THE NOTICE-AND-CHOICE PRIVACY GAMBLE: GAME THEORY, CONSUMER AGENCY, AND IMPLICATIONS FOR GDPR.

This paper introduces a theoretical framework for how the notice-and-choice model for protecting consumer information privacy can be considered a viable policy approach, despite mounting evidence that privacy notices are often ignored, difficult to read, increasing in length, and misunderstood by consumers. Drawing from several well-known game-theoretic models from Daniel Ellsberg (c. 1961 & 62) that we believe map closely to an online consumer's notice-and-choice context, we outline a rational choice model for consumer online privacy and discuss its relevance for the EU's General Data Protection Regulations [GDPR]. We argue that an online consumer's notice-and-choice privacy gamble is a 'reasonable bet' given the consumer's expected payoff in an environment that is constrained by competition and dynamic forces of institutional trust. Consumer choice, as a deliberate, consistent, and repeatable action, is context dependent and underwritten by consumer agency and the communicative aspects of a notice-and-choice transaction. Additional choicetheoretic derivations involving uncertainty and ambiguity (inspired by renewed interest and discussion of the Ellsberg Paradox) are also discussed and explored as a potential direction for research. Research Question Privacy notices and the requisite checkbox action to 'acknowledge-and-continue,' although ubiquitous to the online experience, are proving to be increasingly difficult for privacy and marketing scholars to justify as a matter of sound public policy. While there is little disagreement that information disclosure and consumer choice remain basic components of informed consent, there is a growing body of evidence that suggests privacy notices fail to provide consumers with sufficient information for an actual informed privacy choice. Privacy notices are too often ignored, considered difficult to read, increasing in length, difficult to comprehend, and/or fundamentally misunderstood (Calo 2012; Martin 2015; Milne and Culnan 2004; Nissenbaum 2011). What, if anything, do privacy notices provide for a consumer's choice in the context of a notice-and-choice transaction? Is the checkbox action to acknowledge-and-continue a completely meaningless or empty gesture, given that consumers do not read, or hardly read, or fundamentally misunderstand the conditions to which they "volunteer" personal information? Summary of Findings This paper outlines a defense for the notice-and-choice model for online privacy by addressing persistent worries about notice adequacy and information disclosure. Drawing from game theory and a theory of consumer agency, we aim to explain how consumer choice, as a deliberate action, is the result of a rational and experiential process that is constrained by competition and dynamic forces of institutional trust. Game theory provides a useful forum for evaluating privacy related decision making because it introduces a set of concepts that frame a consumer's expectation for privacy protection in terms of subjective 'degrees of belief' and 'theory of revealed preference.'. Recent provisions in the EU's General Data Protection Regulations [GDPR], such as requiring better privacy notice communication protocol and providing consumers the opportunity for data access and deletion, are consistent, at least in their intent, with our interpretation of consumer agency and consumer choice. Moreover, we argue further, the central notions of the EU's GDPR, such as privileging the locus of privacy protection on 'natural persons' and/or 'human data subjects' and framing obligations of data controllers and data handlers are consistent with the theory of rational choice and consumer agency we outline and describe. Key Contributions The current discussion contributes to the marketing and public policy environment by offering a theoretical grounding for the notice-and-choice model, as a current consumer protection policy approach in the US, while discussing its implications for the (now) established GDPR in the EU. Although there are some prior studies that examine how game theory can be used to clarify privacy research, this is the first effort that we are aware of that attempts to theoretically ground a current and emerging policy approach within a decision theory framework. • This paper provides a conceptual framework for situating many of the central concepts and assumptions of the EU's GDPR within a theory of consumer agency. • Warrant for endorsing the notice-and-choice model is postulated from a discussion and analysis of Ellsberg's (now) classic 1961 & 1962 game theoretic problems and solutions. Additional choice-theoretic derivations involving uncertainty and ambiguity are also considered and discussed. [ABSTRACT FROM AUTHOR]