“The makers of our Constitution . . . sought to protect Americans in their beliefs, their thoughts, their emotions and their sensations. They conferred, as against the Government, the right to be let alone – the most comprehensive of rights, and the right most valued by civilized men.”– Justice Louis Brandeis, dissenting, Olmstead v. United States
“Your user agreement sucks.”Senator John Kennedy to Mark Zuckerberg, Senate Judiciary Hearing on Facebook, Social Media, Privacy, and the Use and Abuse of Data
People care about privacy for different reasons, and to differing extents. As the volume of data sets about each of us continues to proliferate, and the uses of that information continue to evolve, gauging individual privacy expectations and broader societal norms has become increasingly challenging. Individuals make privacy decisions that seem to undermine their stated preferences, even as the risks to the fundamental interests linked to privacy, such as equality, autonomy, and intellectual freedom, only continue to grow. Largely to blame for these apparent contradictions are the ineffective standards that determine how privacy decision-making, expectations, and preferences are measured. The regulatory regime governing consumer privacy and the Fourth Amendment’s protections for privacy from the government both rest on the idea that judges and policymakers can discern individual and collective privacy norms, when in reality, they are rarely able to do so accurately.
Consumer privacy law in the United States is molded around the idea of privacy as an economic good, where the degree of legal protection a person receives depends on her control over her information through notice and choice mechanisms, like app permissions or privacy policies. The notice and choice model relies on the idea that informing consumers in convoluted boilerplate of how their data is collected and used empowers them to make privacy decisions that reflect their preferences. Under this thinking, any failure to subsequently make privacy-protective choices indicates either apathy or a deliberate declaration of a contrary preference. In fact, it is exceedingly difficult for individuals to make choices that produce the privacy outcomes they prefer or expect due to cognitive and structural limitations. Phenomena like decision fatigue, learned helplessness, and lack of information about collection and tracking all impede individuals from making the privacy choices that correspond to what they hope (or believe) will happen to their information.