Complementing Notice with Periodic Disclosures

Introduction

Privacy policies or terms of use agreements (“notices”) are too long, time consuming, and complicated for most people, and therefore do not result in truly informed consent of those that click “agree”. To make things worse, notices often require you to consent at an early stage for different collections and uses of data that would span over a long period of time, and are very hard to process in advance. This essay considers whether these problems could be solved through complementing the notice with on-going periodic disclosures that would provide information about the data the user gave away and, to the extent possible, the risks involved.

At least theoretically, such an idea shows great promise. Ideally, we could imagine disclosures that provide each user with a periodic review of the data that was acquired from him specifically, and a general explanation about how has this data been used. Such personalized disclosures could demonstrate to people what have they been sacrificing, and enable a more informed reassessment of personal risks. As many users consider privacy risks as remote and highly unlikely to impact their lives, such reports, which would place an emphasis on each individual’s specific use-patterns and risks, could have a major impact which is unattainable through notices.

Theoretically, it appears that such disclosures could become reality through one of two ways: regulatory mandated disclosures; or through third parties that would provide such periodic “disclosures” for interested users.

Regulatory Solutions

The idea of forcing all websites to provide such periodic disclosures might sound tempting, but there are several serious issues that should be taken into consideration.

First, in the age of Big Data, and given most people’s limited technical capabilities, one could worry that such disclosures would still be too complicated for users, who would find themselves clueless in deciphering masses of data thrown at them. This, I believe, could be solved through requiring websites to provide users with automated “summaries” or “highlights” of their recent privacy exposure. For example, a user might benefit from a brief periodic report explaining that the application possesses data about his whereabouts on X amount of days over the last year/month/week. An even more effective disclosure would highlight certain personal details. The “personalization” makes it more likely that the individual will pay attention, as it brings to mind more realistic scenarios.

Second, for websites that collect and store personal data, I do not think it would be too much of a technical or financial burden to provide such summarized reports, but there are very clear limits to their ability to provide information about the full extent of the privacy exposure. For instance, in many websites we are being monitored not only by that website but also by other companies providing ad servers. The original websites might be able to report what personal information could have been collected, but would be limited in their ability to say what did the other companies collect and especially what did they do with the information. Also, when data is being collected and then sold to other “data brokers” of all sorts, the original website will not know to tell what ended up happening with the information. This puts a very clear limitation on websites’ ability to reflect the full extent of the user’s risk exposure.

Third, mandatory on-going disclosures, even if designed thoughtfully by the regulator, might not be as effective as hoped. Companies are likely to make disclosures as “dry” as possible, and it would be difficult to require them to effectively highlight the individual risks.

Fourth, such regulation would require a very significant shift from the existing regulatory regime regarding data privacy. The FTC Act and most other US privacy laws do not provide individuals right to access the collected data, and in my research I could not identify any law requiring similar privacy-related periodic disclosures. California enacted a security breach notification law (California Civil Code §1798.82), which could be paralleled to some extent, but it deals with “breaches”, while the problems I mentioned concern consented collection and use of data, an entirely different thing.

Also, looking forward, it does not appear that Congress is moving in the direction discussed here – as reflected in both recent federal privacy bills S.1995 (Personal Data Protection and Breach Accountability Act of 2014) and S.2025 (Data Broker Accountability and Transparency Act) (though I really cannot attest on their chances of moving forward, or on whether these reflect a “wider” interest in Congress).

Technical Solutions

Alternatively, we could also think of non-regulatory, technical means to provide such “disclosure”. An independent third-party might be more adequately incentivized than the notice-providing website, and therefore could provide information in a more apprehensible format, and stress, instead of play down, the individual risks. As discussed above, such third-parties would not be able to tell you where the information goes after its initial collection, but they might at least be able to monitor what information you gave away. Perhaps, if this data-mining will be coupled with some sort of general expertise about certain websites’ operation, it would be possible for such third-parties to present an educated assessment regarding the individual’s risks. For instance: “news website Y probably holds a list of all articles you read this year, including ‘how to hide that you cheated on your wife.’ In our assessment, this information could end up…” Such assessments are surely much less effective than solid information, but could still have some, limited, impact on people’s awareness. An additional issue is that technical solutions require each individual to approach (register or download) the third party at some point and many are not likely to make the effort.

Conclusion

The idea of complementing notices with periodic disclosures could seem promising, as, theoretically, it provides individuals with on-going information that would allow them to gradually “correct” unwise consents. However, in practice there are significant limitations that decrease both the possibility of such an idea coming to life, and its potential effectiveness.