Against Notice and Choice: the Manifest Failure of the Proceduralist Paradigm to Protect Privacy Online (or Anywhere Else)
91 Pages Posted: 20 Feb 2018
Date Written: February 20, 2018
Notice and choice are the foundational principles underlying the regulation of privacy in online transactions and in most other situations in which individuals interact with the government and commercial interests. These principles mean that before collecting personally identifiable information (“PII”) from an individual, the collector must provide the individual with a disclosure (notice) of what PII it proposes to collect and how it proposes to use that information. That knowledge enables the individual to make a rational decision (choice) about whether to allow that collection of information, generally by declining to enter into the transaction or, in some situations, by denying consent to collect the PII.
This article argues that the notice-and-choice paradigm is fundamentally flawed, cannot be fixed, and should be replaced with a system that places substantive limitations on the collection and use of PII for commercial purposes.
Why do presumably rational users of the Internet fail to take advantage of this wealth of disclosure information, which is only a click away? Our behavior is easily explained by the concept of “rational inattention.” The human condition of bounded rationality makes it infeasible for us to take in and process all the information that is contained in the privacy notices that surround us. Even if we were able to process these notices, it would do us no good because, as demonstrated by an empirical study included in the article, the uniformity among these privacy policies means that we cannot choose among more- and less-protective policies: we can only choose to engage with the online world, making our PII available for uses that we cannot understand or evaluate, or become hermits in self-exile from the online world.
The alternative that the article proposes is to discard our faith in the proceduralist approach of notice-and-choice and develop substantive rules that will truly protect the privacy of individuals in their online interactions, rather than settling for the simulacrum of privacy protection that the present system offers.
Note: Please note that this article is not in its final form and quotations taken from it may not be identical to the published version.
Suggested Citation: Suggested Citation