Online Privacy Policies: Contracting Away Control Over Personal Information?

20 Pages Posted: 27 Aug 2013

Date Written: September 30, 2006


Individuals disclose personal information to websites in the course of everyday transactions. The treatment of that personal information is of great importance, as highlighted by the recent spate of data breaches and the surge in identity theft. When websites share such personal information with third parties, the threat of its use for illegal purposes increases. The current law allows website companies to protect themselves from liability for sharing or selling visitors’ personal information to third parties by focusing on disclosures in privacy policies, not on substantive treatment of personal information. Because of the low likelihood that a visitor will read or understand that policy, websites have an incentive to protect themselves by allowing for a broad use of the visitor’s personal information. In turn, websites word those policies as contractual commitments, purportedly binding visitors to their terms, which often include forum selection provisions as well as privacy terms. In light of these two factors – little substantive protection, and privacy provisions that allow for broad use of personal information – such visitors may well find themselves in the position of challenging the enforceability of the privacy policy. I argue that the policies are challengeable primarily on lack of assent and unconscionability grounds.

Keywords: privacy, internet, contracts

Suggested Citation

Stuart, Allyson Haynes, Online Privacy Policies: Contracting Away Control Over Personal Information? (September 30, 2006). Penn State Law Review, Vol. 111, No. 3, 2007, Available at SSRN:

Allyson Haynes Stuart (Contact Author)

Charleston School of Law ( email )

PO Box 535
Charleston, SC 29402
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics