Website Privacy Policies Research Articles

GenAIPABench: A Benchmark for Generative AI-based Privacy Assistants

Website privacy policies are often lengthy and intricate. Privacy assistants assist in simplifying policies and making them more accessible and user-friendly. The emergence of generative AI (genAI) offers new opportunities to build privacy assistants that can answer users’ questions about privacy policies. However, genAI’s reliability is a concern due to its potential for producing inaccurate information. This study introduces GenAIPABench, a benchmark for evaluating Generative AI-based Privacy Assistants (GenAIPAs). GenAIPABench includes: 1) A set of curated questions about privacy policies along with annotated answers for various organizations and regulations; 2) Metrics to assess the accuracy, relevance, and consistency of responses; and 3) A tool for generating prompts to introduce privacy policies and paraphrased variants of the curated questions. We evaluated 3 leading genAI systems—ChatGPT-4, Bard, and Bing AI—using GenAIPABench to gauge their effectiveness as GenAIPAs. Our results demonstrate significant promise in genAI capabilities in the privacy domain while also highlighting challenges in managing complex queries, ensuring consistency, and verifying source accuracy.

An analysis of privacy policies in Sri Lanka

This article focuses on privacy policies of websites and attempts to understand how they have been designed. A study looking at the privacy policies of US firms was conducted for the first time in 2016 by Professor Marotta-Wurgler. While the study provides a look into how the global north considers privacy, there is nascent scholarship in this regard for the global south. I look to the global south – Sri Lanka, in particular – to understand to what extent privacy and the well-being of consumers feature in designing privacy policies of various industries in the country. I look at 20 privacy policies across four industries, cloud computing, banking, supermarkets, and transport services. I conclude that while firms abide by some international standards even without legal obligation, there is room for improvement. There is little standardization within and across industries with international firms laying down higher privacy protections on average. The article finds most policies to be long and incomprehensible. I conclude that while incorporation of international privacy standards to varying degrees absent legal compulsion is admirable, there is more to be done to benefit the consumers for whose welfare privacy policies are drafted in the first place.

User Information Sharing and Hospital Website Privacy Policies

Hospital websites frequently use tracking technologies that transfer user information to third parties. It is not known whether hospital websites include privacy policies that disclose relevant details regarding tracking. To determine whether hospital websites have accessible privacy policies and whether those policies contain key information related to third-party tracking. In this cross-sectional content analysis of website privacy policies of a nationally representative sample of nonfederal acute care hospitals, hospital websites were first measured to determine whether they included tracking technologies that transferred user information to third parties. Hospital website privacy policies were then identified using standardized searches. Policies were assessed for length and readability. Policy content was analyzed using a data abstraction form. Tracking measurement and privacy policy retrieval and analysis took place from November 2023 to January 2024. The prevalence of privacy policy characteristics was analyzed using standard descriptive statistics. The primary study outcome was the availability of a website privacy policy. Secondary outcomes were the length and readability of privacy policies and the inclusion of privacy policy content addressing user information collected by the website, potential uses of user information, third-party recipients of user information, and user rights regarding tracking and information collection. Of 100 hospital websites, 96 (96.0%; 95% CI, 90.1%-98.9%) transferred user information to third parties. Privacy policies were found on 71 websites (71.0%; 95% CI, 61.6%-79.4%). Policies were a mean length of 2527 words (95% CI, 2058-2997 words) and were written at a mean grade level of 13.7 (95% CI, 13.4-14.1). Among 71 privacy policies, 69 (97.2%; 95% CI, 91.4%-99.5%) addressed types of user information automatically collected by the website, 70 (98.6%; 95% CI, 93.8%-99.9%) addressed how collected information would be used, 66 (93.0%; 95% CI, 85.3%-97.5%) addressed categories of third-party recipients of user information, and 40 (56.3%; 95% CI, 44.5%-67.7%) named specific third-party companies or services receiving user information. In this cross-sectional study of hospital website privacy policies, a substantial number of hospital websites did not present users with adequate information about the privacy implications of website use, either because they lacked a privacy policy or had a privacy policy that contained limited content about third-party recipients of user information.

