In a recent Law360 article, partner and co-chair of WilmerHale’s Cybersecurity and Privacy Practice Kirk Nahra and Associate Lydia Lichlyter outline why Congress should adopt a context-sensitive approach to federal privacy legislation, instead of relying on a traditional “notice and choice” model.
Excerpt: Legislators in both houses of Congress are currently engaged in earnest and detailed discussions about the potential for passing comprehensive federal privacy legislation, which has never before existed in the United States.
Many of these proposals rely on the same framework that has become common in sectoral laws and international privacy regimes: provide consumers with notice of the business’s data collection, use and sharing practices and give them choice about whether to consent to those practices.
This approach relies on a privacy notice made available by the relevant entity that describes how personal data is used and a consumer’s ability to review, understand and agree to these activities. The specific way these elements—notice and choice—are provided varies widely from one context to another, but the basic structure is fairly consistent.
The problem is that, as many academics and advocates have pointed out, notice and choice is a fundamentally ineffective framework for giving people control over their personal information. It unnecessarily burdens consumers, proliferating paperwork that is largely useless to individuals. And it fails to stop conduct that actually harms consumers. We believe there is a better option.