After decades, we still talk about the role of notice and choice in privacy. Yet there seems to be broad recognition that notice and choice do nothing for the privacy of consumers. Some American businesses cling to notice and choice because they hate all the alternatives. Some legislators draft laws with elements of notice and choice, either because it’s easier to draft a law that way, because they don’t know any better or because they carry water for business.
For present purposes, I will talk about notice and choice generically as consent. Consent is a broader concept than choice, but the difference doesn’t matter for the point I want to make. How you frame consent is complex. There are many alternatives and many approaches. It’s not just a matter of opt-in or opt-out. While I’m discarding issues, I also want to acknowledge and set aside the eight basic Fair Information Practices. There is no notice and choice principle in FIPS, and FIPs are not specifically important here.
Until recently, my view was that consent in almost any form is pretty much death for consumer privacy. No matter how you structure it, websites and others will find a way to wheedle consent from consumers. Those who want to exploit consumer data will cajole, pressure, threaten, mystify, obscure, entice or otherwise coax consumers to agree.
Suddenly, I’m not as sure of my conclusion about consent. What changed my mind? There is a new data point from Apple's App Tracking Transparency framework. Apple requires mobile application developers to obtain opt-in consent before serving targeted advertising via Apple's Identifier for Advertisers. Early reports suggest consumers are saying "NO" in overwhelming numbers — overwhelming as in more than 90%.
It isn’t this strong consumer reaction that makes me think consent might possibly have a place. I want to highlight a different aspect of the Apple framework.
Before I do, I want to remind everyone of the National Do Not Call Registry run by the U.S. Federal Trade Commission. By one measure, the registry is a smashing success. It includes more than 240 million phone numbers. That means that a lot of people opted-in to the registry with an affirmative act. It was not a choice presented to them, but something that each individual had to seek out on their own by adding their number to the list. It is one measure of how much people hate spam calls.
The registry is a failure in many ways. I average about four spam calls a day, most from crooks or foreigners beyond the reach of U.S. law. The registry is a success in other ways because I do not get calls from American companies that comply with the law. How many calls do I not get? That’s impossible to say. But I know that if I give my phone number to a legitimate American company, I won’t get a marketing call from them.
What do the Apple framework and the registry have in common? In both cases, a third party sets the terms and the methodology for consumer choice. In the one case, Apple set the terms. In the other case, the FTC did. This is not what happens when a website unilaterally sets the terms of consent. A one-sided approach is why consent does nothing for consumers today.
The issue I raise is whether it is possible that consent can play a meaningful and fair role if an independent third party sets the terms of consent rather than a business desperate to have consumers agree to its terms. We have two data points that suggest a role for third parties is possible. A model from another sphere is the institutional review board that sets rules for consent in research activities.
Figuring out how to structure and present a third-party consent mechanism requires much debate. One possibility is that a neutral third party or a balanced process (with representatives of consumers and business) could establish acceptable methods for consent. One size will surely not fit all circumstances. Everyone who has read this far already thought of giving the assignment to the FTC. I am not a big fan of the FTC in the privacy realm, but even I recognize the FTC as an option here.
We don’t yet know everything about the Apple framework. There is a lot of complexity hidden in the way apps respond to the option thrust upon them. We don’t know if there will be loopholes, enforcement or penalties. Apple is not a wholly neutral third party. I do not want to go too far out on the limb here until we know more.
As much as consent is disfavored by many in the privacy world (not just advocates), it is difficult to say to an informed consumer their willingness is always irrelevant. Consumers consent to many significant activities, sometimes on their own, sometimes with help from intermediaries, sometimes under statutory processes and sometimes as directed by professional ethics. We make it hard for lenders to offer terms that are inherently unfair to consumers and require disclosures to consumers seeking loans or credit cards. We settle for practical but incomplete solutions to problems. It’s the 80-20 rule: You can solve 80% of a problem readily, but solving the last 20% is much harder. Sometimes, 80% is the best we can do as a practical and political matter.
I am certainly not seeking to rehabilitate notice and choice. I’m only asking if there might be a role for consent through a better process for defining and obtaining consent. Perhaps a truly neutral third party standing between the consumer and the business seeking choices involving privacy might produce a better and fairer outcome. A third-party consent mechanism will not solve all privacy issues, and I don’t seek to promote consent in all circumstances. There are times when banning activities even with consumer consent is still the right policy. No matter what, a consumer can’t consent to a usurious loan or to an unsafe and ineffective drug.
My only goal is to add the idea of a third-party consent mechanism to current discussions.
Photo by Pierre Bamin on Unsplash
If you want to comment on this post, you need to login.