Characteristics of direct-to-consumer platforms offering erectile dysfunction treatment.

Due to the sensitivity and potential embarrassment of discussing erectile dysfunction (ED) in person, men are seeking treatment online. We sought to compare offerings of direct-to-consumer (DTC) platforms for ED treatment with respect to consultation, pricing, services, and privacy policy. Google was queried to identify DTC platforms offering ED treatment with the keywords: "telehealth erectile dysfunction," "telemedicine erectile dysfunction," and "online erectile dysfunction." Inclusion criteria were as follows: serving a majority of U.S. states, existing online only, providing both the consultation and prescription for phosphodiesterase type 5 inhibitors, and delivering the prescription to the patient. Fifteen DTC platforms met criteria. Ten provided free consultations; 4 bundled the consultation fee with the first month of the prescription, with 1 of these functioning as a subscription service. Fourteen (93%) relied on online intake forms and 10 (67%) advertised review by the prescriber within 2 business days. Only 4 (27%) platforms explicitly advertised physician-only consults. Direct contact with the prescriber would only occur if needed or if required by state law at 8 (53%) platforms. Purchasing sildenafil and tadalafil was advertised on all platforms. Minimum prices of sildenafil ranged from $0.50 to $35/pill (mean $5.16/pill, median $2.65/pill); tadalafil ranged from $0.50 to $9.80/pill (mean $4.70/pill, median $3.21/pill). In addition to ED therapy, 13 (86%) platforms offered treatment for other men's health issues. All platforms included a website privacy policy, but only 10 (67%) mentioned Health Insurance Portability and Accountability Act compliance, with 2 of these claiming to not be covered entities. Although DTC platforms are transparent with phosphodiesterase type 5 inhibitor medication and subscription pricing information, few offer direct contact with a physician to further discuss issues related to ED after completion of the online intake form. For comprehensive evaluation of ED in Health Insurance Portability and Accountability Act-compliant settings, in-person or telemedicine visits should be arranged with men's physicians.

An Empirical Study on Vagueness Detection in Privacy Policy Texts

Website privacy policies outline how a website handles personal information. Many such policies are written vaguely, making it difficult for users to comprehend what data is collected and how it’s used, posing a threat to privacy and security. The empirical study in this paper aims to address this issue by applying transformer models to automatically detect the level of vagueness in privacy policy texts. We calculate the vagueness scores based on annotations obtained through arithmetic mean, geometric mean, and harmonic mean of the individual annotations and discretize the policy text into four distinct vagueness categories. Our detailed numerical study shows that transformer models perform well for the vagueness classification tasks and they can be effective in enhancing the clarity and transparency of privacy policies. Our experiments also highlight the importance of reliable annotations and show that the transformer model performance can be enhanced with more reliable annotations with lower standard deviation and entropy values.

Read and accepted? Scoping the cognitive accessibility of privacy policies of health apps and websites in three European countries.

Trust and accessibility are vital to adoption of health and wellness apps. This research scoped three elements of cognitive accessibility of health app privacy policies: availability, ease of navigation, and readability. For this cross-sectional study, quantitative data collected in the Netherlands, Sweden, and the United Kingdom included: whether privacy information was in a country's official language (availability); number of distracting visual elements (ease of navigation); word count and Common European Framework of Reference (CEFR) reading level (readability). Health app privacy policies were compared to policies from a purposively selected sample of websites, and to benchmarks, including CEFR reading level B1. Health app privacy policies were less often available in countries' official languages compared to sampled websites (Chi-Square [1, 180] = 57.470, p < 0.001) but contained fewer distracting visual elements. More UK privacy policies were in the country's official language, whereas Swedish privacy policies contained fewest words and fewest potentially distracting design elements. Only one privacy policy met the CEFR reading level benchmark. Lack of privacy information in non-Anglophone app-users' native languages and high reading levels may be major barriers to cognitive accessibility. Web and app developers should consider recommendations arising from this study, to stimulate trust in and adoption of health and wellness apps.

