Since the 1970’s, fair information practices (FIPs) or fair information privacy practices (FIPPs) have formed the framework around which organizations structure their policies on data collection, use, disclosure, and retention. The cornerstone of individual privacy rights under the FIPs is notice and choice, sometimes called notice and consent. That is, an organization should inform individuals about how their personal information will be processed and shared and proceed only when an individual agrees to such use. At first glance, these dual concepts may appear to adequately protect individual privacy. As the digital landscape has evolved, however, it has become apparent that the notice and choice paradigm fails to adequately protect individual privacy in important ways.
First, the concepts of notice and choice assume that the choice is informed, but that is likely not the case. Privacy notices are often buried in terms of service that are lengthy, confusing, and difficult to read. They are often full of legalese and written from the perspective of protecting the organization from legal liability rather than from the perspective of genuinely and clearly informing users as to how their personal information might be shared. The term “privacy notice” may give users the impression that it contains information on how the organization is going to protect personal information rather than how it is going to disclose that information, which further disincentives a close read. All of this leads to the conclusion that a substantial number of individuals have no idea how companies are using or sharing their personal information.
That leads to a second related problem with the notice and choice framework. Notice and choice adequately protect individual privacy only if the choice is meaningful and consent is freely given. Yet accepting an organization’s privacy notice or terms of service is usually presented as a take it or leave it threshold requirement to access a website, web service, or application. When faced with the choice of access or no access, users will choose access, no matter how draconian an organization’s information sharing practices may be. In other words, conditioning user access on providing personal information and agreeing to an organization’s privacy policy gives the user a choice only in the most literal sense. But given human nature and the presence of information technology in our daily lives, it really presents the user with no choice at all.
Both of these issues, difficult to understand privacy notices and conditioning access on acceptance, have real effects. Users are constantly inundated with lengthy terms of use that they know they have no choice but to accept if they want to access the website or application at issue. They soon become desensitized and simply click “accept.” To be sure, a 2017 Deloitte consumer survey concluded that 91% of consumers simply accept legal terms and conditions without reading them, and that number jumps to 97% when looking at consumers age 18 to 34. These statistics show that while notice and choice may sound good in theory, it has real shortcomings in practice.
Recognizing that notice and choice may no longer be sufficient to protect individual data privacy rights, some privacy professionals have signaled a move away from the notice and choice paradigm. For example, in a September 2018 request for comments, the National Telecommunications and Information Administration (NITA) noted, “To date, [mandates on notice and choice], have resulted primarily in long, legal, regulator-focused privacy policies and check boxes, which only help a very small number of users who choose to read these policies and make binary choices.” Fortunately, there are a number of things that a company can do to get out in front of this transition away from a strict notice and choice regime.
First, an organization can build consumer trust by posting an easy to understand, layered privacy notice. A layered privacy notice starts with a short and simple statement of what personal information the organization collects and why it collects it. This first layer notice then contains a link to a fuller statement of the organization’s privacy policy. This second layer can be a broader “highlights” document as well, with a further link to the full privacy policy or perhaps an FAQ page. Short, top-layer notices also help users and protect the organization because they are more easily read on the smaller screens of mobile devices. Moreover, being transparent and using plain language in its privacy notice will help the organization build goodwill with its customers.
Second, an organization can protect its customers’ privacy rights by minimizing the amount of data it collects on those customers. Organizations should give serious thought before collecting more personal information than is necessary to provide the good or service in question. Data is not only an asset, but also a potential liability. While a data breach is never a pleasant experience, the harm to a company’s reputation will be amplified if the breach contains disclosure of personal information that has no rational connection to the good or service the organization provides to its customers.
Third, an organization can give its customers multiple options as to how their personal information is used and shared. For example, customers may be fine with having their email addresses added to a company’s internal marketing list, but may not want that same information sold to a third-party mailing list. True consumer choice requires more than an all or nothing approach.
As the practical shortcomings of the notice and choice framework become more apparent, lawmakers and regulators likely will begin to mandate a more holistic approach that looks more fully at what an organization does to protect individual privacy rights, rather than focusing on whether the organization simply complied with notice and choice requirements. By thinking about this shift now, organizations can better prepare themselves for this transition while building trust and confidence with their customers at the same time.
