Academic journal article Harvard Journal of Law & Technology

Three's a Crowd: Towards Contextual Integrity in Third-Party Data Sharing

Academic journal article Harvard Journal of Law & Technology

Three's a Crowd: Towards Contextual Integrity in Third-Party Data Sharing

Article excerpt

TABLE OF CONTENTS  I. INTRODUCTION II. A VERY RECENT HISTORY OF THIRD-PARTY DATA SHARING III. THE REGULATORY LINEUP     A. Privacy Litigation     B. Self-Regulation     C. The Federal Trade Commission and Its "Common Law " III. POLICY RECOMMENDATIONS FOR DOWNSTREAM DATA USE REGULATIONS     A. Greater Control and Accessibility     B. Greater Accountability down the Data Chain     C. Privacy By Design IV. CONCLUSION 


"We may also share your information with third parties with whom we have a relationship." (1) Innocuously tucked away in privacy policies, third-party data sharing is a rapidly growing source of online revenue for data controllers (2) in today's data-driven economy. Consumers short on time and attention are increasingly demanding, and getting, content curation and personalization. (4) Rather than charging users directly for these services, data controllers sell the data collected from their users to third parties, (5) who are typically data brokers, (6) app developers, (7) and successor businesses. Entire industries based on large, aggregated consumer data sets are rising, such as behavioral advertising (8) and big data research and analytics. (9)

As downstream sharing becomes more widespread, the likelihood of preserving "contextual integrity" (10)--meaning that the context of information sharing matches the individual's preferences--in the specific "node" in the data sharing chain erodes. Figure 1 provides a visual representation of the nodes. Each node refers to a stage of data sharing. The first node most typically involves the user directly volunteering the information to the data controller; this Note is primarily concerned with the second node, which typically involves the data controller sharing user data with downstream customers, such as advertisers. The second node is where contextual integrity begins to erode. (11) The typical user only has control over first-node sharing between user and data controller. First-node sharing achieves contextual integrity as the user's aim (e.g., to connect with friends) is matched by the data-sharing context (e.g., Facebook). In contrast, contextual integrity in the second node is unclear at best; data is shared without the user's direct involvement. Users are forced to make a bundled choice that disregards temporal and contextual nuances of information sharing. The rise of data as a commodity has undermined user ability to preserve contextual integrity online.

With increasing complexity in the data-sharing model, there must be a corresponding increase in nuance for its data privacy counterpart. Possible nodes in third-party data sharing are numerous and growing, yet privacy policies essentially remain a blunt instrument, giving users a binary option between sharing with none or sharing with all (the "all" including currently unforeseeable downstream data collectors). This existing "notice-and-choice" regime deprives consumers of a chance to ensure meaningful contextual integrity for their online identities. This is a problematic intrusion into an individual's right of self-determination online. (12) Human society is a complex network of context-dependent norms of appropriateness and disclosure, (13) and a forced uniformity of these contexts could cause unfortunate chilling effects. Uncontrolled data collection could result in crimes, such as identity theft and data breaches, and inequities, such as data-driven profiling of job candidates, tenants, and would-be criminals.

The Federal Trade Commission ("FTC") has filled the statutory vacuum to lead the development of regulations in the online privacy space. Despite criticisms that it is "low-tech, defensive, and toothless," (14) it remains best suited to implement greater contextual integrity in the third-party data sharing space due to its standardized enforcement procedures, practice of giving notice to industry actors subject to privacy rules, and the compliance incentives it alone can provide. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.