Notice and Choice Cannot Stand Alone

“Notice and Choice” is the much-criticized approach to privacy regulation and self-regulation that has been in widespread use for about three decades. However, despite the failures of notice and choice as a regime, the concept of notice and choice should not be abandoned. It remains an important component of a broader privacy arsenal that should be combined with strong privacy laws and automated tools to provide customized privacy protections for individuals.

The idea behind notice and choice is that data collectors will provide transparent notices about their collection and use of personal information and allow individuals to make informed choices about whether and for what purpose their information will be used. In theory, this approach should allow data subjects to choose for themselves which uses of their personal information to permit (since these preferences are often context-dependent and vary by individual), while also encouraging a market for privacy in which data collectors improve their data practices to be more competitive.

In practice, notice and choice is a fantasy that has largely failed because notices take a long time to read,¹² are difficult to understand, and the number of decisions individuals face about the use of their data is overwhelming. Furthermore, it is often hard for people to understand the potential consequences of their privacy-related choices because they lack a detailed understanding of relevant technologies, data flows, and downstream data uses. To make matters worse, notices and choice interfaces are often difficult to find⁸ and designed to manipulate people into making the most privacy-invasive selections (deceptive patterns or dark patterns¹³). Given its poor track record, legal scholars,¹⁴ privacy advocates, and even regulators¹⁰ have been calling for the end of the notice-and-choice regime.

The failure of notice and choice is due in part to the fact that it has largely been left to stand on its own, with minimal legal teeth or technical support, and (in many jurisdictions) without strong baseline privacy laws. In short, the notice and choice regime was setup for failure. For notice and choice to be effective it must be mandatory, with requirements regulators have resources to enforce, and it needs to be embedded in a standardized technology framework that allows people to readily automate their privacy decisions without being constantly bombarded with privacy choices. It is also critical to have baseline legal protections that do not allow data collectors to ask people to consent to data practices that are fundamentally unfair or about which they are unable to make informed decisions.

The idea of automating privacy decisions is not new. After the U.S. Federal Trade Commission began encouraging website operators to post privacy policies in the 1990s, privacy advocates complained that these policies were too long to be useful to users. In response, the World Wide Web Consortium (W3C) developed the Platform for Privacy Preferences Project (P3P), a protocol for encoding privacy policies in a computer-readable XML format and allowing web browsers and other user agents to retrieve these policies, parse them automatically, and use them to inform users or make automated decisions on their behalf. The most widely adopted P3P implementation was built into the Microsoft Internet Explorer 6 web browser in 2001 and used to automate third-party cookie-blocking decisions. I led the P3P working group at W3C and also worked on a research prototype P3P user agent called Privacy Bird that displayed a colored bird and a brief digest of the privacy policy and where it conflicted with a user’s pre-set privacy preferences. Unfortunately, P3P never saw widespread adoption after its release in 2002 because it lacked incentives for adoption and mechanisms for enforcement.⁴ Indeed, in 2010 when thousands of websites were found to have circumvented browser P3P controls,⁹ not a single regulator stepped in.⁵

After P3P had come and gone, a simpler approach to automating privacy choice was proposed: Do Not Track (DNT). Rather than creating a computer-readable privacy policy and sending it to web browsers, DNT sought to transmit a single header from web browsers to web sites to request that a site and any third-party sites that load with it refrain from tracking an individual user. The W3C spent nearly a decade trying to reach consensus on a DNT standard that web browsers and web sites would adopt. Although some web browsers implemented DNT, in practice it was meaningless as few websites paid attention to the DNT headers.⁷ In the absence of adoption incentives or legal mandates, DNT ultimately failed.

The latest automated privacy choice approach is Global Privacy Control (GPC), which allows users to turn on a setting in their browser (or browser extension) that transmits a GPC signal to automatically opt out of websites selling or sharing their personal information. What is particularly exciting about GPC, is that now for the first time privacy laws are requiring websites to respect automated privacy signals such as GPC. Under the California Consumer Privacy Act (CCPA), websites are required to act on GPC opt-out requests, and in 2022 the California Attorney General began enforcing compliance.² There are already six other U.S. states that require websites to honor opt-out preferences transmitted through Universal Opt-Out Mechanisms (UOOMs).¹ GPC is designed to be compatible with privacy laws around the world. Although GPC currently provides only a single signal, it could be extended to offer multiple signals and provide for more fine-grained choices. The fact that an automated choice mechanism is now enforceable by law is potentially the game changer needed for automated choice mechanisms to have a chance at success. However, GPC is not yet a settings option in the most popular web browsers, although there are privacy-focused browsers and plugins that offer this option or enable it by default.

With the rapid proliferation of mobile apps, smart homes, and Internet of Things (IoT) devices, websites are just the tip of the iceberg when it comes to the collection and use of personal data. Thus, we have even more of a need for automated tools that can help users signal their preferences about sharing and using their data without being bombarded by requests from every smart device they walk by throughout the day. Researchers have explored mobile app privacy agents that automate app permissions settings¹¹ and IoT privacy agents that allow users to manage privacy settings for IoT devices in their environment.⁶ However, we currently lack incentives for companies to build automated privacy choice frameworks into their products.

The current generation of deployed notice and choice tools are simple but lack flexibility. More research is needed on how to build tools that can operate with minimal user input after their initial quick and easy configuration, perhaps driven by machine-learning approaches that learn a user’s preferences over time and can extrapolate based on the user’s current context or the preferences of similar users.¹⁵ These tools should allow users to occasionally grant exceptions to allow the use of their data when they find it beneficial. However, these exceptions should be granted because users want to provide their data (for example, I want to provide my location when I use a mapping service because I want to view my location on the map) rather than because services break when data is withheld (for example, some websites exhibit strange behavior or stop working when third-party cookies are blocked, encouraging users to override their cookie blockers) or because users are constantly bombarded with requests that they swat away without thinking (for example, cookie banners, another notice and choice mechanism that has been largely ineffective as a privacy tool³). And when exceptions are granted, data should be used only for the purposes the user requests (for example, the map service should not also use my location to serve me location-targeted ads unless I have specifically requested them). Recent research has demonstrated the utility of  “generalizable active privacy choice” interfaces for GPC that allow users to send GPC signals automatically to websites a user visits according to criteria such as type of website, type of data collected, user’s self-described privacy profile, or user’s privacy profile learned by the system.¹⁵

Even if we design fantastic tools, we will need incentives or legal mandates for them to be made readily available to end users and their signals respected by data collectors. We need UOOMs built into every web browser and their signals respected by every website. We need IoT devices that send and receive standardized privacy signals to well-designed user agents. We need enforceable penalties for data collectors that fail to honor automated signals or manipulate users into consenting to data practices. And, importantly, we need strong baseline privacy regulations that restrict the use of personal information without individual consent and prohibit some personal information uses altogether.

While notice and choice as a regime has largely failed to live up to its promises to date, if bolstered by appropriate laws, technology standards, and easy-to-use interfaces, the notice and choice concept could be a useful tool in our future privacy toolbox.