Consumer choice is one of the pillars of our approach to privacy in the U.S.
A privacy policy gives consumers “notice” about how their personal information will be collected, used, and shared and then tells the consumer what “choices” they have. Websites present checkboxes and buttons labeled “Agree,” all designed to give consumers options for how they participate online.
As the digital landscape has evolved, however, it has become apparent that this notice and choice approach may fail to protect individual privacy. Instead, it puts the burden of privacy protection on the consumer. Consumers are asked to understand unclear concepts (“what IS a sale”?) and are then presented with a false choice—agree or don’t use the website.
The focus on consumer choice fails, in part, because consumers often don’t understand how information is collected and used online (and how they may benefit or be harmed by that use).
There are also practical limitations to the choices provided, and consumers ultimately don’t want to make these complicated decisions every time they visit a website. Consent-fatigue hits even the most vigilant consumer, and at some point, it’s just easier to click accept so you can read that article and move on with your life.
The Failure of “Notice”
Website publishers are expected to create privacy policies that are both short and easy to read, but that disclose in detail the data that is collected, used, and shared by the site.
Having written countless policies addressing the myriad of privacy regulations, I can attest to the difficulty of this task.
Privacy policies aren’t 20 pages long because companies want them to be. They are that long because that is the space required to disclose all of the information regulators expect to see.
These requirements rarely consider or emphasize what is meaningful to the consumer and what would help the consumer make a (quick) decision about how to engage with that website.
For example, one of the regulations issued under the California Consumer Privacy Act is a requirement to disclose metrics about the number of individual rights requests a company has received. How is this information at all useful to the consumer? It’s not. Instead, it adds more length to the policy, more text for the consumer to parse through, and ultimately little value.
The Reality of Consent Fatigue
There have been several studies examining the impact of “decision fatigue” – the mental impact of having to make too many decisions. As one study noted, “people who lack choices seem to want them and often will fight for them”; yet at the same time, “people find that making many choices can be [psychologically] aversive.”
Similarly, requiring consumers to accept or agree to the cookie or privacy policy on every website they visit, to understand and make decisions about whether to opt-out of “sales,” is draining.
The same fatigue that sets in after someone is asked to make decisions throughout the day sets in when consumers are asked about exercising their choices online, and it’s not clear how meaningful these choices are.
What’s the Alternative?
If the notice and choice framework is failing us, then we have to find a better way. Here’s what I suggest:
- Invest in consumer education – Consumers should understand what to expect online: what activities are routine and (relatively) harmless, what activities are out of the ordinary, and why. Ideally, this would be a “just the facts” delivery of information, without the spin or rhetoric from either side.
- Adopt a one-page, easy to read privacy notice – The concept of a “privacy nutrition label” has been discussed for over a decade, but has never been widely adopted. The time has come. We should identify the most important questions a consumer may have based on the platform (website, app, etc.) and answer them with a yes or no (“Do you give my email address to third parties to send me marketing messages? Yes/No”…” Does this app track my location for advertising purposes” Yes/No). The details can be included on a longer notice for those who want to read it and for regulators who will still demand to have it.
- Adopt a white list of advertising activities – There are some advertising activities that we should collectively agree are ok, they are business activities that will not cause the consumer harm. Website analytics, measurement, and attribution come to mind. These activities are critical to digital advertising and should be permitted.
- Adopt a white list of advertising partners – Privacy laws are requiring companies to disclose more detail about the third parties they share information with or allow to collect information on their site. Consumers can take advantage of certain frameworks that allow them to opt-out of data collection from these companies, but most consumers don’t have enough information to know who they are or whether they should opt-out. Instead, if a company signs on to a set of data governance principles, then websites should only have to disclose if they work with partners outside of that framework. Rather than requiring consumers to make decisions about a company’s practices, the industry should agree to a collective set of data practices, communicate those practices to consumers (see #1), and then notify the consumer when a company or its partner is acting outside of that framework.
Shifting our mindset from notice and choice will not be easy and will require agreement in an ecosystem of competing interests. However, in the long term, both consumers and businesses may benefit from this change.
This article is the third written in a series by Jessica B. Lee, Partner, Co-Chair, Privacy, Security & Data Innovations at Loeb & Loeb:
- California in Chaos: 3 Things You Need to Know to Stay on Top of CCPA
- The Value of Talking About the Value of Consumer Data
- The Trouble with Consumer Choice
Lee will lead a session—Are You Ready For CCPA 2.0?—of privacy experts explaining CCPA and CCPA 2.0, as well as what digital media companies need to do to stay ahead of privacy regulations at AdMonsters Publisher Forum Virtual, AUG 26, 2020.