Hitting refresh on privacy policies: Recommendations for notice and transparency


Over the past two years, we have observed the tide turn against the system of “notice-and-choice” that has governed online privacy since the days of America Online (AOL) giveaway discs.

In April 2018, Sen. John Kennedy (R-LA) told Mark Zuckerberg that Facebook’s user agreement “sucks.” In February 2019, Rep. Frank Pallone, Jr. (D-NJ), Sen. Roger Wicker (R-MS), and Sen. Maria Cantwell (D-WA) respectively labeled privacy policies as “unrealistic and unfair,” “lengthy and confusing,” and simply “no longer enough.” Then, last October, FTC Commissioner Rebecca Kelly Slaughter echoed these concerns at a Brookings fireside chat, stating “I am really over notice-and-consent.”

Describing the current privacy regime as “a losing game,” one of us (Kerry) wrote a 2018 Brookings report highlighting key problems that have subsequently aired on both sides of the aisle. One issue is that privacy policies can result in over-notification or “click fatigue.” Another is that the online marketplace is asymmetrical; companies know far more about how they collect and process data than could even the most sophisticated and vigilant individual. A third issue is that individuals typically have few, if any, real choices regarding how businesses process, retain, and share personal information after collecting it. As Northeastern University professor Woody Hartzog told Congress a year ago: “[T]he control companies promise people is an illusion…. Companies decide the kind of boxes people get to check, the buttons they press, switches they activate and deactivate, and other settings they get to fiddle with.”

What Hartzog describes—an inevitable cascade of click-through consents, along with some limited privacy settings available to users—is how the current system puts responsibility on individuals to understand and manage personal information. In November, Senate Democrats released a set of privacy principles that propose to shift this burden to the companies that collect and use data. This is a key step toward legislation that sets responsibilities and boundaries for businesses that apply regardless of what disclosures their users read or boxes they tick.

Notice-and-choice in draft legislation

Even so, most current bills and legislative proposals rely on notice-and-choice in varying degrees. Shortly after the Senate Democrats released their privacy principles, Cantwell introduced the Consumer Online Privacy Rights Act and Wicker distributed the draft Consumer Data Privacy Act, each of which requires businesses to obtain “affirmative express consent” before collecting defined categories of sensitive data. Their definitions of “sensitive data” range from widely available data points (such as telephone numbers or email addresses) to closely held information (such as medical or financial account details). In addition, the Cantwell bill considers information regarding “online activities” as sensitive, which—as drafted—could encompass web browsing, e-commerce transactions, and mobile app use. By any measure, these proposals would still present individuals with many notices to view and boxes to click.

We have seen several House drafts to date rely just as heavily on notice-and-consent. In mid-December, House Energy & Commerce Committee staffers circulated a bipartisan discussion draft bill which generally requires businesses to provide “clear and concise notice” and obtain “express, affirmative consent” prior to processing information inconsistent with “reasonable consumer expectations.” In total, the discussion draft uses the term “consent” 37 times. California Reps. Anna Eshoo and Zoe Lofgren’s November 2019 Online Privacy Act—which also relies on a reasonable expectation standard—uses the term “consent” 58 times.

Many current bills seek to make privacy notices shorter and more user-friendly, while others would expand them to add detailed disclosure requirements. Some even attempt both at the same time—for example, Sen. Ed Markey’s (D-MA) Privacy Bill of Rights Act calls for “short-form” notices that not only are “clear, concise, well-organized, understandably written, and complete,” but simultaneously detail what data is collected, what purpose it serves, which third parties it is shared with, and more. The House Energy & Commerce discussion draft makes a similar Procrustean bed.

It seems, then, that notice-and-choice still has some life and is likely to play a role in privacy legislation. To be sure, transparency is largely significant, but any bill would need to recognize that information about data collection and processing has separate functions for different audiences and contexts, and that each function calls for a different level of disclosure. To get notice and transparency right, legislation should delineate two distinct types of notice: a) complete privacy disclosure statements for regulators and other specialized parties, and b) a variety of contextually appropriate notifications for consumers.

Complete privacy disclosure statements for regulators

Much of the information contained in the typical privacy policy is useless to the average individual. It is not merely that the provided descriptions of data processing are usually legalistic and opaque; even if expressed clearly and simply, much of the information is not immediately actionable or perhaps even relevant.

