by Jeff Sovern
I've moved on to the privacy chapter of our casebook, and in that regard I just finished reading M. Ryan Calo's (Calo is at the University of Washington and affilated with Stanford) intriguing Against Notice Skepticism In Privacy (And Elsewhere), 87 Notre Dame Law Review 1027 (2012). Before I add my two cents, here's the abstract:
What follows is an exploration of innovative new ways to deliver privacy notice. Unlike traditional notice that relies upon text or symbols to convey information, emerging strategies of “visceral” notice leverage a consumer’s very experience of a product or service to warn or inform. A regulation might require that a cell phone camera make a shutter sound so people know their photo is being taken. Or a law could incentivize websites to be more formal (as opposed to casual) wherever they collect personal information, as formality tends to place people on greater guard about what they disclose. The thesis of this Article is that, for a variety of reasons, experience as a form of privacy disclosure is worthy of further study before we give in to calls to abandon notice as a regulatory strategy in privacy and elsewhere.
Calo is clearly more a fan of notice than outright regulation. At one point he paraphrases Winston Churchill and writes that “notice is the worst regulatory mechanism, except for all of the alternatives." Regular readers of this blog know that I am less fond of notice as a way of conveying information to consumers. Still, notice may yet have a role to play in privacy, in the form of the single letter-grade approach. As I have blogged about before, restaurant grades have been effective to convey health department assessments to consumers, and have improved the health not only of consumers who pay attention to the grades, but also of those who don't. Surely it would be possible for some external agency to devise criteria for privacy policies, so that companies that don't use consumer information at all would get an "A", those who use it only internally would get a "B", and so forth. That way, consumers could continue to forego reading privacy policies, but still know what privacy choices they are making. And just as restaurateurs strive for better health department grades, to attract the business of those who care about the grades, which helps all consumers, perhaps businesses would strive for better privacy grades. It seems like such an obvious idea, I wonder if someone has already tried it.
Calo calls for more research, and I agree. We need to try different ways of providing notice to see what consumers actually use. The CFPB is willing to do this with its notices. Perhaps the FTC will follow suit on privacy. I would love to see one of those Innocentive contests for notices that convey privacy policies to consumers in such a way that consumers will actually use them.
