Against Notice and Choice: the Manifest Failure of the Proceduralist Paradigm to Protect Privacy Online (or Anywhere Else)

Notice and choice are the foundational principles underlying the regulation of privacy in online transactions and in most other situations in which individuals interact with the government and commercial interests. These principles mean that before collecting personally identifiable information (“PII”) from an individual, the collector must provide the individual with a disclosure (notice) of what PII it proposes to collect and how it proposes to use that information. That knowledge enables the individual to make a rational decision (choice) about whether to allow that collection of information, generally by declining to enter into the transaction or, in some situations, by denying consent to collect the PII. This article argues that the notice-and-choice paradigm is fundamentally flawed, cannot be fixed, and should be replaced with a system that places substantive limitations on the collection and use of PII for commercial purposes. Each of us who engages with commercial websites, mobile computing devices, or everyday devices that are connected to the Internet receives these notices many times every day. The notices are typically conveyed in the text of a privacy policy that can be accessed by clicking on a hyperlink at the bottom of a web page, tapping on a link of a mobile app’s page on a distribution platform, or paying close attention when installing an Internet of Things device. And the great majority of us, just as many times each day, ignore these privacy notices and submit to whatever collection of PII may result. Why do presumably rational users of the Internet fail to take advantage of this wealth of disclosure information, which is only a click away? Our behavior is easily explained by the concept of “rational inattention.” The human condition of bounded rationality makes it infeasible for us to take in and process all the information that is contained in the privacy notices that surround us. Even if we were able to process these notices, it would do us no good because, as demonstrated by an empirical study included in the article, the uniformity among these privacy policies means that we cannot choose among more- and less-protective policies: we can only choose to engage with the online world, making our PII available for uses that we cannot understand or evaluate, or become hermits in self-exile from the online world. The alternative that the article proposes is to discard our faith in the proceduralist approach of notice-and-choice and develop substantive rules that will truly protect the privacy of individuals in their online interactions, rather than settling for the simulacrum of privacy protection that the present system offers.