Welcome to the Latest “Off by One” Column

“The Our Reality Privacy Policy” story parodies the content and utility of website privacy policies. Because the literature on privacy policies is so vast, it is a challenge to identify only a few references to offer readers interested in learning more. In Aleecia M. McDonald and Lorrie Faith Cranor’s classic 2008 article, the authors estimated that it would take U.S. users on average more than 180 h annually to read the privacy policies of all of the websites they encounter.S1 Even if users read the privacy policies, in their 2021 article, Jenny Tang et al. found that technical terms are broadly misunderstood.S2 Although the privacy policy in this story uses natural language, there has been significant research on other approaches for presenting privacy policies. Victor Morel and Raúl Pardo’s 2020 article, “SoK: Three Facets of Privacy Policies,” systematically explores different approaches.S3

Unifying Privacy Policy Detection

AbstractPrivacy policies have become a focal point of privacy research. With their goal to reflect the privacy practices of a website, service, or app, they are often the starting point for researchers who analyze the accuracy of claimed data practices, user understanding of practices, or control mechanisms for users. Due to vast differences in structure, presentation, and content, it is often challenging to extract privacy policies from online resources like websites for analysis. In the past, researchers have relied on scrapers tailored to the specific analysis or task, which complicates comparing results across different studies.To unify future research in this field, we developed a toolchain to process website privacy policies and prepare them for research purposes. The core part of this chain is a detector module for English and German, using natural language processing and machine learning to automatically determine whether given texts are privacy or cookie policies. We leverage multiple existing data sets to refine our approach, evaluate it on a recently published longitudinal corpus, and show that it contains a number of misclassified documents. We believe that unifying data preparation for the analysis of privacy policies can help make different studies more comparable and is a step towards more thorough analyses. In addition, we provide insights into common pitfalls that may lead to invalid analyses.

Safe, Sound, and Private: Promoting Data Protection for Students

In an effort to slow the spread of the highly infectious disease coronavirus (COVID-19), school districts around the world closed school buildings, thrusting educators into emergency remote teaching. Although many vendors were quick to release tutorial guides and free trials for their online learning resources, the growing concern over student data protection intensified. A lack of transparency or disregard for privacy in the privacy policies of many apps and websites used by students may allow third parties to generate detailed profiles of students to be used for behavioral advertising, which could cause unforeseen consequences. This article highlights existing federal laws that aim to protect student data, explains the importance of vetting apps and websites used by students, offers guidance to assist schools with the vetting process, and concludes with resources to teach about digital citizenship, including lessons in which students learn how to protect their own data.

A Study of South Asian Websites on Privacy Compliance

Privacy laws in South Asian countries are still at a nascent stage. Therefore, South Asian websites are susceptible to user privacy violation. This paper presents an assessment of website privacy policies from 10 sectors in the three largest South Asian economies, namely, India, Pakistan, and Bangladesh. Using a manual qualitative analysis on a dataset of 284 popular websites, we assessed the policies based on accessibility, readability, and compliance with 11 privacy principles. Our findings show that overall, the privacy statement accessibility, and privacy compliance of websites from the three countries is low especially in the education, healthcare, and government sectors. Readability is quite low for websites in all 10 sectors of the three countries. Privacy compliance in each country is the highest for the principles of data processing and third-party transfer, whereas it is the lowest for protection of children’s data, data retention and portability. Indian websites performed comparatively better amongst the three countries on all three metrics, followed by Pakistan, and Bangladesh. Based on our results, we provide recommendations involving all stakeholders (i.e., website owners, privacy regulators, and users) to help improve privacy protection of user data in South Asia.

