The principles of “notice and choice” have been the key principles of information privacy protection for several decades. These principles of privacy, which involve the notion of individual control, require sufficient mechanisms for individuals to understand where, when and under what conditions their personal information may be used and transferred, and to exercise control over data usage and transference. Therefore, the various sets of fair information practice principles, and the privacy laws based on these practices, include requirements for providing notice about data practices and allowing individuals to exercise control over those practices. Privacy policies and preference-center-based opt-out mechanisms have become the predominant tools for notice and choice. However, these tools are increasingly insufficient. Serious threats follow from the ease of information storage, transfer, aggregation, analysis and inference. We face the real risk that the technological laws spelled out by Gordon Moore (growth in processing power) and Robert Metcalfe (network effects) will permanently overwhelm existing privacy principles of notice and choice. Privacy policies are long, complicated, inconsistently structured and subject to frequent and unannounced change. Digital services often involve interactions and data exchanges that include third parties unknown to the end user. Each digital service requires specific and tailored advertising preference selections and can change these choices and associated user selections at any time. In this environment, it is nearly impossible for individuals to control their information usage or related third-party data flows via the existing notice and choice tools of privacy policies and preference-center-based opt-out mechanisms.
The inherently decentralized nature of the internet, which comprises a multitude of digital services each with its own advertising preference choices and privacy policies, does not permit acceptable transparency for individuals to understand where, when and under what conditions their personal information may be used and transferred, to exercise control over data usage and transference, or to hold digital services and their third-party partners accountable for unanticipated and unapproved data usage.