This year already looks like a big one for the evolution of thinking about privacy

Only about a week into 2010 and already there are some very public indications that the current attention on information privacy, especially on the Internet, is likely to result in more visible changes in the way online companies, users, and the U.S. government think about privacy. Coincident with a question we posed a few days ago about whether heightened sensitivity about personal information disclosure on Facebook (as well as other sites and forms of social media) would result in changes in user behavior, Facebook CEO Mark Zuckerberg observed in an interview with Michael Arrington of TechCrunch that social norms about privacy and users’ comfort level with disclosing and sharing more and more personal information online have shifted dramatically in the relatively short time since Facebook began. (The relevant question and answer are the second of the interview, starting about 2:30 into the video recording.) Zuckerberg used this evolution of social norms in part to justify the significant step recently undertaken by Facebook of changing the privacy policy and default information disclosure practices for all of its 350 million users. This line of explanation might seem disingenuous given the regular disputes over privacy that Facebook has had, both in the U.S. and internationally, but given the enormous popularity and continued growth of Facebook, you have to ascribe some credibility to the company for producing products and services that attract a broad user base. It’s possible of course that the continued heavy use of Facebook in spite of its history on privacy is an indication less of a societal shift in the desire for privacy protection brought about through the rise of social networking than of a simple failure by many users to pay any attention to privacy policies, of Facebook or other online sites.

The disconnect between disclosure of privacy policies and practices and user awareness of those policies despite their conspicuous publication is a fundamental flaw in current rules under which online organizations must give notice to users about privacy policies and related practices such as information collection. The Federal Trade Commission, through its chairman Jon Leibowitz, has gone on the record suggesting that the current model of “advise and consent” — in which companies post their privacy policies and users who visit or conduct transactions online with those companies are considered to have given implied consent — isn’t working. Leibowitz and the FTC Bureau of Consumer Protection’s David Vladeck say they are looking at alternatives to the privacy policy disclosure practices, with an eye to coming up with options by this summer. One idea sure to get more detailed examination is a shift to an explicit opt-in model, as opposed to the opt-out approach that dominates privacy consent today in the United States. The FTC might want to look to practices in the European Union, which late last year moved to adopt a fully opt-in model on cookies. There is certainly a usability trade-off with strict opt-in requirements, as infrequent users of sites may not be interested in the additional time and effort required to read opt-in notices, and may instead choose not to proceed, or may answer affirmatively without knowing the terms to which they have agreed. Many e-commerce sites face this same sort of trade-off when determining whether user registration is required to complete an order transaction. In cases where users are willing to register with a site, it’s hard to imagine that the extra step of opting in to data collection and usage practices will present too much of a burden, although there’s some justified skepticism about how closely anyone will look at privacy policies and terms of use, even with opt-in.