The Failure of Privacy Notices and Consumer Choice

Paper from First Monday: “Transaction costs, privacy, and trust: The laudable goals and ultimate failure of notice and choice to respect privacy.”

Abstract: The goal of this paper is to outline the laudable goals and ultimate failure of notice and choice to respect privacy online and suggest an alternative framework to manage and research privacy. This paper suggests that the online environment is not conducive to rely on explicit agreements to respect privacy. Current privacy concerns online are framed as a temporary market failure resolvable through two options: (a) ameliorating frictions within the current notice and choice governance structure or (b) focusing on brand name and reputation outside the current notice and choice mechanism. The shift from focusing on notice and choice governing simple market exchanges to credible contracting where identity, repeated transactions, and trust govern the information exchange rewards firms who build a reputation around respecting privacy expectations. Importantly for firms, the arguments herein shift the firm’s responsibility from adequate notice to identifying and managing the privacy norms and expectations within a specific context.

Posted on January 8, 2014 at 8:07 AM | 10 Comments


paul January 8, 2014 9:02 AM

Not really addressed here: lock-in effects and network effects leading to monopolies. It seems like a good start though.

Peter A. January 8, 2014 11:15 AM


There’s no evidence so far the man is a would-be-terrorist-bomber. He could be a bomber-for-fun-in-the-middle-of-a-desert, home-firecracker-maker-with-leftovers-from-new-year’s-eve, maker-of-bombs-for-sale-to-real-bombers or whomever else.

vas pup January 8, 2014 12:08 PM

“What’s needed is proper government regulation of online privacy”. I guess ‘proper’ (in that content) is when consumer privacy is set as a higher priority for legislators than profits of on-line transaction providers. Now, who has more money/influence to lobby interests and adopt or block such regulation? You know the answer.
For the executive branch, those who today are in charge of generation/enforcement of such regulations are members of executive boards/CEOs/CIOs etc. of those private corporations tomorrow. That common practice of revolving doors should be banned asap. That is the main asymmetry of power.

Anonymoose January 8, 2014 3:31 PM

Regarding Dave’s comment above (“What’s needed is proper government regulation of online privacy.”):

Given how hard the government has worked to invade our personal privacy, do you really believe that they would respect any legislation intended to protect that same privacy that they themselves may pass?

I would like to believe that this would be the case, but precedent sadly prevents me from doing so.

name.withheld.for.obvious.reasons January 8, 2014 5:25 PM

Two problems, economy of scale and the need to assume the worst. From a small business perspective the use of trolling/tracking tools represents a real risk to our small business. And that’s irrespective of the truth regarding the scope/charter of the NSA’s subversion of all comms. Big business benefits from dragging behavioral data from the general public–including small businesses and represents an unfair (dare I call it) advantage. Large corporations are trying to convert marketing from a push to pull. Small businesses have to rely on skills, customer relations, and a general rapport with the community/sector. This year I will not be renewing my IEEE membership as the “community” has been all but silent on the subject, and in some cases has defended the government’s actions. In addition our company has had to expend significant capital and resources to answer the issue surrounding subverted Internet technology and technology companies. We are forced to respond to the new “worst case” scenario.

Romer January 9, 2014 7:52 PM

Good paper. Clearly explains why notice and consent (aka Terms of Use) is ridiculous in the context of web and Internet privacy.

Not to go too far into the weeds, the paper pretty thoroughly explains why the current approach to privacy and data use is absolutely hosed and inappropriate to the Internet. A dumb, boilerplate solution (notice and consent) to an infinite number of contextual privacy situations.

It’s good that the author rejects government solutions to the web privacy problem. That would merely be a bigger, dumber, thicker kind of boilerplate fix. And so the author rightly points back to market approaches, using the diamond, rubber, rice, and other markets for comparison. (The web, on the other hand, is a completely unbalanced – you might say dysfunctional – transaction environment with a gross imbalance toward providers, not users.)

I couldn’t really get a good fix on the author’s thinking about the actual economics of today’s web, where users are consistently undervaluing their data and providing it to companies that understate the value of the transaction (simple math shows that Google alone shows a net profit of maybe $120.00 a year for each user’s information).

It’ll take a real market solution to solve this problem. I have no doubt that the founders of Google, Facebook, and the rest are wondering just when their gig will be up. I don’t think that’s too far off.

Romer January 9, 2014 8:02 PM

@Dave 11:18 AM – “What’s needed is proper government regulation of online privacy.”

What’s needed is a company that profits more than Googlebook by protecting – not scamming and selling – your private information.