Analyzing Privacy Policies at Scale

Website privacy policies are often long and difficult to understand. While research shows that Internet users care about their privacy, they do not have the time to understand the policies of every website they visit, and most users hardly ever read privacy policies. Some recent efforts have aimed to use a combination of crowdsourcing, machine learning, and natural language processing to interpret privacy policies at scale, thus producing annotations for use in interfaces that inform Internet users of salient policy details. However, little attention has been devoted to studying the accuracy of crowdsourced privacy policy annotations, how crowdworker productivity can be enhanced for such a task, and the levels of granularity that are feasible for automatic analysis of privacy policies. In this article, we present a trajectory of work addressing each of these topics. We include analyses of crowdworker performance, evaluation of a method to make a privacy-policy oriented task easier for crowdworkers, a coarse-grained approach to labeling segments of policy text with descriptive themes, and a fine-grained approach to identifying user choices described in policy text. Together, the results from these efforts show the effectiveness of using automated and semi-automated methods for extracting from privacy policies the data practice details that are salient to Internet users’ interests.

Factors affecting trust towards online retailers in India: an empirical study

Loyal customers are considered extremely valuable to any organisation. In order to attain customer loyalty, online retailers should take major steps that will enhance repeat purchase behaviour. The current research examines the impact of satisfaction with previous interactions, perceived website quality, security and privacy policy, and online retailer credibility on trust towards online retailers. Then the relationship between consumer trust and loyalty intention was studied. The hypothesised model is validated empirically using data collected from 334 consumers. The data were analysed using exploratory factor analysis, correlations analysis, confirmatory factor analysis and regression analysis. The results indicated that consumers' perception of website quality and online retailer's credibility have strong positive effect on consumer trust. Consumer satisfaction due to previous interaction with an online retailer also directly affects trust. Data further demonstrated that security and privacy policy directly influence consumer trust. In the study, trust is found to directly affect loyalty intention. The study adds to the understanding of the antecedents and consequences of consumer trust in the online shopping environment. Managerial implications and suggestions for further research are provided.

Factors driving consumer loyalty intention towards e-tailers: an integrated model

Online shopping has emerged as one of the most important e-commerce applications in recent years. However, there is limited empirical research which has examined factors driving Indian consumers' loyalty intention towards e-tailers. Thus, this study proposed and tested a model that examines the effect of perceived website quality, security and privacy policy, shared value, and perceived e-tailer reputation on online consumer's trust, perceived risk, satisfaction, and loyalty intention in India. Data were collected from Indian online consumers and analysed using structural equation modelling. The results showed that perceived website quality has a strong positive effect on customer satisfaction. Data further demonstrate that security and privacy policy, and perceived e-tailer reputation directly influence e-trust. Online shopper's previous satisfaction with an e-tailer also builds e-trust and thus, decreases perceived risk. When a consumer is more satisfied with an e-tailer and has stronger trust on the same, this will lead to higher loyalty intention towards the e-tailer. These findings have interesting implications for website designers and online retailers. Finally, we discuss some limitations of our study and directions for future research.

Disagreeable Privacy Policies: Mismatches between Meaning and Users’ Understanding

