
The Non-Contractual Nature of Privacy Policies and a New Critique of the Notice and Choice Privacy Protection Model
Thomas B. Norton*
NOTE

  The full text of this Article may be found here.

27 Fordham Intell. Prop. Media & Ent. L.J. 181

ABSTRACT

Notice and Choice is the model for protecting privacy online in the United States. Under the model, users of online services are given notice about services’ information and privacy practices in the form of privacy policies. Based on this information, users can choose whether to use particular online services and whether to exercise any options for protecting their privacy that the services might offer. In theory, Notice and Choice seems like a sound regulatory mechanism. Indeed, state and federal regulatory agencies prefer the model as a basis for privacy enforcement action. But Notice and Choice faces harsh criticism from privacy advocates. This Note adds a new critique to the list—that Notice and Choice leaves individual consumers who are affected by privacy policy breaches, legally, empty-handed. This is because website privacy policies—the principal mechanism for effectuating Notice and Choice—are generally not considered to be legally binding agreements. As a result, individuals’ contract theory-based actions against companies for privacy policy breaches almost categorically fail. As a result, the users of online services are largely left without individual redress for privacy policy breaches. Much has been written about Notice and Choice, and even more has been written about online contracting. Yet, like Notice and Choice and contract theory themselves, these two bodies of scholarship remain misaligned. This Note fills that gap by addressing Notice and Choice in the context of contracts, and offers alternative solutions to give individuals the opportunity to seek redress in the Notice and Choice scheme through contract theory.


* J.D., Fordham University School of Law; Privacy Fellow, Fordham Center on Law and Information Policy at Fordham University School of Law. I thank Professors Joel Reidenberg and Cameron Russell for their continued input and support. I also thank the participants of the 43rd Research Conference on Communications, Information and Internet Policy (Sept. 2015) and the inaugural European Privacy Law Scholars Conference (Oct. 2015) for their insightful comments, as well as Professor Aditi Bagchi for her advice on an earlier version of this project. This project was supported in part by the National Science Foundation Secure and Trustworthy Computing initiative grant 1330214 for the project “TWC SBE: Option: Frontier: Collaborative: Towards Effective Web Privacy Notice and Choice: A Multi-Disciplinary Prospective” (the “Usable Privacy Project”). I thank the project’s principal investigators and the research teams at Carnegie Mellon University for their efforts and support.