The Care and Feeding of Sticky Defaults in Information Privacy Law

Lauren Willis, When Nudges Fail: Slippery Defaults, 80 U. Chi. L. Rev. ___ (forthcoming 2013) available at SSRN.

If Jotwell is meant to surface obscure gems of legal scholarship, which might go unnoticed otherwise, I might be missing the point by highlighting a work forthcoming in the not-so-obscure University of Chicago Law Review on the au courant topics of nudges and liberal paternalism. But Lauren Willis’s new article, When Nudges Fail: Slippery Defaults, might escape the attention and acclaim it deserves as a work of information privacy law, so it is in that field I hope to give the article its due.

Willis’s article takes on the pervasive idea that all default choices are sticky. Defaults can sometimes be sticky, but Willis carefully deconstructs the economic, social, and technological preconditions that tend toward stickiness, and then demonstrates how firms can manipulate those conditions to render defaults quite slippery.

This article deserves to become a standard citation in information privacy law scholarship, important in at least three ways. Most obviously, the article uses online behavioral advertising and the Do Not Track debate as a recurring example, revisiting it throughout. This article makes a very useful contribution to the Do Not Track debate, which continues to rage.

Deeper, and more generally, the article delivers a blow—perhaps fatal—to the age-old “opt-in versus opt-out” debate. Should new, privacy invasive practices affect only people who opt-in to them, or should they instead apply to all except those who opt-out of them? Willis helps us understand that this debate, which has generated so much energy and discussion, may matter less than we think. “When firms have significant control over the process for opting out or the context in which the defaults are presented, firms can undermine the stickiness of policy defaults.” In other words, firms can, and do, encourage, cajole, push, and deceive into opting in those customers who rationally should not.

As proof, the heart of the article presents a lengthy examination of failed attempts by regulators to limit what they have seen as predatory bank practices surrounding checking account overdraft coverage. Although it might seem like an unequivocal convenience to have banks cover rather than reject ATM withdrawals and debit card payments from accounts with insufficient funds, because of the fees they charge for this “service”—$20 or even more—these amount to “low risk, high cost loan[s].” Low risk, because the bank is paid back automatically with the next deposit, and high cost—Willis gives a typical example amounting to an effective 7,000% APR. In some cases, these banks offer alternative services that provide basically the same protection at orders of magnitude less cost. For one who worries about consumer welfare, this is a maddening story, told with detail and care. Banks lied about the benefits of the coverage. They deluged the holdouts under a flood of paper and harassed them on the telephone. And in the end, they spurred droves of customers—according to one study, 75% of all customers and 98% of customers who overdraft more than ten times per year—to switch.

Going forward, one will be able to skim the first few footnotes of any article that uses the words “privacy,” “opt-in,” and “opt-out” to apply the “Willis Test.” Any such article that doesn’t cite this piece probably needn’t be taken seriously.

But at its deepest, and to my mind most interesting, level this article chips away at the faith we have placed in notice and choice, which is to say, at the foundation of most contemporary information privacy laws. Notice implies the transmission of accurate and fair information giving rise to fully informed consumers, and choice presupposes freedom of action and the absence of coercion. Watching the banks manipulate their customers into making bad choices brings home the challenges that face those who yearn for honest notice and choice. The lesson Willis offers repeatedly is crucial for information privacy law: companies control the messages that consumers see, and they are masters at manipulation.

And these are banks. Banks! Dinosaurs of the old economy that build websites that users merely suffer to use rather than enjoy and whose executives probably think UI and UX are stock ticker symbols. To flip the overdraft protection default, these fusty old companies resorted to costly Jurassic techniques involving the phone, ATM, and email account. Consider how much more consumers are outmatched by the media owners who run today’s engaging-to-the-point-of-addictive mobile apps and social networking sites. Online, consumers notice only what these master manipulators want them to notice and choose what they are preordained to choose.

This matters for information privacy a lot. We still rely on notice and choice as the most important tools regulators have to guarantee user privacy. Proposals for tackling new privacy concerns—from location tracking, to remote biometrics, to genomic information, and beyond—continue to center on creating the conditions for meaningful notice and consent. Willis’s article suggests that firms will provide clear notice and obtain meaningful choice only when they see no reason to oppose either choice, which is to say, when it doesn’t count for much. It might be time for regulators to reach for different tools.

We have known for some time that notice and choice are plagued by information quality problems. But Willis’s article demonstrates the still unmet need for scholarship that deconstructs the mechanics of how companies manipulate these problems to their benefit to subvert individual privacy. This builds on the groundbreaking work of scholars from outside law such as Lorrie Cranor and Alessandro Acquisti. And while legal scholars like Ryan Calo have built on this work (and I’ve started to do so, too), we need more of this. We need thorough and careful accounts of the landscape of notice and choice. With this article, this very necessary research agenda now has a fine blueprint.

 
 
Discussion

1 comment
  1. 1

    Standard disclaimer applies: I wrote this in my personal, academic capacity. Nothing I say in this review essay reflects the official view of my current employer (the FTC), any of its individual commissioners, or its staff.