Privacy Self-Management and the Consent Dilemma

Authors

  • Daniel Solove, George Washington University Law School

Abstract

The current regulatory approach for protecting privacy involves what I refer to as “privacy self-management” — the law provides people with a set of rights to enable them to decide how to weigh the costs and benefits of the collection, use, or disclosure of their information. People’s consent legitimizes nearly any form of collection, use, and disclosure of personal data. Although privacy self-management is certainly a necessary component of any regulatory regime, I contend in this Article that it is being asked to do work beyond its capabilities. Privacy self-management does not provide meaningful control. Moreover, people cannot appropriately self-manage their privacy due to a series of structural problems. There are too many entities collecting and using personal data to make it feasible for people to manage their privacy separately with each entity. It is virtually impossible for people to weigh the costs and benefits of revealing information or permitting its use or transfer without an understanding of the potential downstream uses, further limiting the effectiveness of the privacy self-management framework. In order to advance, privacy law and policy must confront a complex and confounding dilemma with consent. In this Article, I propose several ways privacy law can grapple with the consent dilemma and move beyond relying too heavily on privacy self-management.

Keywords:

Privacy, personal data protection, privacy self-management, consent.

Author Biography

Daniel Solove, George Washington University Law School

Daniel J. Solove is the John Marshall Harlan Research Professor of Law at the George Washington University Law School in the United States.
