Contracting for Personal Data

Should traditional rules of contract law apply to transactions in markets for personal data involving consumers? The protection of consumer information in the United States (US) has followed a ‘Notice and Choice’ approach, which encouraged businesses to outline their information privacy practices, including the rights and risks associated with the collection, use, sharing, and security of information in privacy policies, to which consumers must typically agree. To a large extent, the relationship between the business and user with regards to information privacy is contractual.

A reasonable concern is that conventional principles of contract law are inadequate to protect the interests of consumers, who ostensibly agree to having their personal data collected by firms.  A major fear, common to transactions involving all sorts of goods and services, is that many consumers face barriers to information that lead them to misperceive or not fully internalize the nature and consequences of transactions. In addition, the ordinary remedies for breach of contract may be inadequate to deter or compensate for the particular harms caused by undesired or unauthorized use or dissemination of data. And since contractual rights and duties typically bind only the parties to the contract, they may be of limited value when data are transferred to other parties, a common practice for personal data. 

These concerns have prompted proposals for reform that depart from fundamental principles and rules of contract law that govern other types of market transactions. Some of these reform proposals would impose mandatory rules, that is to say, rules that cannot be amended by the parties to an agreement. Those interventions, while addressing some of the problems outlined above, would also sacrifice the flexibility that is one of the key advantages of contractual governance. 

It is important to evaluate the empirical foundations for proposals seeking to address problems caused by information barriers that make consumers more vulnerable relative to more sophisticated parties. Proposals for special rules to govern the collection, use, security, and transfer of personal data rest, at least in part, on testable empirical claims whose careful evaluation should take precedence over anecdote and casual observation. 

In a recently published article, Contracting for Personal Data, we begin to explore this question empirically by examining 194 privacy policies from firms interacting with consumers in the US across seven markets from 2014 to 2018 from a representative sample of firms. Ninety percent of the policies are incorporated by reference in the firms’ ‘Terms of Use’, where firms set out other contractual terms, including dispute resolution clauses. We analyze the terms that relate to collection, security, sharing of personal information, and enforcement of contractual rights and benchmark them against the 2012 self-regulatory guidelines of the Federal Trade Commission and the European Union’s 2018 General Data Protection Regulation (GDPR). We examine how those terms vary both over time and across markets.

A key initial finding is that many firms in our sample revised their contracts to comply with at least some provisions of the GDPR, even though the contracts in question were aimed at US consumers. Terms regulated by the GDPR showed statistically significant improvements, on average, during the four-year period, in that they became more information-protective. In contrast, terms that were not subject to the GDPR became less protective, according to the relevant benchmarks, in a statistically significant way. These spillover effects of European regulation on US consumers are an important but often overlooked feature of data protection in the US.  

We also document significant differences in privacy policies across markets. Firms in markets that collect highly sensitive information (like adult entertainment firms) or where the subjects are likely to include more sophisticated users (like cloud computing firms) took more privacy-protective steps in collecting, sharing, and securing personal data. We find that compliance with the GDPR varies across markets in similarly intuitive ways. To the extent that these variations across markets reflect differences in preferences, they offer evidence of the potential advantages of the flexibility associated with a traditional contractual approach. Subjects might want more protection in highly sensitive or potentially embarrassing situations, but require less for other uses of data, such as sharing on message boards. 

Finally, we try to shed some light on the significance of information barriers in contracting for personal data. We present two suggestive findings. First, within markets, firms are not offering terms that could be seen as being maximally exploitative. Second, we investigate whether firms treat ordinary consumers differently from more sophisticated customers by examining the information privacy terms of cloud computing firms’ privacy policies. We find no significant differences between the terms offered to more and less sophisticated subjects in that market. While these findings cannot lead us to draw firm conclusions about whether consumers will receive adequate protection from traditional principles of contract law that place few mandatory restrictions on contracting practices, they do invite further empirical analysis to determine whether traditional contract law is up to the challenge of governing transactions in personal data.

Kevin Davis is Beller Family Professor of Business Law at New York University School of Law.

Florencia Marotta-Wurgler is Professor of Law at New York University School of Law.