Privacy policies are verbose, difficult to understand, take too long to read, and may be the least-read items on most websites even as users express growing concerns about information collection practices. For all their faults, though, privacy policies remain the single most important source of information for users to attempt to learn how companies collect, use, and share data. Likewise, these policies form the basis for the selfregulatory notice and choice framework that is designed and promoted as a replacement for regulation. The underlying value and legitimacy of notice and choice depends, however, on the ability of users to understand privacy policies. This paper investigates the differences in interpretation among expert, knowledgeable, and typical users and explores whether these groups can understand the practices described in privacy policies at a level sufficient to support rational decision-making. This paper seeks © 2015 Joel R. Reidenberg, Travis Breaux, Lorrie Faith Cranor, Brian French, Amanda Grannis, James T. Graves, Fei Liu, Aleecia McDonald, Thomas B. Norton, Rohan Ramanath, N. Cameron Russell, Norman Sadeh and Florian Schaub. † For their comments on this study, the authors would like to acknowledge and thank Alessandro Acquisti, Noah A. Smith, and Shomir Wilson, and the participants at the 2014 TPRC 42nd Research Conference on Communication, Information and Internet Policy. Funding for this project was provided, in part, by the National Science Foundation under its Secure and Trustworthy Computing (SaTC) initiative grants 1330596, 1330214, and 1330141 for “TWC SBE: Option: Frontier: Collaborative: Towards Effective Web Privacy Notice and Choice: A Multi-Disciplinary Prospective” and by a Fordham Law School Faculty Research Grant. †† Respectively, Stanley D. and Nikki Waxberg Chair and Professor of Law, Fordham University; Assistant Professor of Computer Science, Carnegie Mellon University; Professor of Computer Science and Engineering & Public Policy, Carnegie Mellon University: Senior Research Programmer, Carnegie Mellon University; Research Fellow, Fordham Center on Law and Information Policy; Ph.D Candidate (Engineering and Public Policy) Carnegie Mellon University; Ph.D Candidate (Computer Science), Carnegie Mellon University; Director of Privacy, Stanford Center for Internet & Society; Privacy Fellow, Fordham Center on Law and Information Policy; Masters Candidate (Computer Science), Carnegie Mellon University; Executive Director, Fordham Center on Law and Information Policy; Professor of Computer Science, Carnegie Mellon University; Postdoctoral Fellow (Computer Science), Carnegie Mellon University. 40 BERKELEY TECHNOLOGY LAW JOURNAL [Vol. 30:1 to fill an important gap in the understanding of privacy policies through primary research on user interpretation and to inform the development of technologies combining natural language processing, machine learning, and crowdsourcing for policy interpretation and summarization. For this research, we recruited a group of law and public policy graduate students at Fordham University, Carnegie Mellon University, and the University of Pittsburgh (“knowledgeable users”) and presented these law and policy researchers with a set of privacy policies from companies in the e-commerce and news and entertainment industries. We asked them nine basic questions about the policies’ statements regarding data collection, data use, and retention. We then presented the same set of policies to a group of privacy experts and to a group of crowd workers representing typical Internet users. The findings show areas of common understanding across all groups for certain data collection and deletion practices, but also demonstrate very important discrepancies in the interpretation of privacy policy language, particularly with respect to data sharing. The discordant interpretations arose both within groups and between the experts and the two other groups. The presence of these significant discrepancies has critical implications. First, the common understandings of some attributes of described data practices mean that semiautomated extraction of meaning from website privacy policies may be able to assist typical users and improve the effectiveness of notice by conveying the true meaning of these policies. However, the disagreements among experts and disagreement between experts and the other groups reflect that ambiguous wording in typical privacy policies undermines the ability of privacy policies to effectively convey notice of data practices to the general public. The results of this research will, consequently, have significant policy implications for the construction of the notice and choice framework and for the U.S. reliance on this approach. The gap in interpretation indicates that privacy policies may be misleading the general public and that those policies could be considered legally unfair and deceptive. And, where websites are not effectively conveying privacy policies to consumers in a way that a “reasonable person” could, in fact, understand the policies, “notice and choice” fails as a framework. Such a failure has broad international implications since websites extend their reach beyond the United States.

Automated Comparisons of Ambiguity in Privacy Policies and the Impact of Regulation

Website privacy policies often contain ambiguous language that undermines the purpose and value of privacy notices for site users. This paper compares the impact of different regulatory models on the ambiguity of privacy policies in multiple online sectors. First, the paper develops a theory of vague and ambiguous terms. Next, the paper develops a scoring method to compare the relative vagueness of different privacy policies. Then, the theory and scoring are applied using natural language processing to rate a set of policies. The ratings are compared against two benchmarks to show whether government-mandated privacy disclosures result in notices less ambiguous than those emerging from the market. The methodology and technical tools can provide companies with mechanisms to improve drafting, enable regulators to easily identify poor privacy policies and empower regulators to more effectively target enforcement actions.

