Privacy Notice and Choice in Practice
In the United States, notice and choice remain the most commonly used mechanisms to protect people’s privacy online. This approach relies on the assumption that users provided with notice will make informed choices that align with their privacy expectations. The goal of this research is to empirically inform industry and regulatory efforts that rely on notice and choice to protect people’s online privacy. To do so, we present a set of case studies covering different aspects of privacy notice and choice in four domains: online behavioral advertising (OBA), online social networks (OSN), financial privacy notices, and websites’ machine-readable privacy notices. We investigate users’ privacy preferences, information needs, and ability to exercise choices in the OBA domain. Based on our results, we provide recommendations to improve the design of notice and choice methods currently in use in this domain. In the context of OSNs, we explore the effect of nudging notices designed to encourage more thoughtful disclosures among Facebook users and recommend changes to the Facebook user interface aimed at mitigating problematic disclosures. We demonstrate how standardized notices enable large-scale evaluations and comparisons of companies’ privacy practices and argue that standardized privacy notices have an enormous potential to improve transparency and benefit users, privacy-respectful companies, and oversight entities. We argue that, in today’s complex Internet ecosystem, an approach that relies on users to make privacy decisions should also empower them with user-friendly interfaces, relevant information, and the tools they need to make privacy decisions. Finally, we further argue that notice and choice are necessary but not sufficient to protect online privacy, and that government regulation is needed to establish additional protections including access, redress, accountability, and enforcement.