Privacy Decisions are not Private: How the Notice and Choice Regime Induces us to Ignore Collective Privacy Risks and what Regulation Should Do About It

57 Pages Posted: 18 Feb 2023 Last revised: 10 Apr 2024

See all articles by Christopher Jon Sprigman

Christopher Jon Sprigman

New York University School of Law; New York University (NYU) - Engelberg Center on Innovation Law & Policy

Stephan Tontrup

New York University School of Law

Date Written: February 15, 2023

Abstract

For many reasons the current notice and choice privacy framework fails to empower individuals in effectively making their own privacy choices. In this Article we offer evidence from three novel experiments showing that at the core of this failure is a cognitive error. Notice and choice caters to a heuristic that people employ to make privacy decisions. This heuristic is meant to judge trustworthiness in face-to-face-situations. In the online context, it distorts privacy decision-making and leaves potential disclosers vulnerable to exploitation.

From our experimental evidence exploring the heuristic’s effect, we conclude that privacy law must become more behaviorally aware. Specifically, privacy law must be redesigned to intervene in the cognitive mechanisms that keep individuals from making better privacy decisions. A behaviorally-aware privacy regime must centralize, standardize and simplify the framework for making privacy choices.

To achieve these goals, we propose a master privacy template which requires consumers to define their privacy preferences in advance—doing so avoids presenting the consumer with a concrete counterparty, and this, in turn, prevents them from applying the trust heuristic and reduces many other biases that affect privacy decision-making. Our data show that blocking the heuristic enables consumers to consider relevant privacy cues and be considerate of externalities their privacy decisions cause.

The master privacy template provides a much more effective platform for regulation. Through the master template the regulator can set the standard for automated communication between user clients and website interfaces, a facility which we expect to enhance enforcement and competition about privacy terms.

Keywords: Privacy; Notice and Choice; Heuristic Decision-Making; Reform; Law and Economics; Experimental Economics

Suggested Citation

Sprigman, Christopher Jon and Tontrup, Stephan, Privacy Decisions are not Private: How the Notice and Choice Regime Induces us to Ignore Collective Privacy Risks and what Regulation Should Do About It (February 15, 2023). Forthcoming Journal of Empirical Legal Studies 2024. NYU Law and Economics Research Paper No. 23-22, Available at SSRN: https://ssrn.com/abstract=4359681 or http://dx.doi.org/10.2139/ssrn.4359681

Christopher Jon Sprigman

New York University School of Law ( email )

40 Washington Square South
NY, NY 10012
United States

New York University (NYU) - Engelberg Center on Innovation Law & Policy ( email )

New York, NY
United States

Stephan Tontrup (Contact Author)

New York University School of Law ( email )

40 Washington Square South
New York, NY 10012-1099
United States
+1. 917 7286323 (Phone)

Do you have negative results from your research you’d like to share?

Paper statistics

Downloads
169
Abstract Views
1,069
Rank
322,116
PlumX Metrics