Crowdsourcing Privacy Policy Interpretation

Contract disputes frequently call on courts to resolve conflicts arising out of interpretative differences. In these disputes, the party at the bad end of a deal typically contends that the parties meant their contract to have a meaning other than the one that led to the unfavorable result. To this end, the complaining party argues that particular terms are ambiguous, and that the ambiguity should be resolved in a way that yields a more favorable outcome. Whether a contract’s terms are ambiguous is a determination for the court to make. But a battle wages over the appropriate method for making this determination. While some courts confine their analysis to the contract’s four corners (that is, a term will be deemed ambiguous if its meaning cannot be gleaned from the document itself), others consider evidence extrinsic to the document to determine whether terms are reasonably susceptible to more than one meaning. Under either approach, if the court determines that terms are ambiguous, it will resolve ambiguity according to an objective reasonable person standard. But subjective elements influence decision makers in even the most earnest endeavors to decide objectively.In this Note, I propose the novel concept that crowdsourcing can aid courts both in determining whether contract ambiguity exists and in resolving ambiguities objectively. Courts that accept extrinsic evidence as part of their ambiguity analysis could look to how the crowd interprets the agreement: if crowd workers cannot agree on a particular term’s meaning, the court may accept this as evidence that the term is ambiguous. Similarly, crowd agreement on a particular term’s meaning can supply the court with a reasonably objective interpretation of that term. In the Note, I explore this concept through the lens of empirical data from a recent study, Disagreeable Privacy Policies: Mismatches between Meaning and Users’ Understanding. That study asked crowd workers to interpret certain website privacy policies and compared the crowd’s interpretations to privacy policy experts’ interpretations of the same policies. This paper relies on data from that study to exemplify how the concept might apply. To reach this analysis, I first survey the general online contracting landscape. Because the note relies on data derived from analysis of website privacy policies, I specifically examine the extent to which privacy policies can be enforced as legally binding contracts. A finding that privacy policies are rarely enforced as such highlights a flaw in the notice and choice privacy regime that calls its legitimacy into question. I note that even if the crowdsourcing concept would not be adopted by courts, either the concept itself or theoretical questions is raises might prove useful for other adjudicators.

Identifying Relevant Text Fragments to Help Crowdsource Privacy Policy Annotations

In today's age of big data, websites are collecting an increasingly wide variety of information about their users. The texts of websites' privacy policies, which serve as legal agreements between service providers and users, are often long and difficult to understand. Automated analysis of those texts has the potential to help users better understand the implications of agreeing to such policies. In this work, we present a technique that combines machine learning and crowdsourcing to semi-automatically extract key aspects of website privacy policies that is scalable, fast, and cost-effective.

Disagreeable Privacy Policies: Mismatches between Meaning and Userss Understanding

Privacy policies are verbose, difficult to understand, take too long to read, and may be the least-read items on most websites even as users express growing concerns about information collection practices. For all their faults, though, privacy policies remain the single most important source of information for users to attempt to learn how companies collect, use, and share data. Likewise, these policies form the basis for the self-regulatory notice and choice framework that is designed and promoted as a replacement for regulation. The underlying value and legitimacy of notice and choice depends, however, on the ability of users to understand privacy policies.This paper investigates the differences in interpretation among expert, knowledgeable, and typical users and explores whether those groups can understand the practices described in privacy policies at a level sufficient to support rational decision-making. The paper seeks to fill an important gap in the understanding of privacy policies through primary research on user interpretation and to inform the development of technologies combining natural language processing, machine learning and crowdsourcing for policy interpretation and summarization. For this research, we recruited a group of law and public policy graduate students at Fordham University, Carnegie Mellon University, and the University of Pittsburgh (“knowledgeable users”) and presented these law and policy researchers with a set of privacy policies from companies in the e-commerce and news & entertainment industries. We asked them nine basic questions about the policies’ statements regarding data collection, data use, and retention. We then presented the same set of policies to a group of privacy experts and to a group of non-expert users.The findings show areas of common understanding across all groups for certain data collection and deletion practices, but also demonstrate very important discrepancies in the interpretation of privacy policy language, particularly with respect to data sharing. The discordant interpretations arose both within groups and between the experts and the two other groups. The presence of these significant discrepancies has critical implications. First, the common understandings of some attributes of described data practices mean that semi-automated extraction of meaning from website privacy policies may be able to assist typical users and improve the effectiveness of notice by conveying the true meaning to users. However, the disagreements among experts and disagreement between experts and the other groups reflect that ambiguous wording in typical privacy policies undermines the ability of privacy policies to effectively convey notice of data practices to the general public. The results of this research will, consequently, have significant policy implications for the construction of the notice and choice framework and for the US reliance on this approach. The gap in interpretation indicates that privacy policies may be misleading the general public and that those policies could be considered legally unfair and deceptive. And, where websites are not effectively conveying privacy policies to consumers in a way that a “reasonable person” could, in fact, understand the policies, “notice and choice” fails as a framework. Such a failure has broad international implications since websites extend their reach beyond the United States.

