Contracting for Personal Data

By Kevin Davis and Florencia Marotta-Wurgler

To what extent do firms collecting information from U.S.-based consumers take advantage of the contractual flexibility afforded by the local regime or, instead, choose to follow the more rigid requirements of the European Union's (EU) General Data Protection Regulation (GDPR)? The answers to these questions should inform assessments of both regimes.

Background on the Two Regimes

For the past two decades or so, the United States has followed a “Notice and Choice” self-regulatory approach. That approach encouraged businesses to outline their information privacy practices, including the rights and risks associated with the collection, use, sharing, and security of information in privacy policies, to which consumers must typically agree. To a large degree, the relationship between the business and user with regard to information privacy in the United States is contractual. A major fear associated with this approach, however, is that consumers are likely to misunderstand or fail to internalize the nature and consequences of transactions, leading them to experience adverse consequences, including unexpected uses and sharing of their personal information.

The prevalence of these concerns and the number of data breaches and information privacy scandals have led regulators in other regions, in particular those in the EU, to promote rules that deviate from the contractual paradigm. In May 2018, the GDPR became the primary law regulating how information-collecting entities protect the personal data of EU citizens. The regulation requires data-collecting and data-processing entities to adopt certain technological and organizational practices to ensure appropriate data security, adopt privacy-protective defaults, provide specific disclosures and secure informed consent, and curb the collection and retention of personal information, among other obligations. The downside of this kind of intervention is the sacrifice of the flexibility that is one of the key advantages of contractual governance. In the absence of mandatory rules, contracts can be adapted to match the circumstances and needs of the parties, including as they change over time. By contrast, mandatory terms like those required by the GDPR tend to be more uniform and inflexible.

Empirical Findings

In a recently published article, Contracting for Personal Data, we explore empirically the extent to which parties avail themselves of contractual flexibility and comply with the GDPR, while measuring the prevalence of privacy-protective contract terms across and within markets, as well as their evolution over time. We examine 194 privacy policies from a representative sample of firms interacting with consumers in the United States across seven markets from 2014 to 2018. We analyze the characteristics of and changes to 28 common contract terms relating to: collection, security, and sharing of personal information; data retention practices; privacy by design; user control; and enforcement of contractual rights, and benchmark them against the 2012 self-regulatory guidelines of the Federal Trade Commission (FTC) ("Notice and Choice") and the GDPR. We examine how those terms vary both over time and across markets.

A striking initial finding is that most firms in our sample revised their contracts (many around May 2018) to comply with at least some provisions of the GDPR, even though the contracts in question were aimed at U.S. consumers. Terms related to information practices regulated by the GDPR on average showed statistically significant improvements during the four-year period, in that they became more information- (and thus consumer-) protective. While firms' overall level of compliance with the GDPR is not high in absolute terms, the average level of compliance for all sample terms, and for some in particular, is high as compared to documented levels of compliance with non-binding guidelines, such as those of the FTC. For example, 77% of firms now allow subjects to access and correct their personal data, a significant increase from 2014. More strikingly, while only 8% of firms made a commitment to destroy or anonymize personal data upon account or service termination in 2014, 48% did in 2018. Processor Contracts is the category with the most improved protections: firms barely contracted with data processors and third-party recipients of data to protect subjects' data in 2014, but this changed drastically in 2018, with policies now describing various ways in which subsequent transfers of data are protected by contract. These protections include contracting with third parties regarding the security, data-use, and sharing practices that third parties must abide by when acquiring access to the processors' data.

Not all terms became more protective, however. Those that became less protective on average include terms related to ensuring data accuracy, privacy by design, disclaiming liability for security measures, and providing opt-in (as opposed to opt-out) options for preventing the sharing of sensitive information. More generally, terms that were not subject to the GDPR became less protective, according to the relevant benchmarks, in a statistically significant way.

These findings strongly suggest that the GDPR has had significant effects on firms' dealings with U.S. consumers. These spillover effects of European regulation are an important but often overlooked feature of data protection in the United States.

Our study also documents significant differences in privacy policies across markets. Firms in markets that collect highly sensitive information (like adult entertainment firms) or where the subjects are likely to include more sophisticated users (like cloud computing firms) took more privacy protective steps in collecting, sharing, and securing personal data. We find that compliance with the GDPR varies across markets in similarly intuitive ways. To the extent that these variations across markets reflect differences in preferences, they offer evidence of the potential advantages of the flexibility associated with a traditional contractual approach. Subjects might want more protection in highly sensitive or potentially embarrassing situations, but require less for other uses of data, such as sharing on message boards.

Finally, we find that, within markets, firms are not offering terms that could be seen as maximally exploitative. We also find that firms in the cloud computing market do not treat ordinary consumers differently from more sophisticated customers, at least as evidenced by the terms in cloud computing firms' privacy policies. While these findings cannot lead us to draw firm conclusions about whether consumers will receive adequate protection from traditional principles of contract law that place few mandatory restrictions on contracting, they do invite further empirical analysis to determine whether traditional contract law is up to the challenge of governing transactions in personal data.

Kevin Davis is the Beller Family Professor of Business Law at New York University School of Law. Florencia Marotta-Wurgler is a Professor of Law at New York University School of Law.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.