Chapter 1 ties together the problems of central elements of privacy law: the individual choice-based system, the fair information principles that originated it, the view that privacy is about secrecy, and dichotomies such as public versus private. We don’t have actual choices about our data beyond mechanically agreeing to privacy policies because we lack outside options and information such as what the choice means and what risk we’re taking on by agreeing. The choice-based approach creates a false binary of secret and open information when, in reality, privacy is a spectrum. The idea that someone, at any given time, has either total privacy or no privacy at all is unfounded. Additionally, data are bundled: you can’t reveal just one thing without letting companies infer other things. Reckoning with this reality defeats the popular “I have nothing to hide” argument, which traces back to Joseph Goebbels.

Privacy in public is a form of informational privacy. Informational privacy consists in the ability to control what others do with your information. You lack that control if you cannot give free and informed consent to how others process your information. How does one ensure free and informed consent across a sufficient range of cases? Our answer is that informational norms ensure that. That is not, however, the dominant legislative and regulatory answer, which is Notice and Choice. The Notice is a presentation of the terms governing the use of information. The Choice is an action signifying acceptance or rejection of the terms. Chapter 5 argues that Notice and Choice is clearly fails to ensure free and informed consent, and concludes that maintaining and creating norms is the most reasonable alternative.

Most of the existing privacy and security legal frameworks at both the federal and state level provide incomplete safeguards against many of the privacy and information security harms highlighted in earlier chapters. Many of these frameworks have long been critiqued by privacy law experts for their lack of effectiveness. The IoT amplifies these inadequacies as it compounds existing privacy and security challenges.

At the state level, the patchwork of privacy and security legislation creates varying obligations for businesses without consistently ensuring that individuals receive adequate privacy and cybersecurity protection. State legislation also suffers from several shortcomings and is often replete with gaping privacy and security holes. Even the CCPA, the first privacy statute of its kind in the United States, has several limitations. Further, varying state privacy and security legislation also enables unequal access to privacy and security between citizens of different states.