Notification as a privacy practice

As I’ve said time and time again, notification plays a big role in privacy. It is first principle of the Fair Information Practice Principles. However, in my view the role of notice is to a degree misunderstood. As I continue to explore the notion of privacy, it is clear that notice plays a function in our understanding and ability to make decisions, but things like cognitive biases may eviscerate the benefit of notification to our individual decision making. Mike Spinney’s recent blog post got me thinking that it might be important to share a post of mine on where I view the role of notification as a privacy practices. The following list is presented in reverse order of importance.

  1. Notification puts consumers on notice of the collection, dissemination and use of information. While clearly a role, it is not the role nor even the most important role of notice. Consumers will do what they are going to do and only marginally change their behavior based on direct notification of privacy practices.
  2. Notification helps an organization congeal their own privacy practices. Without a written privacy policy the organization may lack internal guidance as to acceptable and unacceptable behavior. The act of having to put pen to paper and write out their practices may help them identify potential risks and think about them. Of course, this benefit fails if the privacy practices are simply cut and pasted to a website or culled from industry norms. This is why I suggest in my consulting practice that organizations not use a cookie cutter approach to privacy notice generation but rather actually start from scratch. It forces them to think about the problem and potential solutions.
  3. Notification provides information to regulators. This is somewhat important (especially in a regulatory environment like the US where written data practices have the force of law under the FTC Act). Notification creates a legal regime under which the organization has constrained itself to abide.
  4. Notification informs the public. The difference between this role and #1 is that the public consists of hawks and advocates ready to pounce on organizations that are viewed as being out of line with the norms of society. As we know from Helen Nissenbaum, social norms are one of the mainstays of how people view their privacy. This plays an important role because it can give people much easier to digest social clues (“stay away from this company”,”trust this organization”) that are useful and take less devoted time that reading and understanding a complex notification system.
  5. Finally, and arguably most important, notification helps, especially where cultural norms are absent, to drive the debate. It puts out there, hey, here is what we think the proper use of information should be in this context. It facilitates the open discussion of the norm. Surreptitious activities do not allow for this important and socially worthy conversation to take place.