Privacy Harms and the Effectiveness of the Notice and Choice Framework

In the last fifteen years, the Federal Trade Commission and the White House have promoted notice and choice as the preferred mechanism for protecting consumers’ privacy online. But law and policy scholars doubt the efficacy of this mechanism. Research shows that consumers rarely read website privacy policies, that such policies are often too complex for users to understand, and that website policy statements do not match consumers’ privacy expectations. Efforts to ameliorate theses issues through technological tools, such as privacy filters and do-not-track codes, have been unsuccessful. Further, these tools do not address whether notice and choice theory aligns with the actual privacy harms that consumers experience. This alignment remains unexplored. This article, thus, proposes to examine the relationship between the notice and choice theory and users’ actual privacy concerns. The article takes a novel approach that examines privacy litigation and FTC enforcement actions. This focus on the wrongs litigated in the real world reveals the most important harms that consumers experience and provides a better understanding of the efficacy of the notice and choice framework.The data set compiled to support the research for the article consists of all federal class action complaints alleging online privacy violations filed during the last ten years and the Federal Trade Commission complaints and settlements addressing online privacy. The article next addresses the roles that jurisdiction and competence play in framing claims and identifies a typology of the wrongful acts experienced by consumers. The research shows that four types of claims appear in both private litigation and public enforcement with respect to personal information: (1) unauthorized disclosure, (2) surreptitious collection, (3) failure to secure, and (4) undue retention. The article then applies this typology to map “zones of effectiveness” for the notice and choice regime. The article identifies which wrongs a proper notice and choice regime can and cannot address. The research demonstrates that while some wrongful practices might be avoided by the inclusion of specific statements in a notice, others will be incurable through notice. The latter set of wrongs is, thus, outside the “zone of effectiveness” of a notice and choice regime. Lastly, the article concludes with a discussion of whether and how the harms that consumers experience match the outcomes of litigation and FTC settlement orders.This research is supported by the National Science Foundation grant 1330214 “TWC SBE: Option: Frontier: Collaborative: Towards Effective Web Privacy Notice and Choice: A Multi-Disciplinary Prospective.”

Privacy policy disclosures of behavioural tracking on consumer health Websites

AbstractMany Internet users are seeking health information online, encountering significant privacy risks in the process. Historically, these risks are associated with personally identifiable information, but behavioural tracking presents a new and increasing threat to privacy. In this paper, we analyze the disclosure, in a set of website privacy policies, of the collection of non‐personally identifiable information by consumer health information websites. The websites all engage in first and third party behavioural tracking using cookies and web beacons, and are among the sites recommended by consumer health sections of the Medical Library Association or the Canadian Health Libraries Association (see Burkell and Fortier, 2012, 2013). Our analysis reveals that while the majority of these sites disclose both first party (6/7) and third party (5/7) behavioural tracking, the language used in these disclosures is difficult to understand, tending to minimize behavioural tracking and obfuscate agency in the tracking process. These results suggest that consumer health information website privacy policies do not provide optimal disclosure of behavioural tracking practices. Library and information science professionals should work with users to ensure they are aware of the behavioural tracking practices of the websites they visit, assisting them to interpret the disclosures provided in website privacy policies.