On Notice: The Trouble with Notice and Consent
Proceedings of the Engaging Data Forum: The First International Forum on the Application and Management of Personal Electronic Information, October 2009
7 Pages Posted: 21 Feb 2015
Date Written: 2009
This paper scrutinizes the use of ‘notice and consent’ to address privacy concerns in online behavioral advertising (OBA). It is part of a larger project with Dan Boneh, Arvind Narayanan, and Vincent Toubiana to evaluate the social, political, and ethical standing of OBA and to develop a system (PRIVADS) for privacy- preserving OBA. We develop a distinction between the ethical implications of the (1) tracking that is required to develop user profiles to be used in the (2) targeting of individual users with particular ads. We show how tracking and targeting present both distinct and overlapping ethical concerns and how existing mitigations tend to treat these concerns as one and the same, even when they seem to address different problems. Anonymization, for instance, attempts to defuse the privacy concerns of tracking by excluding ‘personally identifiable’ or ‘sensitive’ information, but offers little to quell concerns over targeting. On the other hand, policy solutions, particularly notice and consent, attempt to render participation a matter of choice, but generally fail to explain whether a user agrees or disagrees to tracking, targeting, or both. Moreover, we show how various types of complexity render current notice mechanisms practically and inherently insufficient. This is due to (1) the confusing disconnect between the privacy policies of online publishers and the tracking and targeting third parties with whom they contract, each of whom have their own privacy policies; (2) the fickle nature of privacy policies, which may change at any time, often with short notice, and (3) the ever-increasing number of players in the ad network and exchange space, resulting in flows of user data that are opaque to users. To the extent that meaningful notice remains illusory under such conditions, we conclude that even an opt-in regime would lack legitimacy.
Keywords: privacy, consent, big data, online behavioral advertising, tracking, cyberlaw, privacy policies
Suggested Citation: Suggested Citation