice mechanisms of online data collection and dissemination practices. Part I analyzes common law and statutory sources of notice regulation in the United States. Part I also addresses the Federal Trade Commission's (FTC) privacy jurisprudence as well as notice and choice, the dominant model for displaying and attaining users' consent to the terms of online privacy policies.

Part II examines and extracts the most salient principles of effective notice from established relevant legal models. Each legal model represents a different aspect of commercial practice, and their notice standards thus provide valuable insights for conveying effective notice in the context of commercial websites and online consumer transactions. To illustrate greater standards of notice in the domain of commercial contracts, this section first studies notice requirements of enforceable arbitration agreements. The second legal model discussed is the Food and Drug Administration's (FDA) over-the-counter (OTC) drug labeling rule. This section examines FDA labeling practices to highlight what constitutes sufficient notice and warnings in highly regulated industries. Part II then describes different FTC enforcement actions that relate to consumer privacy harms as a reflection of greater notice and privacy standards of general commercial entities. Part II concludes with an overview of some of the most prominent issues pertaining to online notice today.

Part III extrapolates core principles from the three legal models to articulate the elements of effective online notice. This Note does not purport to outline an exhaustive list of essential elements. Rather, these elements are intended to inform expectations of what effective notice should be in the online world. These elements pertain to both the format and content of effective notice, as each of these aspects has a vital impact on consumer understanding of privacy terms. Part III also discusses what tactics commercial websites should implement to sufficiently communicate the nature and scope of their data collection practices to consumers. Moreover, this Part offers a greater analytical framework for addressing online notice problems.

  I. THE LANDSCAPE OF NOTICE IN U.S. PRIVACY LAW

    A. The Federal Trade Commission and Notice and Choice

      Privacy law in the United States is often described as "sectoral" (15) because there is no one dominant source of privacy legislation. (16) Privacy laws operate like a patchwork quilt of various state law privacy torts, federal statutes, and administrative rules. (17) In terms of government regulation, the Federal Trade Commission (FTC) is the main federal agency that regulates the privacy space. (18) Congress created the FTC in 1914 after it enacted the Federal Trade Commission Act (FTCA) to protect consumers and promote competition. (19) In 1995, the FTC began to shift its focus to online consumer privacy issues, (20) as the Internet was becoming more ubiquitous and the online marketplace was burgeoning. (21) During this time, the FTC endorsed a policy of privacy self-regulation, in which it entrusted consumers to make their own decisions and judgments about their privacy. (22) The FTC began to clarify and define this model of privacy self-regulation in a 2000 report. (23) In the report, the FTC determined that commercial entities that collected consumers' personally identifiable data must comply with the "fair information practice principles" of "Notice" and "Choice." (24) The FTC explained that "Notice" required entities to give consumers "clear and conspicuous notice" of their information practices "before any personal information is collected." (25) The FTC stated that "Notice" was the "most fundamental" principle because it was a "prerequisite to implementing other fair information practice principles, such as Choice." (26) According to the principle of "Choice," entities must give consumers options pertaining to how "any personal information collected... may be used for purposes beyond those necessary to complete a contemplated transaction." (27) Such "purposes" may include sharing consumer information with third parties or using it for marketing products. (28)

      The FTC premised the notice and choice model on the belief that companies would disclose their data collection practices to consumers, and consumers would self-manage their privacy by offering or denying their consent. (29) The FTC asserted that privacy notices should be seen as a way to help consumers understand what information is collected about them and what is done with that information. (30) In response to the FTC's endorsement of a policy of privacy self-regulation, companies began to draft and post privacy policies on their commercial websites. (31) Not only could these policies promote companies' privacy practices, but they could also help to "stave off" formal privacy regulations from Congress. (32) Eventually, privacy policies became fairly ubiquitous in online commercial practice. (33) In 1998, only two percent of websites displayed privacy policies; by 2000, nearly all websites featured them. (34)

      The self-regulatory regime of notice and choice remains in place today. (35) Companies display disclosure statements pertaining to their data collection practices on their websites, and consumers can choose to read those disclosures and decide to...
