Skip to main content

Privacy notice and choice in practice

Researcher: Lorrie Cranor

Research Area: Privacy Protection

Cross Cutting Thrusts: Usable Privacy and Security


For several decades, “notice and choice” have been key principles of information privacy protection. Conceptions of privacy that involve the notion of individual control require a mechanism for individuals to understand where and under what conditions their personal information may flow and to exercise control over that flow. Thus, the various sets of fair information practice principles and the privacy laws based on these principles include requirements for providing notice about data practices and allowing individuals to exercise control over those practices. Privacy policies and opt-out mechanisms have become the predominant tools of notice and choice. However, a consensus has emerged that privacy policies are poor mechanisms for communicating with individuals about privacy. With growing recognition that website privacy policies are failing consumers, numerous suggestions are emerging for technical mechanisms that would provide privacy notices in machine-readable form, allowing web browsers, mobile devices, and other tools to act on them automatically and distill them into simple icons for end users. We are conducting experiments to gather empirical data on the effectiveness, usability, and deployment of notice and choice mechanisms, including the Platform for Privacy Preferences, the AdChoices Icon, browser privacy plugins, Do Not Track, Android permissions interfaces, and financial model privacy notices.