Informational privacy consists in the ability to control what personal information others collect and what they do with it.  We value the control, as over twenty years of studies attest; but, other studies show that we readily trade very personal information for very small rewards.  We offer a solution to this puzzle—a limited solution since we restrict our inquiry to private-sector, commercial contexts.  Our solution provides a general perspective on informational privacy and suggests ways of ensuring sufficient control over personal information. The solution is that the seemingly contradictory attitudes are characteristic of conformity to suboptimal informational norms. This raises three questions.  What is a norm?  What is an informational norm?  And, what is it for a norm to be “suboptimal”?  We take our answers from a general theory of norms and market interactions in our forthcoming (Fall 2011) book, Unauthorized Access: the Crisis in Online Privacy and Security.  Setting informational privacy concerns in this general context reveals important commonalities with other current problems.

We focus on coordination norms.  A coordination norm is a behavioral regularity in a group, where the regularity exists at least in part because almost everyone thinks that he or she ought to conform to the regularity, as long as everyone else does.  Driving on the right is a classic example.  In mass markets, coordination norms promote buyers’ interests by unifying their demands.  A mass-market buyer cannot unilaterally ensure that sellers will conform to his or her requirements; coordination norms create collective demands to which profit-motive driven sellers respond.

The problem on which we focus is that rapid technological change has rendered existing norms “suboptimal.”  There are many optimality notions (Pareto optimality being perhaps the best known); the optimality notion we use is value-optimality.  A norm is value-optimal when (and only when) in light of the values of all (or almost all) members of the group in which the norm obtains, the norm is at least as well justified as any alternative.  We will use “suboptimal” for norms that are not value-optimal.  A classic example of a suboptimal coordination norm is the “no helmet” norm among pre-1979 National Hockey League players.  Not wearing a helmet was a behavioral regularity that existed in part because each player thought he ought to conform, as long as all the others did.  However, because of the value they placed on avoiding head injury, virtually all the players regarded the alternative in which they all wore helmets as better justified.  The players nonetheless remained trapped in the suboptimal “no helmet” norm until the league mandated the wearing of helmets in 1979.  Like the hockey players, we “play without a helmet” when we enter certain types of market transactions:  we are, that is, trapped in what are—now—suboptimal coordination norms.

Informational privacy is a case in point.  As Helen Nissenbaum and others have emphasized, informational norms regulate the flow of personal information in wide variety of interactions, including market transactions.  Informational norms are norms that constrain the collection, use, and distribution of personal information.  In a range of important cases, such norms are coordination norms that unify buyers’ privacy demands.  The norms are instances of the following pattern: consumers demand that businesses process—collect, use, and distribute—information only in role-appropriate ways.  The problem is that technological advances have so greatly increased the power and breadth of role-appropriate information processing that many norms are no longer value-optimal:  alternatives in which consumers have more control are better justified.  The consequence is an unacceptable loss of control over personal information.

Conformity to suboptimal norms explains the otherwise puzzling fact that consumers value control over personal information while they also surrender control for small rewards.  This is precisely the sort of behavior one sees when groups are trapped in suboptimal norms.  Recall the hockey players.  They did not wear helmets even though their values made “all players wear helmets” a far better justified alternative.  Similarly, consumers conform to suboptimal informational norms even though their values make “consumers have more control” a far better justified alternative.  Trading privacy for small rewards is just norm-conforming behavior; however, when asked about their values, consumers indicate that they value control.  Their problem is that, like hockey players, consumers cannot break free of the suboptimal norm.

The solution to the hockey players’ problem was “legislative”:  the league mandated that every player wear a helmet.  We offer a similar solution:  a model in which appropriate legislation gives rise to value-optimal informational norms.  The model applies in a wide variety of cases in which rapid change has outstripped the evolution of norms and thus underscores the fact that issues about informational privacy share important similarities with other types of suboptimal norms that currently govern various market transactions.