Since the 1970s, fair information practices (FIPs), also called fair information privacy practices (FIPPs), have formed the framework around which organizations structure their policies on data collection, use, disclosure, and retention. The cornerstone of individual privacy rights under the FIPs is notice and choice, sometimes called notice and consent. That is, an organization should inform individuals about how their personal information will be processed and shared, and proceed only when an individual agrees to such use. At first glance, these dual concepts may appear to adequately protect individual privacy. As the digital landscape has evolved, however, it has become apparent that the notice and choice paradigm fails to protect individual privacy in important ways.
First, the concepts of notice and choice assume that the choice is informed, but that is likely not the case. Privacy notices are often buried in terms of service that are lengthy, confusing, and difficult to read. They are often full of legalese and written from the perspective of protecting the organization from legal liability rather than from the perspective of genuinely and clearly informing users how their personal information might be shared. The term “privacy notice” may give users the impression that it describes how the organization is going to protect personal information rather than how it is going to disclose that information, which further discourages a close read. All of this leads to the conclusion that a substantial number of individuals have no idea how companies are using or sharing their personal information.
Recognizing that notice and choice may no longer be sufficient to protect individual data privacy rights, some privacy professionals have signaled a move away from the notice and choice paradigm. For example, in a September 2018 request for comments, the National Telecommunications and Information Administration (NTIA) noted, “To date, [mandates on notice and choice] have resulted primarily in long, legal, regulator-focused privacy policies and check boxes, which only help a very small number of users who choose to read these policies and make binary choices.” Fortunately, there are a number of things that a company can do to get out in front of this transition away from a strict notice and choice regime.
Second, an organization can protect its customers’ privacy rights by minimizing the amount of data it collects on those customers. Organizations should give serious thought before collecting more personal information than is necessary to provide the good or service in question. Data is not only an asset, but also a potential liability. While a data breach is never a pleasant experience, the harm to a company’s reputation will be amplified if the breach discloses personal information that has no rational connection to the good or service the organization provides to its customers.
Third, an organization can give its customers multiple options as to how their personal information is used and shared. For example, customers may be fine with having their email addresses added to a company’s internal marketing list, but may not want that same information sold to a third-party mailing list. True consumer choice requires more than an all-or-nothing approach.
As the practical shortcomings of the notice and choice framework become more apparent, lawmakers and regulators will likely begin to mandate a more holistic approach that looks more fully at what an organization actually does to protect individual privacy rights, rather than focusing on whether the organization simply complied with notice and choice requirements. By thinking about this shift now, organizations can better prepare themselves for the transition while building trust and confidence with their customers at the same time.