Online Privacy Policies And The Invisible Market For Our Data
U.S. District Court of New Jersey
January 18, 2016
Penn State Law Review (2016, Forthcoming)
Abstract:
Consumers constantly enter into blind bargains online. We trade our personal information for free websites and apps, without knowing exactly what will be done with our data. There is nominally a notice and choice regime in place via lengthy privacy policies. However, virtually no one reads them. In this ill-informed environment, companies can gather and exploit as much data as technologically possible, with very few legal boundaries. The consequences for consumers are often far-removed from their actions, or entirely invisible to them. Americans deserve a rigorous notice and choice regime. Such a regime would allow consumers to make informed decisions and regain some measure of control over their personal information. This article explores the problems with the current marketplace for our digital data, and explains how we can make a robust notice and choice regime work for consumers.
Online Privacy Policies And The Invisible Market For Our Data – Introduction
When you go online or use an app on your phone, you are sharing your information with multiple companies at once. If you tell the dating website OKCupid you occasionally drink or do illegal drugs, OKCupid will save that information to your profile, but marketers can also buy that information in real time. If you look up something on the Center for Disease Control’s website, say, “herpes symptoms,” the CDC will tell Google what you looked up. The CDC is not trying to profit from you, but they use Google Analytics to measure their website traffic. The CDC uses Google Analytics because it is a free, useful tool. It is a “free” tool because it is quietly paid for with your data.
There are programs that can show you which third parties are watching you on a given website. They can even block many of these third parties, though blocking them may disrupt the appearance or usability of some sites. But these programs cannot tell you what those third parties will do with your information. They also cannot tell you what inferences these companies might make about you. For example, Target famously created an algorithm to determine which female customers might be pregnant, in order to send them relevant coupons. The women did not need to buy baby clothes for Target to know they were pregnant – it was subtler cues like buying zinc, lotion, and a purse large enough to double as a diaper bag. Target was aware it could make women “queasy” by suddenly sending them ads for maternity clothes, so it started to put the baby-related ads in between ads for unrelated products, to make the placement look random. “As long as we don’t spook her,” a Target executive said, “it works.”
Many Americans feel spooked. Our data seems to be more widely disseminated, and more vulnerable than ever. Hackers gained access to millions of Americans’ accounts at JP Morgan and Anthem Health Insurance. The NSA collected millions of Americans’ phone records for years. Commercial data brokers buy and sell our data to such an extent that one broker has 3,000 data points for nearly every single U.S. consumer.
At least 30% of Americans have taken one or more steps to avoid surveillance since the Edward Snowden revelations. The remaining 70% have not taken steps perhaps because they are not concerned, or because they do not know where to begin. The above scenarios – cyber attacks, government surveillance, and commercial data aggregation – are fundamentally different problems, with different solutions. But it is easy for the disparate threads to merge together to become one amorphous fear, with no hint of how to secure our personal information.
This article seeks to take on just one of those threads – commercial use of individuals’ data. Consumers enter into essentially blind bargains online, where they trade their personal information for free websites and apps. There is nominally a notice and choice regime in place via lengthy privacy policies, but virtually no one reads them. Some consumers think just having a privacy policy means a website will keep their information private. In this ill-informed environment, companies can gather and exploit as much data as technologically possible, with very few legal boundaries. The consequences for consumers are often far-removed from their actions, or entirely invisible to them. Consumers deserve a more rigorous form of notice and choice that allows them to make informed decisions and regain some measure of control over their personal information online.
See full PDF below.
