Notice and Choice and Its Problems
Robert Sloan, Richard Warner


Notice and Choice
The “notice” is the presentation of information.
• Typically in a privacy policy.
The “choice” is some action by the consumer.
• Typically using the site, or clicking on an “I agree” button.
Claims:
1. Notice and Choice ensure free and informed consent.
2. The pattern of free and informed consent defines an acceptable tradeoff between privacy and the benefits of information processing.

Informed Consent
The knowledge requirement: to give informed consent, consumers must know what information websites collect and what they do with it.
The problem: Consumers may have little knowledge of the ways in which businesses process information.
The “notice” appears to offer the obvious solution: present the information in a privacy policy which can be read and understood with reasonable time and effort.

The Obvious Objection
The vast majority of visitors do not read privacy notices.
“[P]rocessing privacy notices is a cost that most consumers apparently do not believe is worth incurring. The perceived benefits are simply too low.” J. Howard Beales, III & Timothy J. Muris, Choice or Consequences: Protecting Privacy in Commercial Information, 75 U. Chi. L. Rev. 109 (2008).
So doesn’t it follow that the vast majority of visitors do not give informed consent?

The Reply: Assumption of the Risk
“Assumption of the risk” principle: If you know that, with reasonable time and effort, you could obtain information relevant to a choice, and you freely choose not to obtain that information, then you assume the risk of consequences of which you would have been aware had you obtained the information.
So even if a consumer does not read, you can properly regard the person as informed as long as the Notice is sufficiently informative and the person had an adequate opportunity to read and understand it.

Free Consent
Free consent “requires a knowing understanding of what one is doing in a context in which it is actually possible for one to do otherwise, and an affirmative action in doing something, rather than a merely passive acquiescence in accepting something.” Margaret Jane Radin, Humans, Computers, and Binding Commitment, 75 Ind. L.J. 1125, 1126 (1999).
An informed person has the knowing understanding and is free not to use the site, and the choice is the affirmative action.

The Tradeoff
The overall pattern of giving or withholding consent draws a line between permissible and impermissible uses of personal information, and that line defines the tradeoff between the benefits of processing information and the need to protect informational privacy.
Why should the overall result of each person getting what he or she wants not also be acceptable?

Critique of Notice and Choice
The critique is that Notice and Choice fails to ensure free and informed consent, and fails to implement an acceptable tradeoff.

Failure to Ensure Informed Consent
Notice and Choice yields informed consent if two conditions are fulfilled.
• First, the Notice contains sufficient information.
• Second, consumers have an adequate opportunity to read and understand.
Assume, as is currently the case, that information collected on one occasion for one purpose is typically retained, analyzed, and distributed for a variety of other purposes in unpredictable ways.
Given this assumption, it is impossible to fulfill the first condition, and any reasonably close approximation to it ensures that the second condition is not fulfilled.

Notices Cannot Be Sufficient
An individual “may give out bits of information in different contexts, each transfer appearing innocuous. However, the information can be aggregated and could prove to be invasive of the private life when combined with other information... From the standpoint of each particular information transaction, individuals will not have enough facts to make a truly informed decision. The potential future uses of that information are too vast and unknown to enable individuals to make the appropriate valuation.” Daniel J. Solove, Privacy and Power: Computer Databases and Metaphors for Information Privacy, 53 Stan. L. Rev. 1393, 1452 (2001).

The Data Processing Assumption
Our argument that Notices cannot be sufficient depends on this assumption:
• Information collected on one occasion for one purpose is typically retained, analyzed, and distributed for a variety of other purposes in unpredictable ways.
What if we abandon the assumption? The FTC in effect proposes just this.

FTC Proposals
They insist that “companies should limit data collection to that which is consistent with the context of a particular transaction or the consumer’s relationship with the business, or as required or specifically authorized by law.”
And that companies “implement reasonable restrictions on the retention of data and should dispose of it once the data has outlived the legitimate purpose for which it was collected.”
• Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change, March 2012, 61.
We argue against this in the context of the tradeoff issue.

Failure to Ensure Free Consent
Free consent “requires a knowing understanding of what one is doing in a context in which it is actually possible for one to do otherwise, and an affirmative action in doing something, rather than a merely passive acquiescence in accepting something.”
The problem: consent to Notices appears to be “a merely passive acquiescence in accepting something” and hence not free.
• The Vicky wine store example.
Notice and Choice has no solution to this problem.

The Tradeoff Problem
The resulting overall pattern of consent would determine a tradeoff between privacy and competing concerns.
It is extremely unlikely that the tradeoff would result in a socially optimal balance.
• The telephone book example.

The FTC’s Proposed Restrictions
The principles for restricting the use of data that the FTC appears to be advocating are hardly clear, but it is difficult to see how they would allow retaining the Bing searches that led to the life-saving discovery of the combined effects of Paxil and Pravachol, or how they would permit the donation of all tweets to the Library of Congress.