By contrast, complete and detailed descriptions of data processing and privacy practices have material value for regulators, journalists, and public interest organizations. In particular, the Federal Trade Commission (FTC) currently uses privacy policies and other company statements as benchmarks to identify “unfair or deceptive acts or practices” under Section 5 of the FTC Act. In recognizing the importance of accountability benchmarks, Congress would further assist this specialized audience of watchdogs by including thorough disclosure requirements in legislation.

The Cantwell and Wicker proposals both recognize that comprehensive privacy statements can serve the public good and call for more comprehensive corporate disclosures for the public record. On an important and related note, corporate statements need to move beyond high-level generalities to concrete disclosures on a full range of privacy practices in order to serve as true accountability benchmarks. As the Cantwell, Wicker, and House Energy & Commerce bills (among others) propose, these disclosures should include what data is collected, how it is used and retained, how and with whom it is shared, what security measures are in place, and by what mechanisms consumers can exercise privacy rights.

Finally, written policies can help organizations internally clarify their thinking and hold accountable the corporate officers who oversee data governance and privacy risk assessments. The Cantwell bill formalizes this accountability function by elevating privacy oversight to CEOs and importing disclosure and certification requirements from securities regulations. Under this bill, qualifying companies would be required to submit annual data protection reports to the FTC, certified by corporate officers, that outline each company’s compliance with the proposed regulations.

Varied contextually-appropriate notices for individuals

Targeting messages to individuals can be an entirely different game. The most detailed and honest privacy disclosure could be a silver bullet of transparency for regulators but utterly useless for the majority of consumers.

Even so, individuals deserve transparency. Transparency is a fundamental value—but it means little to most people unless it is both targeted and actionable. Companies can embody this value by providing relevant information in multiple formats and contexts. For example, Apple provides pop-up notifications when iOS apps request iPhone location data, which presents both timely and specific information to consumers.

In other contexts, such as prior to collecting health information or information pertaining to children under 13, individuals may benefit from notices in different formats. In the context of medical or children’s data, additional requirements for pre-collection notices may be necessary to enable opt-in control (in line with what HIPAA and COPPA currently mandate). Under such circumstances, new legislation should require clear and actionable information in a format that ensures users give meaningful consent in the (limited) circumstances where businesses may still use it. A one-size-fits-all disclosure requirement can undermine the contextual relevance that makes consent meaningful.

By making information available in multiple forms, the concept of “notice” can shift to allow more meaningful and true transparency. On a final note: while most individuals realistically should not be responsible for reading in-depth notices, anybody who wants to follow data processing practices, privacy rights, and redress options should be able to access the full scope of this information. Here, the Cantwell, Wicker, and Markey proposals take the right approach in mandating that detailed information be publicly available to all.

Rights and responsibilities for individuals and businesses

Transparency can hold value, but in practice, knowledge alone is not always sufficient to ensure consumer privacy. Furthermore, it should not be necessary for someone to fully understand a company’s data processing practices in order to trust the company to protect personal information—a point that David Medine and Gayatri Murthy, both of the Consultative Group to Assist the Poor (CGAP), recently highlighted in TechTank.

For these reasons, the Cantwell and Wicker proposals, along with numerous others, supplement privacy notices with individual rights that cannot be altered or signed away. Many of these proposed rights include individual access, correction, deletion, and portability of online personal information, paralleling the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act in this respect. These four rights would effectively mandate that all applicable companies offer individuals both access and control over personal information—such as the functionalities currently built into Facebook’s “Access Your Information” portal and Google’s “Google Dashboard.” They would offer individuals concrete examples of the practices described earlier for disclosures, and these examples can be customized to the individual user.

Customized access can serve as a powerful transparency and accountability tool. Recall that in 2013, Austrian law student Max Schrems took advantage of Facebook’s “Access Your Information” portal and prompted ongoing Court of Justice of the European Union litigation that throws EU-U.S. data transfers into question to this day. Both pre- and post-collection rights would thus offer a path to greater individual agency over online personal information, no matter which service or product people use, which effectively brings us full circle to transparency. By providing baseline control mechanisms, Congress would establish a third layer of visibility—on top of complete privacy disclosures for regulators and contextually-appropriate notices for individuals—to enable public engagement on data processing and privacy practices.

The authors would like to thank Marla Odell for her research and editing assistance.

Apple, Google, and Facebook are general, unrestricted donors to the Brookings Institution. The findings, interpretations, and conclusions posted in this piece are solely those of the authors and not influenced by any donation.