Deceptive Design and Ongoing Consent in Privacy Law.

Author: Wiener, Jeremy


Google and Facebook's user interfaces (UIs) contain misleading language that causes individuals to consent to the lowest possible privacy setting. (1) And they are not alone. Organizations routinely deceive individuals into sharing more personal information than they otherwise would. (2) This undermines the consent-based model for privacy protection, as well as public trust in the government's ability to protect people's privacy. (3)

As a result, governments, scholars, and civil societies are increasingly exploring how deception impacts an individual's right to consent to their personal information's collection and processing. (4) For example, Canada's last federal government tabled a bill to replace the country's private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), (5) with the Consumer Privacy Protection Act (CPPA). (6) The CPPA proposed to prohibit organizations from obtaining or attempting to obtain an individual's consent by engaging in a deceptive or misleading practice. (7)

The problem is that there is no unified analysis of how such a statutory provision might apply. This might deter regulators and policy-makers from adopting such an anti-deception model.

This article seeks to resolve the issue by filling three gaps in the literature. First, it categorizes the different types of deception according to privacy law's notice-and-choice framework, and then distinguishes the different moments at which deception can occur: at "I agree moments," and beyond "I agree moments."

It then concretizes this categorization by comparatively surveying investigations led by the United States' Federal Trade Commission (FTC) and the Office of the Privacy Commissioner of Canada (OPC). This will shed light on how a statutory provision that regulates deceptive privacy practices might apply to the specific practices that individuals regularly find themselves in, and will constitute one of the first comprehensive surveys of a thematic area of OPC investigations.

Finally, the article explores whether privacy statutes that regulate deceptive practices should be interpreted as applying beyond "I agree moments." This is an important question, because only regulating deception at "I agree moments" would disembody law from individuals' lived experiences.

Related to this last area of exploration, the article argues that privacy statutes should be interpreted as granting not only a right to consent, but a right to consent as an act of ongoing agency. Such a right to ongoing consent would mean that privacy statutes regulating deception apply beyond "I agree moments." This would cover the entirety of a company's dealings with individuals and would thus more fully appreciate individuals' embodied experiences and understandings.

To demonstrate this, the article proceeds in five parts. Part I contextualizes the problem. It discusses the deficiencies of language-based notice-and-choice, showing the importance of recognizing how digital space's design impacts user experience. Part II explores deception. It defines it in relation to other forms of influence, examines the legal standard for determining whether a deceptive representation or practice actually occurred, and categorizes the three different types of deception according to privacy law's notice-and-choice framework. Part III distinguishes deception that occurs at versus beyond "I agree moments"--a novel distinction that appreciates that the entirety of an organization's dealings with a user affect individuals' understandings. Part IV exemplifies written and design-based deception at "I agree moments" by surveying investigations led by the United States' FTC and Canada's OPC. Part V then provides examples of deception occurring beyond "I agree moments," and argues that privacy statutes that regulate deception should be interpreted as applying to it. To make this point, the section distinguishes privacy from contract law, looks to notions of ongoing consent in other areas of law, and examines privacy statutes' general schemes. The paper then concludes.


    Notions of autonomy and consent have long underpinned understandings of privacy. (8) They began affecting private-sector privacy law in the 1980s when they were articulated in the United States' Fair Information Practice Principles (FIPPs). (9) The FIPPs informed privacy protection laws around the world, such as PIPEDA. (10) It is therefore not surprising that the OPC describes individual autonomy as the "foundation for the consent principle," (11) and that Canada's former privacy commissioner, Jennifer Stoddart, described consent as "the fundamental principle on which PIPEDA is based." (12)

    Consent's current paradigm is notice-and-choice, also known as "knowledge and consent." (13) "Notice" occurs where an organization presents the what-when-how of their privacy practice. (14) "Choice" signifies accepting or rejecting those terms. (15) Notice generally precedes choice, and is inextricably linked to it. (16) Consent requires both. (17)

    The consent-based model of privacy protection, however, is subject to much criticism. (18) Many are calling on privacy law to shift away from consent as a result. (19) But Europe's recently enacted General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and proposed privacy bills in Canada and the United States do not shift away from consent entirely. In these, consent remains one of the primary legal bases for processing individuals' personal information. (20) Examining how to strengthen consent is thus worthwhile.

    Doing so requires appreciating consent's weaknesses. Dissecting privacy policies, and the ubiquitous form of notice that emerged in the 1990s, (21) is a good place to start. In short, privacy policies are confusing to read, and are infrequently read. (22) Even the sitting Chief Justice of the Supreme Court of the United States does not read them. (23) This might be because, according to Helen Nissenbaum, privacy policies are characterized by a "transparency paradox": if privacy policies comprehensively describe an organization's practices, then the policy will be too long and complicated for the average user to read or understand; and if they are short and simple, then they will not be detailed enough for users to make informed choices. (24)

    Acknowledging the deficiencies of traditional language-based notice, privacy doctrine is increasingly examining how digital space's design impacts user experience. (25) It is not alone in this regard. Social scientists have long appreciated how design influences human behaviour in the physical world. (26) In architecture, for example, Jeremy Bentham designed the modern prison panopticon to encourage passivity. (27) More recently, the Design Against Crime Research Centre reduced petty crime in an area that had seen high rates of bicycle and bag theft by adding lights and spaces for people to socialize. (28)

    Law also frequently regards design. For instance, product liability largely concerns how defective design can cause harm. (29) Contract law recognizes that design enables understanding by invalidating clauses deemed illegible due to their physical representation or location. (30) And in intellectual property law, following years of underdevelopment, design patents have burst onto the stage. (31)

    It is thus fitting that privacy law concerns itself with digital design. As Julie Cohen put it, not regulating design's effect on notice-and-choice would divorce privacy law from "embodied experience." (32) It would reflect what philosophers call "theoretical knowledge," as opposed to the practical knowledge gained through interactive spatial life. (33) Recognizing this, Ryan Calo suggests that policy should encourage "visceral notice," defined as notice that does not rely exclusively on language or its symbolic equivalent. (34)

    The key, naturally, is appreciating design's impact on not only notice, but also choice. This may indeed be at the heart of what the former Information & Privacy Commissioner of Ontario, Ann Cavoukian, meant when she suggested that law adopt Privacy by Design (PbD), generally characterized as the approach of embedding privacy into the design specifications of various technologies. (35) The GDPR and Quebec's proposed Bill-64 contain PbD language, but their PbD provisions are broadly worded and do not specifically reference deceptive design. (36) As a result, European data regulators have only just begun thinking about how to investigate and sanction deceptive design. (37) Deepening our collective reflection on how to best regulate deceptive design is important. Accordingly, this article is one of the first to determine how a privacy-specific statute might actually regulate deceptive notice-and-choice. To facilitate the analysis, the next part discusses deception's distinguishing features.


    Understanding deception is essential to regulating it. Accordingly, this part first defines deception by distinguishing it from other forms of influence, such as persuasion and manipulation. (38) It then examines deception in private and statutory law. (39) Finally, it considers how privacy doctrine classifies different deceptive practices, and fills a gap in the literature by categorizing deception according to notice-and-choice. (40)

    1. Defining Deception

      Deception must be distinguished from other forms of influence: persuasion, coercion, manipulation, and nudging. Not doing so might create confusion as to whether a particular practice is covered by an attempt to regulate deceptive design.

      Daniel Susser, Beate Roessler, and Helen Nissenbaum's work on manipulative digital media defines deception's distinguishing features. (41) This and the next four paragraphs borrow heavily from their article. To illustrate how deception differs from other forms of influence, let us use...
